AWS EKS cluster endpoint modified to allow public access

ID: aws_eks_endpoint_public
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0001:T1190

Description

AlphaSOC detected a modification to an Amazon Elastic Kubernetes Service (EKS) cluster endpoint configuration enabling public access. EKS endpoints allow communication with the Kubernetes API server. Modifying endpoint access controls can expose cluster management capabilities to unauthorized users on the internet.

Impact

Public access to EKS endpoints creates a risk of unauthorized cluster access, potential container compromise, and resource hijacking for cryptomining. Threat actors can exploit public endpoints to enumerate resources, deploy malicious workloads, or pivot to other AWS services.

Severity

Severity | Condition
Low      | AWS EKS cluster endpoint modified to allow public access

Investigation and Remediation

Review CloudTrail logs to identify the principal that modified the endpoint configuration and the source address the change came from. Analyze IAM policies and Kubernetes RBAC settings for unauthorized changes. Reconfigure the endpoint to restrict access to the private VPC and apply security group controls. Review cluster resources for signs of unauthorized access.
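The following Python helper is an added example, not AlphaSOC's detection code, that ties the Description and the Investigation steps together: it scans CloudTrail records for an EKS UpdateClusterConfig call that turns on endpointPublicAccess, reports the actor, source IP, cluster and allowed CIDRs for triage, and prints the AWS CLI command that restricts the endpoint again. The field names (eventName, requestParameters.resourcesVpcConfig.endpointPublicAccess, publicAccessCidrs) follow the EKS CloudTrail schema; the three records are constructed sample data, and a CreateCluster record with the default public endpoint is deliberately not flagged, matching the known false positive listed on this page.

```python
"""Triage helper for EKS API-endpoint exposure events in CloudTrail."""
import ipaddress
import json

# Constructed sample CloudTrail records (not real log data): one change that
# opens the endpoint to the whole internet, one that leaves it private, and
# one CreateCluster with the default public endpoint (a known false positive).
SAMPLE_RECORDS = [
    {
        "eventName": "UpdateClusterConfig",
        "eventSource": "eks.amazonaws.com",
        "eventTime": "2024-01-01T12:00:00Z",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
        "requestParameters": {
            "name": "prod-cluster",
            "resourcesVpcConfig": {
                "endpointPublicAccess": True,
                "endpointPrivateAccess": False,
                "publicAccessCidrs": ["0.0.0.0/0"],
            },
        },
    },
    {
        "eventName": "UpdateClusterConfig",
        "eventSource": "eks.amazonaws.com",
        "eventTime": "2024-01-01T12:05:00Z",
        "sourceIPAddress": "10.0.0.5",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/platform-ops"},
        "requestParameters": {
            "name": "dev-cluster",
            "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True},
        },
    },
    {
        "eventName": "CreateCluster",
        "eventSource": "eks.amazonaws.com",
        "eventTime": "2024-01-01T12:10:00Z",
        "sourceIPAddress": "10.0.0.5",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/platform-ops"},
        "requestParameters": {
            "name": "new-cluster",
            "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False},
        },
    },
]


def parse_records(text):
    """Accept either a CloudTrail export ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def is_public_endpoint_change(record):
    """True only for an UpdateClusterConfig call that enables public access.

    CreateCluster is ignored on purpose: new clusters default to a public
    endpoint, which the page lists as a known false positive.
    """
    if record.get("eventSource") != "eks.amazonaws.com":
        return False
    if record.get("eventName") != "UpdateClusterConfig":
        return False
    vpc = (record.get("requestParameters") or {}).get("resourcesVpcConfig") or {}
    return vpc.get("endpointPublicAccess") is True


def worldwide_cidrs(cidrs):
    """Return the CIDRs that admit every address (prefix length 0)."""
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def remediation_command(cluster):
    """AWS CLI call that disables the public endpoint and keeps the private one."""
    return (f"aws eks update-cluster-config --name {cluster} "
            "--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true")


def triage(record):
    """Summarise who changed what, and whether the endpoint is open to everyone."""
    params = record["requestParameters"]
    # EKS treats a missing publicAccessCidrs as 0.0.0.0/0.
    cidrs = params["resourcesVpcConfig"].get("publicAccessCidrs") or ["0.0.0.0/0"]
    return {
        "time": record.get("eventTime"),
        "actor": record.get("userIdentity", {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "cluster": params.get("name"),
        "public_access_cidrs": cidrs,
        "open_to_internet": bool(worldwide_cidrs(cidrs)),
        "remediation": remediation_command(params.get("name")),
    }


def find_public_endpoint_changes(records):
    """Return a triage summary for every record that opened an endpoint."""
    return [triage(r) for r in records if is_public_endpoint_change(r)]


if __name__ == "__main__":
    for finding in find_public_endpoint_changes(parse_records(json.dumps(SAMPLE_RECORDS))):
        print(json.dumps(finding, indent=2))
```

Feed it a real CloudTrail export instead of SAMPLE_RECORDS to get the same summary per event; a finding whose open_to_internet field is true is the case that most urgently needs the listed remediation, while a change restricted to narrow CIDRs still deserves the IAM and RBAC review.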

Known False Positives

  • Initial cluster creation with default public endpoints