AWS principal granted access to many EKS clusters
Description
AlphaSOC detected that an AWS principal was granted access to multiple Amazon EKS clusters. This may indicate an attempt by threat actors to establish persistent access to the AWS EKS environment.
Impact
Granting a single principal access to multiple EKS clusters increases the attack surface and potential impact of a compromise. If this principal is compromised, threat actors could gain unauthorized access to multiple Kubernetes environments, potentially exposing sensitive workloads, secrets, and data across different clusters, or causing service disruptions across the AWS EKS infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | AWS principal granted access to many EKS clusters |
Investigation and Remediation
Review AWS CloudTrail logs to identify the principal that was granted access to multiple EKS clusters and determine who initiated these changes. Verify the principal's legitimate need for multi-cluster access and whether this configuration was intended and authorized. If unauthorized, immediately revoke the excessive permissions, rotate any potentially compromised credentials, and implement least privilege access policies that limit principals to only the EKS clusters they require. Conduct a comprehensive security audit of your AWS environment to identify any other potential misconfigurations or indicators of compromise.
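The CloudTrail review described above can be scripted. The following is an added example, not code from the AlphaSOC page or product: it reads CloudTrail records as JSON lines, keeps only EKS access-granting calls (here `CreateAccessEntry`; the `requestParameters` layout with the cluster as `name` and the grantee as `principalArn` is an assumption), and reports every principal that was granted access to at least a threshold number of distinct clusters together with the identities that granted it. The sample records and the threshold are constructed.

```python
import json
from collections import defaultdict

# Only access-granting EKS API calls count; reads such as DescribeCluster do not.
GRANT_EVENTS = {"CreateAccessEntry"}
THRESHOLD = 3  # constructed threshold: flag a principal that spans this many clusters

def _event(name, region, cluster, principal, actor):
    """Build a minimal constructed CloudTrail record (one JSON line) for the sample below."""
    return json.dumps({
        "eventSource": "eks.amazonaws.com", "eventName": name, "awsRegion": region,
        "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{actor}"},
        # Assumed layout: cluster name as 'name', grantee as 'principalArn'.
        "requestParameters": {"name": cluster, "principalArn": principal},
    })

CI = "arn:aws:iam::111111111111:role/ci-deploy"
DEV = "arn:aws:iam::111111111111:user/dev-b"
SAMPLE_CLOUDTRAIL = [  # constructed sample log lines
    _event("CreateAccessEntry", "us-east-1", "payments-prod", CI, "admin-a"),
    _event("CreateAccessEntry", "us-east-1", "payments-prod", CI, "admin-a"),  # duplicate grant
    _event("CreateAccessEntry", "eu-west-1", "payments-prod", CI, "admin-a"),  # same name, other region
    _event("CreateAccessEntry", "us-east-1", "analytics", CI, "admin-c"),
    _event("DescribeCluster", "us-east-1", "analytics", CI, "admin-a"),        # read-only, ignored
    _event("CreateAccessEntry", "us-east-1", "sandbox", DEV, "admin-a"),
]

def grants_per_principal(lines):
    """Map each granted principalArn to the clusters (region/name) it received and who granted them."""
    grants = defaultdict(lambda: {"clusters": set(), "actors": set()})
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "eks.amazonaws.com" or ev.get("eventName") not in GRANT_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        cluster, principal = params.get("name"), params.get("principalArn")
        if not cluster or not principal:
            continue
        # Cluster names are unique only per account and region, so qualify them with the region.
        grants[principal]["clusters"].add(f"{ev.get('awsRegion')}/{cluster}")
        grants[principal]["actors"].add(ev.get("userIdentity", {}).get("arn", "unknown"))
    return grants

def find_broad_principals(lines, threshold=THRESHOLD):
    """Return principals granted at least `threshold` distinct clusters, with the granting identities."""
    return {p: {"clusters": sorted(g["clusters"]), "actors": sorted(g["actors"])}
            for p, g in grants_per_principal(lines).items() if len(g["clusters"]) >= threshold}

if __name__ == "__main__":
    for principal, info in find_broad_principals(SAMPLE_CLOUDTRAIL).items():
        print(principal, info)
```

The `actors` set answers the "who initiated these changes" question directly; on real data, feed the function the exported CloudTrail JSON lines instead of the constructed sample.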