AWS EC2 new event for EKS Node Group
Goal
Detect when an AWS EKS node group makes a new API call.
Strategy
This rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.
A new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.
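The baseline-then-alert logic described above, as an added example (not the rule's actual implementation). It assumes the node group is identified by the role name in the assumed-role ARN, that the session name is the EC2 instance ID, and a 7-day learning window; the CloudTrail-style records are constructed.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real logs). The account ID, role
# name and instance IDs are placeholders chosen for this example.
ROLE = "arn:aws:sts::111122223333:assumed-role/eks-nodegroup-a-NodeInstanceRole/"

def _ev(time, name, arn):
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn}}

EVENTS = [
    _ev("2024-05-01T00:00:00Z", "DescribeInstances", ROLE + "i-0aaa"),
    _ev("2024-05-02T00:00:00Z", "AssignPrivateIpAddresses", ROLE + "i-0aaa"),
    _ev("2024-05-03T00:00:00Z", "DescribeInstances", ROLE + "i-0bbb"),
    _ev("2024-05-10T00:00:00Z", "DescribeInstances", ROLE + "i-0bbb"),
    _ev("2024-05-10T12:00:00Z", "ListBuckets", ROLE + "i-0bbb"),
    _ev("2024-05-10T12:05:00Z", "ListBuckets", ROLE + "i-0bbb"),
    _ev("2024-05-10T13:00:00Z", "ListBuckets", "arn:aws:iam::111122223333:user/alice"),
]

def node_group(event):
    """Return (role name, session name) for assumed-role callers, else None."""
    arn = event["userIdentity"]["arn"]
    parts = arn.split("/")
    if ":assumed-role/" in arn and len(parts) >= 3:
        return parts[1], parts[2]
    return None

def new_api_calls(events, learning=timedelta(days=7)):
    """Flag API calls a node group first makes after its learning window ends."""
    first_seen, baseline, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = node_group(ev)
        if ident is None:
            continue  # not a role session, so not node group activity
        group, instance = ident
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        start = first_seen.setdefault(group, ts)
        seen = baseline.setdefault(group, set())
        name = ev["eventName"]
        if name in seen:
            continue
        if ts - start >= learning:
            findings.append((ev["eventTime"], group, name, instance))
        seen.add(name)  # alert once, then treat the call as known
    return findings

if __name__ == "__main__":
    for finding in new_api_calls(EVENTS):
        print(finding)
```

The instance ID in each finding points at the host to review first during triage.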
Triage and response
- Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.
- Review any other security signals for the AWS EKS node group.
- If the activity is deemed malicious:
  - If possible, isolate the compromised hosts.
  - Determine what other API calls were made by the EKS node group.
  - Begin your organization’s incident response process and investigate.