AWS EC2 new event for EKS Node Group

cloudtrail

Classification:

attack

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS EKS node group makes a new API call.

Strategy

This rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.

A new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.

Triage and response

  1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.
  2. Review any other security signals for the AWS EKS node group.
  3. If the activity is deemed malicious:
    • If possible, isolate the compromised hosts.
    • Determine what other API calls were made by the EKS node group.
    • Begin your organization’s incident response process and investigate.