AWS principal granted access to a EKS cluster then removed

문서 > Datadog 보안 > OOTB Rules > AWS principal granted access to a EKS cluster then removed

Classification:

attack

Tactic:

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS principal is assigned permissions on an Amazon EKS cluster, and removed permissions shortly after. This can be an indicator of an attacker temporarily granting themselves access to an EKS cluster, then removing permissions to stay under the radar.

Strategy

This rule leverages CloudTrail and triggers if an event CreateAccessEntry is followed by DeleteAccessEntry for the same AWS principal within 1 hour.

To learn more about EKS Cluster Access Management, see this guide on Datadog Security Labs: Deep dive into the new Amazon EKS Cluster Access Management features.

Triage and response

Determine if @requestParameters.principalArn should have access to the EKS cluster.
Determine if {{@userIdentity.session_name}} should have granted permissions on the EKS cluster.
If the API calls were not made by the user:

Rotate user credentials.
Determine what other API calls were made by the user.
Revert the permissions change by removing the access entry.

If the API calls were made by the user:

Determine if the user should be granting access to the cluster.
If not, see if other API calls were made by the user and determine if they warrant further investigation.