Detect when an AWS principal is assigned permissions on an Amazon EKS cluster and has those permissions removed shortly after. This can be an indicator of an attacker temporarily granting themselves access to an EKS cluster, then removing the permissions to stay under the radar.
This rule leverages CloudTrail and triggers if a `CreateAccessEntry` event is followed by a `DeleteAccessEntry` event for the same AWS principal within 1 hour.
To learn more about EKS Cluster Access Management, see this guide on Datadog Security Labs: Deep dive into the new Amazon EKS Cluster Access Management features.
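The correlation described above, written out as an added Python example over constructed CloudTrail-style records (this is not Datadog's rule implementation). It assumes the raw `userIdentity.arn` field identifies the caller and that `principalArn` may arrive URL-encoded on the delete call.

```python
from datetime import datetime, timedelta
from urllib.parse import unquote

WINDOW = timedelta(hours=1)  # correlation window stated by the rule
ACCT = "arn:aws:iam::111111111111"  # constructed account ID

def _event(time, name, role, actor, error=None):
    """Build a constructed CloudTrail-style record with only the fields used here."""
    ev = {"eventTime": time, "eventSource": "eks.amazonaws.com", "eventName": name,
          "requestParameters": {"principalArn": role},
          "userIdentity": {"arn": f"{ACCT}:user/{actor}"}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "CreateAccessEntry", f"{ACCT}:role/example-a", "alice"),
    # Assumption: the ARN may arrive URL-encoded on delete, so it is decoded before matching.
    _event("2024-05-01T10:20:00Z", "DeleteAccessEntry",
           "arn%3Aaws%3Aiam%3A%3A111111111111%3Arole%2Fexample-a", "alice"),
    _event("2024-05-01T11:00:00Z", "CreateAccessEntry", f"{ACCT}:role/example-b", "bob"),
    _event("2024-05-01T13:30:00Z", "DeleteAccessEntry", f"{ACCT}:role/example-b", "bob"),
    _event("2024-05-01T14:00:00Z", "CreateAccessEntry", f"{ACCT}:role/example-c", "carol",
           "AccessDeniedException"),
    _event("2024-05-01T14:05:00Z", "DeleteAccessEntry", f"{ACCT}:role/example-c", "carol"),
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_short_lived_grants(events, window=WINDOW):
    """Return one finding per access entry deleted within `window` of its creation."""
    pending, findings = {}, []  # pending: principalArn -> (created_at, granting identity)
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        if ev.get("eventSource") != "eks.amazonaws.com" or ev.get("errorCode"):
            continue  # other services and failed calls change nothing
        principal = unquote((ev.get("requestParameters") or {}).get("principalArn", ""))
        when, actor = _ts(ev["eventTime"]), ev.get("userIdentity", {}).get("arn", "unknown")
        if ev.get("eventName") == "CreateAccessEntry" and principal:
            pending[principal] = (when, actor)
        elif ev.get("eventName") == "DeleteAccessEntry" and principal in pending:
            created, granter = pending.pop(principal)
            if when - created <= window:
                findings.append({"principalArn": principal, "granted_by": granter,
                                 "removed_by": actor,
                                 "minutes": (when - created).total_seconds() / 60})
    return findings
```

Only `example-a` is reported: `example-b` was removed after more than an hour, and the `CreateAccessEntry` call for `example-c` failed, so no grant existed to pair with its delete.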
Determine whether `{{@requestParameters.principalArn}}` should have access to the EKS cluster.
Determine whether `{{@userIdentity.session_name}}` should have granted permissions on the EKS cluster.