AWS principal granted access to an EKS cluster then removed

Goal

Detect when an AWS principal is assigned permissions on an Amazon EKS cluster and has those permissions removed shortly after. This can be an indicator of an attacker temporarily granting themselves access to an EKS cluster, then removing the permissions to stay under the radar.

Strategy

This rule leverages CloudTrail and triggers if a CreateAccessEntry event is followed by a DeleteAccessEntry event for the same AWS principal within 1 hour.
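The correlation described above, as an added illustration in Python (not the rule's own query or any Datadog code). The CloudTrail records are constructed sample data, and the example additionally requires the cluster name to match, which the rule text does not state.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records (sample data, not real events), reduced to the
# fields the correlation needs. Alice grants TempRole access and removes it 25
# minutes later; Bob grants and removes CiRole 2.5 hours apart (no alert).
def ev(time, name, actor, principal, cluster="prod-cluster"):
    return {"eventTime": time, "eventSource": "eks.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor},
            "requestParameters": {"name": cluster, "principalArn": principal}}

ALICE = "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
TEMP = "arn:aws:iam::123456789012:role/TempRole"
CI = "arn:aws:iam::123456789012:role/CiRole"
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "CreateAccessEntry", ALICE, TEMP),
    ev("2024-05-01T10:25:00Z", "DeleteAccessEntry", ALICE, TEMP),
    ev("2024-05-01T12:00:00Z", "CreateAccessEntry", BOB, CI),
    ev("2024-05-01T14:30:00Z", "DeleteAccessEntry", BOB, CI),
]
WINDOW = timedelta(hours=1)  # the rule's correlation window

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_transient_access_entries(events, window=WINDOW):
    """One alert per CreateAccessEntry followed by a DeleteAccessEntry for the
    same cluster and principalArn within `window`, whoever made the calls."""
    pending = {}  # (cluster, principalArn) -> (create time, actor ARN)
    alerts = []
    for event in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if event.get("eventSource") != "eks.amazonaws.com":
            continue
        params = event.get("requestParameters") or {}
        key = (params.get("name"), params.get("principalArn"))
        if None in key:
            continue
        when = parse_time(event["eventTime"])
        actor = event.get("userIdentity", {}).get("arn", "unknown")
        if event["eventName"] == "CreateAccessEntry":
            pending[key] = (when, actor)  # a later create supersedes an earlier one
        elif event["eventName"] == "DeleteAccessEntry" and key in pending:
            created_at, granted_by = pending.pop(key)
            if when - created_at <= window:
                alerts.append({"cluster": key[0], "principalArn": key[1],
                               "granted_by": granted_by, "removed_by": actor,
                               "minutes_between": int((when - created_at).total_seconds() // 60)})
    return alerts
```

The returned fields mirror what the triage steps ask for: the principal that was granted access and the identity that made the calls.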

To learn more about EKS Cluster Access Management, see this guide on Datadog Security Labs: Deep dive into the new Amazon EKS Cluster Access Management features.

Triage and response

  1. Determine if @requestParameters.principalArn should have access to the EKS cluster.
  2. Determine if {{@userIdentity.session_name}} should have granted permissions on the EKS cluster.
  3. If the API calls were not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Revert the permissions change by removing the access entry.
  4. If the API calls were made by the user:
  • Determine if the user should be granting access to the cluster.
  • If not, see if other API calls were made by the user and determine if they warrant further investigation.