LoFP

Cluster provisioning, GitOps, or approved platform automation may perform these APIs under IAM principals whose ARNs do not match the exclusion patterns. Baseline expected roles and expand exclusions if needed.

Techniques

Sample rules

AWS EKS Access Entry Modified

Description

Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.

Detection logic

data_stream.dataset:"aws.cloudtrail" and event.provider:"eks.amazonaws.com" and
event.action:("CreateAccessEntry" or "AssociateAccessPolicy" or "UpdateAccessEntry" or "DisassociateAccessPolicy" or "DeleteAccessEntry") and
event.outcome:"success" and
not aws.cloudtrail.user_identity.arn:(*AWSServiceRoleForAmazonEKS* or *eksctl* or *terraform* or *AWSCloudFormation*)
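To show how the exclusion list behaves against the false positive described above, here is an added Python example (not part of the LoFP page, the rule, or any Elastic code) that re-implements the rule's conditions over a handful of constructed CloudTrail-style records. The principal ARNs, account IDs, session names and the extra "*platform-provisioner*" exclusion are all made up; the example assumes the ARN field is a keyword field, where KQL wildcards are case-sensitive, so an ARN containing "Terraform" is not covered by the "*terraform*" pattern.

```python
"""Evaluate the 'AWS EKS Access Entry Modified' logic over constructed records.

Added example: the events, ARNs and the extra exclusion pattern below are
constructed for illustration and do not come from the rule or from real logs.
"""
from fnmatch import fnmatchcase

# Conditions taken from the rule's detection logic.
DATASET = "aws.cloudtrail"
PROVIDER = "eks.amazonaws.com"
ACTIONS = {
    "CreateAccessEntry", "AssociateAccessPolicy", "UpdateAccessEntry",
    "DisassociateAccessPolicy", "DeleteAccessEntry",
}
# Wildcard patterns applied to aws.cloudtrail.user_identity.arn.
DEFAULT_EXCLUSIONS = [
    "*AWSServiceRoleForAmazonEKS*", "*eksctl*", "*terraform*", "*AWSCloudFormation*",
]


def arn_is_excluded(arn, exclusions):
    """True if the ARN matches any exclusion pattern (case-sensitive, like a keyword field)."""
    return any(fnmatchcase(arn, pattern) for pattern in exclusions)


def rule_matches(event, exclusions=DEFAULT_EXCLUSIONS):
    """Apply the rule's AND/NOT conditions to one flattened event document."""
    if event.get("data_stream.dataset") != DATASET:
        return False
    if event.get("event.provider") != PROVIDER:
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    if event.get("event.outcome") != "success":
        return False
    return not arn_is_excluded(event.get("aws.cloudtrail.user_identity.arn", ""), exclusions)


def fired_event_ids(events, exclusions=DEFAULT_EXCLUSIONS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e, exclusions)]


def _event(eid, action, outcome, arn):
    # Helper to build a flattened CloudTrail-style document (constructed data).
    return {
        "id": eid,
        "data_stream.dataset": DATASET,
        "event.provider": PROVIDER,
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": arn,
    }


# Constructed sample events. Account id 111122223333 is a placeholder.
SAMPLE_EVENTS = [
    # In-house provisioning role: not covered by the default patterns, so it fires
    # (the false positive the page describes).
    _event("e1", "CreateAccessEntry", "success",
           "arn:aws:sts::111122223333:assumed-role/platform-provisioner/session-1"),
    # eksctl-created role: excluded by "*eksctl*".
    _event("e2", "AssociateAccessPolicy", "success",
           "arn:aws:iam::111122223333:role/eksctl-demo-cluster-ServiceRole"),
    # Failed call: event.outcome is not "success", so no alert.
    _event("e3", "DeleteAccessEntry", "failure",
           "arn:aws:sts::111122223333:assumed-role/platform-provisioner/session-2"),
    # Read-only API not in the action list.
    _event("e4", "DescribeAccessEntry", "success",
           "arn:aws:sts::111122223333:assumed-role/platform-provisioner/session-3"),
    # Capitalised "Terraform" does not match "*terraform*" on a keyword field.
    _event("e5", "UpdateAccessEntry", "success",
           "arn:aws:sts::111122223333:assumed-role/Terraform-apply/session-4"),
]

# Baselined automation role added to the exclusions, as the page suggests.
EXPANDED_EXCLUSIONS = DEFAULT_EXCLUSIONS + ["*platform-provisioner*"]

if __name__ == "__main__":
    print("default exclusions fire on:", fired_event_ids(SAMPLE_EVENTS))
    print("expanded exclusions fire on:", fired_event_ids(SAMPLE_EVENTS, EXPANDED_EXCLUSIONS))
```

Running it shows that only e1 and e5 alert with the default patterns, and that adding the baselined provisioning role's pattern silences e1 while e5 still fires because of the case mismatch; when expanding exclusions, match on the exact role path rather than a loose substring so a broad pattern does not also hide an attacker-created role with a similar name.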