LoFP

Legitimate node group lifecycle, cluster upgrades, or infrastructure-as-code (Terraform, CloudFormation, eksctl) may update aws-auth during expected change windows. Baseline automation identities and expand exclusions beyond eks:kms-storage-migrator if your environment uses additional known controllers.

Techniques

Sample rules

EKS Authentication Configuration Modified

Description

Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups; an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes, because the authentication mapping lives outside the normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations: the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.

Detection logic

data_stream.dataset:"kubernetes.audit_logs" and
kubernetes.audit.objectRef.resource:"configmaps" and
kubernetes.audit.objectRef.name:"aws-auth" and
kubernetes.audit.verb:("update" or "patch" or "delete") and
kubernetes.audit.objectRef.namespace:"kube-system" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:"eks:kms-storage-migrator"
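The following is an added example, not code from the LoFP page or from the rule's upstream source. It replays each clause of the query above in Python over a constructed NDJSON audit log, so you can see which events fire, how the built-in eks:kms-storage-migrator exclusion behaves, and how the false-positive note's advice (baselining additional automation identities) changes the result. Field names are those used in the query; the mapping from a raw kube-apiserver audit Event to those dotted names, the `flatten_audit_event` and `find_alerts` helpers, and every username and event in the sample are assumptions made for this example.

```python
"""Replay of the 'EKS Authentication Configuration Modified' rule over
Kubernetes audit events.  Dotted field names follow the page's query; the
raw-to-flattened mapping and all sample events are constructed here."""
import json

# Principals excluded from the rule.  eks:kms-storage-migrator is the one on the
# page; pass a larger set for controllers/IaC identities you have baselined.
DEFAULT_EXCLUDED_USERS = frozenset({"eks:kms-storage-migrator"})
WATCHED_VERBS = frozenset({"update", "patch", "delete"})


def flatten_audit_event(raw: dict) -> dict:
    """Map a raw audit Event into the dotted names the rule uses.
    Assumption: objectRef.* and annotations land under kubernetes.audit.*,
    and the requesting username lands in user.name."""
    obj = raw.get("objectRef", {})
    ann = raw.get("annotations", {})
    return {
        "data_stream.dataset": "kubernetes.audit_logs",
        "kubernetes.audit.verb": raw.get("verb"),
        "kubernetes.audit.objectRef.resource": obj.get("resource"),
        "kubernetes.audit.objectRef.name": obj.get("name"),
        "kubernetes.audit.objectRef.namespace": obj.get("namespace"),
        "kubernetes.audit.annotations.authorization_k8s_io/decision":
            ann.get("authorization.k8s.io/decision"),
        "user.name": raw.get("user", {}).get("username"),
    }


def matches_rule(event: dict, excluded_users=DEFAULT_EXCLUDED_USERS) -> bool:
    """True when every clause of the page's query holds for one flattened event."""
    clauses = (
        event.get("data_stream.dataset") == "kubernetes.audit_logs",
        event.get("kubernetes.audit.objectRef.resource") == "configmaps",
        event.get("kubernetes.audit.objectRef.name") == "aws-auth",
        event.get("kubernetes.audit.verb") in WATCHED_VERBS,
        event.get("kubernetes.audit.objectRef.namespace") == "kube-system",
        event.get("kubernetes.audit.annotations.authorization_k8s_io/decision") == "allow",
        event.get("user.name") not in excluded_users,
    )
    return all(clauses)


def _raw(verb, name, username, decision="allow", namespace="kube-system",
         resource="configmaps"):
    """Build a constructed raw audit Event carrying only the fields the rule reads."""
    return {
        "kind": "Event",
        "verb": verb,
        "user": {"username": username},
        "objectRef": {"resource": resource, "name": name, "namespace": namespace},
        "annotations": {"authorization.k8s.io/decision": decision},
    }


# Constructed sample audit log, one JSON event per line as a log shipper would send it.
SAMPLE_AUDIT_NDJSON = "\n".join(json.dumps(e) for e in [
    _raw("patch", "aws-auth", "eks:kms-storage-migrator"),      # EKS-internal identity: excluded
    _raw("update", "aws-auth", "terraform-ci"),                 # IaC change window: fires unless baselined
    _raw("patch", "aws-auth", "kubernetes-admin"),              # interactive principal: fires
    _raw("get", "aws-auth", "kubernetes-admin"),                # read-only verb: no modification
    _raw("update", "coredns", "kubernetes-admin"),              # a different ConfigMap: out of scope
    _raw("delete", "aws-auth", "dev-user", decision="forbid"),  # denied by RBAC: not an allowed change
    _raw("update", "aws-auth", "kubernetes-admin", namespace="default"),  # wrong namespace
])


def find_alerts(ndjson: str, excluded_users=DEFAULT_EXCLUDED_USERS) -> list:
    """Parse NDJSON audit lines, flatten each, and return the usernames that fired."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = flatten_audit_event(json.loads(line))
        if matches_rule(event, excluded_users):
            alerts.append(event["user.name"])
    return alerts


if __name__ == "__main__":
    print("default exclusions:", find_alerts(SAMPLE_AUDIT_NDJSON))
    baselined = DEFAULT_EXCLUDED_USERS | {"terraform-ci"}
    print("with IaC baselined:", find_alerts(SAMPLE_AUDIT_NDJSON, baselined))
```

With only the page's exclusion, both the Terraform pipeline identity and the interactive principal fire; passing the pipeline identity in `excluded_users` is the equivalent of extending the `not user.name:` clause, and the interactive change still surfaces. Keep the exclusion set to identities you have actually baselined, since anything in it can rewrite aws-auth without this rule noticing.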