AWS EKS Access Entry Modified

  1[metadata]
  2creation_date = "2026/05/06"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/05/06"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication
 11mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and
 12what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers
 13or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl,
 14Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.
 15"""
 16false_positives = [
 17    """
 18    Cluster provisioning, GitOps, or approved platform automation may perform these APIs under IAM principals whose ARNs do
 19    not match the exclusion patterns. Baseline expected roles and expand exclusions if needed.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "AWS EKS Access Entry Modified"
 27note = """## Triage and analysis
 28
 29### Investigating AWS EKS Access Entry Modified
 30
 31Review aws.cloudtrail.user_identity (ARN, type), user.name, source.ip, user_agent.original, cloud.account.id, and
 32cloud.region. Map event.action to intent: new principal (CreateAccessEntry), policy binding changes (AssociateAccessPolicy,
 33DisassociateAccessPolicy), metadata updates (UpdateAccessEntry), or removal (DeleteAccessEntry).
 34
 35### Possible investigation steps
 36
 37- Inspect aws.cloudtrail.request_parameters and response_elements for cluster name, principal ARN, and policy ARNs.
 38- Compare against change management and infrastructure-as-code deploy windows.
 39- Correlate with Kubernetes audit logs for subsequent API activity from identities tied to the affected access entry.
 40- Pair with the higher-fidelity rule EKS Access Entry Granted Cluster Admin Policy when AssociateAccessPolicy fires.
 41
 42### Response and remediation
 43
 44- If unauthorized, revert access entry changes via AWS APIs or console; restrict eks:* permissions and review SCPs.
 45- Rotate credentials for compromised IAM principals as appropriate.
 46
 47### Additional information
 48
 49- [Amazon EKS access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html)
 50"""
 51references = [
 52    "https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html",
 53]
 54risk_score = 47
 55rule_id = "90c0ce77-3fb4-484f-a8ad-4648e12b35b1"
 56severity = "medium"
 57tags = [
 58    "Domain: Cloud",
 59    "Domain: Kubernetes",
 60    "Data Source: AWS",
 61    "Data Source: Amazon Web Services",
 62    "Data Source: AWS CloudTrail",
 63    "Use Case: Threat Detection",
 64    "Tactic: Persistence",
 65    "Tactic: Privilege Escalation",
 66    "Resources: Investigation Guide",
 67]
 68timestamp_override = "event.ingested"
 69type = "query"
 70query = '''
 71data_stream.dataset:"aws.cloudtrail" and event.provider:"eks.amazonaws.com" and
 72event.action:("CreateAccessEntry" or "AssociateAccessPolicy" or "UpdateAccessEntry" or "DisassociateAccessPolicy" or "DeleteAccessEntry") and
 73event.outcome:"success" and
 74not aws.cloudtrail.user_identity.arn:(*AWSServiceRoleForAmazonEKS* or *eksctl* or *terraform* or *AWSCloudFormation*)
 75'''
 76
 77[rule.investigation_fields]
 78field_names = [
 79    "@timestamp",
 80    "user.name",
 81    "user_agent.original",
 82    "source.ip",
 83    "aws.cloudtrail.user_identity.arn",
 84    "aws.cloudtrail.user_identity.type",
 85    "event.action",
 86    "event.outcome",
 87    "cloud.account.id",
 88    "cloud.region",
 89    "aws.cloudtrail.request_parameters",
 90    "aws.cloudtrail.response_elements",
 91]
 92
 93[[rule.threat]]
 94framework = "MITRE ATT&CK"
 95
 96[[rule.threat.technique]]
 97id = "T1098"
 98name = "Account Manipulation"
 99reference = "https://attack.mitre.org/techniques/T1098/"
100
101[[rule.threat.technique.subtechnique]]
102id = "T1098.006"
103name = "Additional Container Cluster Roles"
104reference = "https://attack.mitre.org/techniques/T1098/006/"
105
106[rule.threat.tactic]
107id = "TA0003"
108name = "Persistence"
109reference = "https://attack.mitre.org/tactics/TA0003/"
110
111[[rule.threat]]
112framework = "MITRE ATT&CK"
113
114[[rule.threat.technique]]
115id = "T1098"
116name = "Account Manipulation"
117reference = "https://attack.mitre.org/techniques/T1098/"
118
119[[rule.threat.technique.subtechnique]]
120id = "T1098.006"
121name = "Additional Container Cluster Roles"
122reference = "https://attack.mitre.org/techniques/T1098/006/"
123
124[rule.threat.tactic]
125id = "TA0004"
126name = "Privilege Escalation"
127reference = "https://attack.mitre.org/tactics/TA0004/"