AWS EKS Access Entry Granted Cluster Admin Policy

Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy access policy is associated with an IAM principal through the EKS Access Entries API (the AssociateAccessPolicy operation). AmazonEKSClusterAdminPolicy maps to the Kubernetes cluster-admin ClusterRole and grants full control of the cluster; AmazonEKSAdminPolicy maps to the admin ClusterRole and may be scoped to the whole cluster or to specific namespaces, so the access scope in the request matters when judging impact. Unlike edits to the legacy aws-auth ConfigMap, which are Kubernetes API operations visible only in Kubernetes audit logs, access entry changes are AWS API calls and are recorded in CloudTrail, giving a detection surface that does not depend on cluster audit logging being enabled. An attacker who has obtained IAM permissions to manage EKS access entries can use this API to backdoor cluster access for persistence, mapping an attacker-controlled IAM identity to cluster-admin privileges without modifying any Kubernetes resources.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/05/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/05/06"

[rule]
author = ["Elastic"]
description = """
Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS
Access Entries API. This grants full cluster-admin equivalent access to the specified IAM user or role. Unlike the
legacy aws-auth ConfigMap which is only visible in Kubernetes audit logs, Access Entries modifications appear in
CloudTrail, providing an additional detection surface. Attackers who have obtained IAM permissions to manage EKS
access entries can use this API to backdoor cluster access for persistence, mapping attacker-controlled IAM
identities to cluster-admin privileges without modifying any Kubernetes resources.
"""
false_positives = [
    """
    Platform or security teams may legitimately associate these policies during cluster onboarding, break-glass admin
    setup, or controlled RBAC migrations from aws-auth. Validate the caller, change ticket, and target IAM principal.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EKS Access Entry Granted Cluster Admin Policy"
note = """## Triage and analysis

### Investigating AWS EKS Access Entry Granted Cluster Admin Policy

Successful AssociateAccessPolicy with AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy binds highly privileged
Kubernetes access to an IAM principal. Review who invoked the API (user.name, aws.cloudtrail.user_identity fields),
source.ip, user_agent.original, cloud.account.id, and cloud.region.

### Possible investigation steps

- Parse aws.cloudtrail.request_parameters and response elements for cluster name, access entry ARN, and policy ARN.
- Confirm whether the IAM principal receiving the policy is expected to have cluster-admin-class access.
- Correlate with other EKS API calls (CreateAccessEntry, UpdateAccessEntry) and with Kubernetes audit activity from
  newly authorized principals.
- Compare against change records for migrations from aws-auth or new administrator onboarding.

### Response and remediation

- If unauthorized, disassociate the policy or remove the access entry per AWS guidance; audit who can call eks:*
  APIs in IAM.
- Rotate credentials for any suspected compromised IAM principal; review organizational SCPs and cluster auth mode.

### Additional information

- [Amazon EKS access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html)
- [AssociateAccessPolicy](https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateAccessPolicy.html)
"""
references = [
    "https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html",
    "https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateAccessPolicy.html",
]
risk_score = 73
rule_id = "9550ec87-e73c-4baa-ad44-e448a33fbc3d"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Kubernetes",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"AssociateAccessPolicy" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:(*AmazonEKSClusterAdminPolicy* or *AmazonEKSAdminPolicy*)
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Investigating AWS EKS Access Entry Granted Cluster Admin Policy

Successful AssociateAccessPolicy with AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy binds highly privileged Kubernetes access to an IAM principal. Review who invoked the API (user.name, aws.cloudtrail.user_identity fields), source.ip, user_agent.original, cloud.account.id, and cloud.region.

Possible investigation steps

  • Parse aws.cloudtrail.request_parameters (stored as a string, which is why the query matches the policy name by wildcard) and aws.cloudtrail.response_elements for the cluster name, the target principalArn (which identifies the access entry), the policyArn, and the accessScope. AmazonEKSClusterAdminPolicy with a cluster-wide scope is a full cluster takeover; AmazonEKSAdminPolicy scoped to one or more namespaces is narrower but still high-impact.
  • Confirm whether the IAM principal receiving the policy is expected to have cluster-admin-class access, and whether it belongs to this account or to an external one.
  • Correlate with other EKS API calls from the same caller (a CreateAccessEntry for the same principalArn shortly before, UpdateAccessEntry, or an UpdateClusterConfig that changed the cluster authentication mode) and with Kubernetes audit activity from the newly authorized principal.
  • Compare against change records for migrations from aws-auth or new administrator onboarding.
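As an added example (not part of the rule or of the Elastic project), the Python below reproduces the rule's match conditions over raw CloudTrail JSON and pulls out the triage fields the steps above ask for, including the access scope that decides whether the grant is cluster-wide. The records are constructed, not real logs; the requestParameters key names (name, principalArn, policyArn, accessScope) are assumed from the shape of the AssociateAccessPolicy request, and the managed policy ARNs use the arn:aws:eks::aws:cluster-access-policy/ form AWS publishes for EKS access policies.

```python
import json

# AWS managed EKS access policies the rule keys on. The KQL query matches the policy name as a
# substring of aws.cloudtrail.request_parameters, so the full ARNs are kept here for triage.
CLUSTER_ADMIN_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
ADMIN_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
VIEW_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
WATCHED = {CLUSTER_ADMIN_POLICY: "cluster-admin", ADMIN_POLICY: "admin"}


def _record(event_name, policy_arn, scope_type, namespaces=(), error=None):
    """Build a constructed CloudTrail record for an EKS access-policy call.

    Top-level keys follow the CloudTrail record format; the requestParameters keys are an
    assumption based on the AssociateAccessPolicy request shape, not copied from a real event.
    """
    rec = {
        "eventSource": "eks.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/session",
        },
        "requestParameters": {
            "name": "prod-cluster",
            "principalArn": "arn:aws:iam::111122223333:role/contractor-role",
            "policyArn": policy_arn,
            "accessScope": {"type": scope_type, "namespaces": list(namespaces)},
        },
    }
    if error:
        rec["errorCode"] = error  # Elastic maps a present errorCode to event.outcome:"failure"
    return rec


# Constructed sample events: two that should alert, two that should not.
SAMPLE_RECORDS = [
    _record("AssociateAccessPolicy", CLUSTER_ADMIN_POLICY, "cluster"),            # cluster-wide cluster-admin
    _record("AssociateAccessPolicy", ADMIN_POLICY, "namespace", ["dev"]),         # admin on one namespace
    _record("AssociateAccessPolicy", VIEW_POLICY, "cluster"),                     # read-only: not watched
    _record("AssociateAccessPolicy", CLUSTER_ADMIN_POLICY, "cluster",
            error="AccessDeniedException"),                                       # failed call: outcome != success
]


def matches_rule(record):
    """Python equivalent of the rule's KQL: EKS provider, AssociateAccessPolicy, success, watched policy."""
    if record.get("eventSource") != "eks.amazonaws.com":
        return False
    if record.get("eventName") != "AssociateAccessPolicy":
        return False
    if "errorCode" in record:
        return False
    # ECS keeps request_parameters as one string, so the rule's *AmazonEKS...Policy* wildcards are a
    # substring test; serialise the dict to mirror that behaviour exactly.
    params_text = json.dumps(record.get("requestParameters", {}))
    return any(name in params_text for name in ("AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy"))


def triage(record):
    """Extract the fields an analyst reviews for a matching event."""
    params = record["requestParameters"]
    scope = params.get("accessScope", {})
    policy_arn = params.get("policyArn", "")
    return {
        "cluster": params.get("name"),
        "target_principal": params.get("principalArn"),
        "policy": WATCHED.get(policy_arn, policy_arn),
        "scope": scope.get("type"),
        "namespaces": scope.get("namespaces", []),
        "caller": record["userIdentity"]["arn"],
        "caller_type": record["userIdentity"]["type"],
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        # cluster-admin bound cluster-wide is a full takeover; admin on a namespace list is narrower.
        "cluster_wide_admin": policy_arn == CLUSTER_ADMIN_POLICY and scope.get("type") == "cluster",
    }


def run_detection(records):
    """Return triage summaries for every record the rule would alert on, in input order."""
    return [triage(r) for r in records if matches_rule(r)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_RECORDS):
        print(json.dumps(hit, indent=2))
```

The substring match is deliberate: it mirrors how the shipped query behaves against the string-typed aws.cloudtrail.request_parameters field, and it shows that AmazonEKSViewPolicy is not picked up while a denied AssociateAccessPolicy attempt is dropped by the success filter. The triage output keeps the access scope separate from the policy so the cluster-wide cluster-admin case can be prioritised over a namespace-scoped admin grant.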

Response and remediation

  • If unauthorized, remove the grant with DisassociateAccessPolicy or delete the entry with DeleteAccessEntry; then audit which IAM principals hold eks:CreateAccessEntry, eks:AssociateAccessPolicy and eks:UpdateClusterConfig, not only broad eks:* grants.
  • Rotate credentials for any suspected compromised IAM principal, both the caller and the principal that received the policy; review organizational SCPs and the cluster authentication mode (access entries are honored only in API or API_AND_CONFIG_MAP mode), and check Kubernetes audit logs for anything the newly authorized principal did before the grant was removed.

Additional information

  • Amazon EKS access entries: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
  • AssociateAccessPolicy: https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateAccessPolicy.html