EKS Authentication Configuration Modified

Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups; an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations: the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2026/05/06"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/06"

[rule]
author = ["Elastic"]
description = """
Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and
users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a
mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node
replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects.
Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and
updated only during node group or access configuration changes.
"""
false_positives = [
    """
    Legitimate node group lifecycle, cluster upgrades, or infrastructure-as-code (Terraform, CloudFormation, eksctl) may
    update aws-auth during expected change windows. Baseline automation identities and expand exclusions beyond
    eks:kms-storage-migrator if your environment uses additional known controllers.
    """,
]
from = "now-9m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "EKS Authentication Configuration Modified"
note = """## Triage and analysis

### Investigating EKS Authentication Configuration Modified

Confirm who changed the mapping (user.name, groups, source.ip, user_agent.original) and whether the change aligns with
approved cluster or node-group operations. Compare the new aws-auth mapRoles/mapUsers content to the prior revision if
request/response capture is available in audit.

### Possible investigation steps

- Identify any new IAM role ARNs or users bound to system:masters or other privileged Kubernetes groups.
- Correlate the timestamp with AWS CloudTrail for related EKS or IAM API activity and with GitOps or pipeline commits.
- Review subsequent API activity from newly mapped IAM principals for secret access, RBAC changes, or workload deployment.
- If Access Entries are enabled, also review CloudTrail for eks:CreateAccessEntry, eks:AssociateAccessPolicy, and similar
  API calls around the same window.

### Response and remediation

- If unauthorized, revert aws-auth from a known-good backup, remove rogue map entries, and rotate or restrict IAM that
  could have performed the change.
- Audit IAM policies that allow eks:UpdateClusterConfig or broad ConfigMap write access to kube-system.
- Escalate per incident policy when system:masters mappings appear from unexpected IAM identities.
"""
references = [
    "https://docs.aws.amazon.com/eks/latest/userguide/auth-configmap.html",
    "https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html"
]
risk_score = 73
rule_id = "5202697c-313b-4bf0-9029-73fe78cd4b6d"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"kubernetes.audit_logs" and
kubernetes.audit.objectRef.resource:"configmaps" and
kubernetes.audit.objectRef.name:"aws-auth" and
kubernetes.audit.verb:("update" or "patch" or "delete") and
kubernetes.audit.objectRef.namespace:"kube-system" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:"eks:kms-storage-migrator"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
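The following is an added example, not part of the Elastic rule or its repository. It replays the query's conditions over a constructed raw Kubernetes audit event (pre-ECS field names such as user.username and objectRef, where the rule's KQL uses user.name and kubernetes.audit.objectRef) and then performs the first triage step from the note: diffing the submitted mapRoles/mapUsers against a known-good baseline to list which principals the change newly binds to system:masters. All ARNs, account IDs and usernames are constructed.

```python
import json

MUTATING_VERBS = {"update", "patch", "delete"}
KNOWN_AUTOMATION = {"eks:kms-storage-migrator"}  # the rule's one exclusion
PRIVILEGED_GROUPS = {"system:masters"}

def matches_rule(event):
    """Mirror of the KQL: aws-auth in kube-system, mutating verb, allowed
    authorization decision, and not a known automation identity."""
    ref = event.get("objectRef", {})
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision")
    return (ref.get("resource") == "configmaps"
            and ref.get("name") == "aws-auth"
            and ref.get("namespace") == "kube-system"
            and event.get("verb") in MUTATING_VERBS
            and decision == "allow"
            and event.get("user", {}).get("username") not in KNOWN_AUTOMATION)

def privileged_principals(config_map):
    """ARNs the ConfigMap binds to a privileged group. mapRoles/mapUsers are
    YAML strings; the sample writes them as JSON (valid YAML) to stay stdlib-only."""
    found = set()
    for key, arn_field in (("mapRoles", "rolearn"), ("mapUsers", "userarn")):
        for entry in json.loads(config_map.get("data", {}).get(key, "[]")):
            if PRIVILEGED_GROUPS & set(entry.get("groups", [])):
                found.add(entry[arn_field])
    return found

def new_privileged_principals(event, baseline):
    """Triage: principals the submitted revision newly binds to system:masters
    versus a known-good baseline. Needs RequestResponse audit level for
    requestObject; a delete carries no object, so nothing is reported."""
    submitted = event.get("requestObject")
    if submitted is None:
        return set()
    return privileged_principals(submitted) - privileged_principals(baseline)

# Constructed samples: a known-good aws-auth and a raw Kubernetes audit event
# (pre-ECS field names) whose requestObject appends a second role mapping.
BASELINE = {"data": {"mapRoles": json.dumps([
    {"rolearn": "arn:aws:iam::111122223333:role/constructed-node-role",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]}])}}
EVENT = {"verb": "update", "annotations": {"authorization.k8s.io/decision": "allow"},
         "user": {"username": "constructed-dev-user"},
         "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"},
         "requestObject": {"data": {"mapRoles": json.dumps(json.loads(BASELINE["data"]["mapRoles"]) + [
             {"rolearn": "arn:aws:iam::111122223333:role/constructed-rogue",
              "username": "admin", "groups": ["system:masters"]}])}}}
```

Calling matches_rule(EVENT) returns True, and new_privileged_principals(EVENT, BASELINE) returns only the constructed-rogue role, which is the entry an analyst would compare against CloudTrail and pipeline history.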

