Guide to AWS GuardDuty findings in EKS

0xffccdd
8 min read · Apr 1, 2022


On January 25, 2022, Amazon GuardDuty will start monitoring Amazon Elastic Kubernetes Service (Amazon EKS) clusters continuously to identify malicious or suspicious behavior that could represent threats to container workloads. Amazon GuardDuty for EKS Protection will look at activity in the control plane by analyzing Kubernetes audit logs from existing and new Amazon EKS clusters in your accounts. GuardDuty is integrated with Amazon EKS, so it can get direct access to the Kubernetes audit logs without you having to turn on or store these logs. Once a threat is detected, GuardDuty will generate a security finding that includes container details such as pod ID, container image ID, and associated tags.

We’ve built a platform for Cloud Detection & Response in AWS including EKS, Azure, and GCP — you can grab a demo here. We integrate directly with GuardDuty. You can also download free playbooks we’ve written on how to respond to security incidents in AWS, Azure, and GCP.

At launch, GuardDuty for EKS Protection will include 27 new GuardDuty finding types that can help detect threats related to user and application activity captured in Kubernetes audit logs. GuardDuty for EKS Protection will be enabled by default for all new and existing GuardDuty accounts, and will not require any additional configuration of GuardDuty or Amazon EKS. Each AWS account will receive a 30-day free trial in each AWS region to evaluate this new capability. During the free trial period you can view your estimated EKS Protection spend in the GuardDuty console Usage page. You can suspend EKS Protection at any time in the Kubernetes Protection page in the GuardDuty console.

CredentialAccess:Kubernetes/SuccessfulAnonymousAccess

This finding means that an API operation was successfully completed by the system:anonymous user. API calls made by system:anonymous are not authenticated. The observed API is typically associated with the credential access tactics where an adversary is trying to collect passwords, user names, and access keys for your Kubernetes cluster. This activity indicates that anonymous or unauthenticated access is allowed on the API action reported in the finding and may be allowed on other actions. If this behavior is not what was expected, it may indicate a configuration mistake or that your credentials have been compromised.

DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess

This means that an API operation was successfully invoked by the system:anonymous user. API calls made by system:anonymous are unauthenticated. The API is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

Discovery:Kubernetes/SuccessfulAnonymousAccess

The finding means that the system:anonymous user was able to successfully use an API operation. This is a problem because system:anonymous is an unauthenticated user, which means that anyone can use it. This means that anyone can access the API action reported in the finding, and possibly other actions as well. If this is not the intended behavior, it could be due to a configuration mistake or that your credentials have been compromised.

Impact:Kubernetes/SuccessfulAnonymousAccess

The finding tells you that an API operation was successfully invoked by the system:anonymous user. API calls made by system:anonymous are unauthenticated. The observed API is commonly associated with the impact stage of an attack, where an adversary is trying to manipulate, interrupt, or destroy data. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions.

Persistence:Kubernetes/SuccessfulAnonymousAccess

An API operation was successfully invoked by the system:anonymous user. This means that the API calls made by system:anonymous are unauthenticated. The observed API is commonly associated with the persistence tactics where an adversary has gained access to your cluster and is attempting to maintain that access. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

Policy:Kubernetes/AnonymousAccessGranted

A user has created a ClusterRoleBinding or RoleBinding that gives the system:anonymous user access to some API operations. This could be a mistake, or it could mean that someone’s credentials have been compromised.

Execution:Kubernetes/ExecInKubeSystemPod

A command was executed in a pod within the kube-system namespace using the Kubernetes exec API. The kube-system namespace is a default namespace used for system-level components. It is uncommon to execute commands inside pods or containers under the kube-system namespace, and doing so may indicate suspicious activity.

Persistence:Kubernetes/ContainerWithSensitiveMount

A container was launched with a configuration that included a sensitive host path with write access in the volumeMounts section. This makes the sensitive host path accessible and writable from inside the container. This technique is commonly used by adversaries to gain access to the host’s filesystem.

Policy:Kubernetes/AdminAccessToDefaultServiceAccount

Kubernetes creates a default service account for all the namespaces in the cluster and automatically assigns the default service account as an identity to pods that have not been explicitly associated to another service account. If the default service account has admin privileges, it may result in pods being unintentionally launched with admin privileges, which may indicate a configuration mistake or that your credentials are compromised.
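Both Policy findings above, and the SuccessfulAnonymousAccess family before them, come down to RBAC bindings that you can audit yourself before GuardDuty has to tell you. The script below is an added example written for this article, not code from the original post or from AWS: it walks the output of `kubectl get clusterrolebindings,rolebindings -A -o json` and reports bindings that grant access to the anonymous user (or the `system:unauthenticated` group that user belongs to) and bindings that hand an admin role to a namespace's `default` service account. The set of roles treated as "admin", the allowlisted bootstrap binding and the sample binding list are assumptions constructed for the example; the page does not say which roles GuardDuty counts.

```python
"""Audit RBAC bindings for the two conditions behind
Policy:Kubernetes/AnonymousAccessGranted and
Policy:Kubernetes/AdminAccessToDefaultServiceAccount.

Input: the JSON list printed by
    kubectl get clusterrolebindings,rolebindings -A -o json
SAMPLE below is a constructed stand-in for that output."""
import json
import sys

# Subjects that stand for unauthenticated callers. system:anonymous is the user
# named in the findings; system:unauthenticated is the group Kubernetes places
# that user in, so a binding to either one grants anonymous access.
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Bootstrap binding every cluster ships with: it lets unauthenticated callers
# read non-resource URLs such as /version and /healthz. Allowlisted so the
# audit does not flag a default that is not the misconfiguration described.
BOOTSTRAP_ALLOWLIST = {"system:public-info-viewer"}

# Roles treated as "admin" for the default-service-account check. Assumed list
# for this example; the article does not state which roles GuardDuty counts.
ADMIN_ROLES = {"cluster-admin", "admin"}


def _binding_id(b: dict) -> str:
    meta = b["metadata"]
    ns = meta.get("namespace")
    return f"{b['kind']}/{ns}/{meta['name']}" if ns else f"{b['kind']}/{meta['name']}"


def audit_bindings(binding_list: dict) -> list:
    """Return one finding dict per misconfigured (binding, subject) pair."""
    findings = []
    for b in binding_list.get("items", []):
        if b["metadata"]["name"] in BOOTSTRAP_ALLOWLIST:
            continue
        role = b["roleRef"]["name"]
        # 'subjects' is optional on a binding object, so default to an empty list.
        for s in b.get("subjects") or []:
            if (s["kind"], s["name"]) in ANONYMOUS_SUBJECTS:
                findings.append({"check": "AnonymousAccessGranted",
                                 "binding": _binding_id(b), "role": role,
                                 "subject": f"{s['kind']}/{s['name']}"})
            if (s["kind"] == "ServiceAccount" and s["name"] == "default"
                    and role in ADMIN_ROLES):
                findings.append({"check": "AdminAccessToDefaultServiceAccount",
                                 "binding": _binding_id(b), "role": role,
                                 "subject": f"ServiceAccount/{s.get('namespace')}/default"})
    return findings


# Constructed sample: two misconfigurations, one bootstrap default, one benign binding.
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-read-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-admin", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-view", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}]},
]}

if __name__ == "__main__":
    # Pass a file saved from kubectl as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_bindings(data):
        print(f"{f['check']}: {f['binding']} binds {f['subject']} to {f['role']}")
```

Running it on the sample reports the anonymous binding and the `cluster-admin` grant to `dev/default`, while the stock `system:public-info-viewer` binding and the read-only `view` grant pass. Extend `ADMIN_ROLES` with any custom roles in your cluster that carry wildcard verbs.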

Policy:Kubernetes/ExposedDashboard

The finding indicates that the Kubernetes dashboard for your cluster is accessible from the internet due to a Load Balancer service. This makes it possible for anyone to exploit any authentication and access control gaps that may be present.

Policy:Kubernetes/KubeflowDashboardExposed

The finding informs you that the Kubeflow dashboard for your cluster was exposed to the Internet by a Load Balancer service. This exposes the management interface of your Kubeflow environment to the Internet and allows adversaries to exploit any authentication and access control gaps that may be present.

PrivilegeEscalation:Kubernetes/PrivilegedContainer

This means that a container with root access was launched on your Kubernetes cluster using an image that has never been used to launch privileged containers before. This could be a privilege escalation tactic used by an adversary to gain access to and then compromise the host.
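The ContainerWithSensitiveMount and PrivilegedContainer findings above both describe conditions visible in the pod spec at launch, so they can be checked in admission or in CI before the pod ever runs. The following checker is an added example for this article, not code from the original post or from AWS: given a Pod object as printed by `kubectl get pod NAME -o json`, it flags containers that set `securityContext.privileged` and containers that mount a sensitive `hostPath` without `readOnly`. The list of paths treated as sensitive and the sample pod are assumptions constructed for the example; the page does not publish GuardDuty's own path list.

```python
"""Check a Pod for the two launch-time conditions behind
Persistence:Kubernetes/ContainerWithSensitiveMount and
PrivilegeEscalation:Kubernetes/PrivilegedContainer.

Input: a Pod object as printed by `kubectl get pod NAME -o json`.
SAMPLE_POD below is constructed for this example."""
import json
import posixpath
import sys

# Host paths treated as sensitive here. Assumed list for the example; the
# article does not publish GuardDuty's own list. '/' is handled separately.
SENSITIVE_HOST_PATHS = ("/etc", "/var/run", "/var/lib/kubelet", "/proc", "/root", "/home")


def is_sensitive_host_path(path: str) -> bool:
    """True for '/' itself or for anything at or under a listed prefix.

    The match is path-boundary aware, so /etc/kubernetes/pki counts but /etcetera does not."""
    p = posixpath.normpath(path)
    if p == "/":
        return True
    return any(p == base or p.startswith(base + "/") for base in SENSITIVE_HOST_PATHS)


def audit_pod(pod: dict) -> list:
    """Return one finding dict per privileged container or writable sensitive hostPath mount."""
    spec = pod["spec"]
    name = pod["metadata"]["name"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings = []
    # initContainers run before the main containers and can mount the same volumes.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append({"check": "PrivilegedContainer", "pod": name,
                             "container": c["name"], "image": c.get("image")})
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"], {})
            if "hostPath" not in vol:
                continue  # configMap, secret, emptyDir etc. are not host paths
            host_path = vol["hostPath"]["path"]
            # readOnly defaults to false, so a mount that omits it is writable.
            writable = not m.get("readOnly", False)
            if writable and is_sensitive_host_path(host_path):
                findings.append({"check": "ContainerWithSensitiveMount", "pod": name,
                                 "container": c["name"], "host_path": host_path,
                                 "mount_path": m["mountPath"]})
    return findings


# Constructed sample: a privileged agent with the host root mounted writable,
# beside an app container whose hostPath mount is read-only and therefore fine.
SAMPLE_POD = {
    "metadata": {"name": "node-agent", "namespace": "monitoring"},
    "spec": {
        "volumes": [
            {"name": "host-root", "hostPath": {"path": "/"}},
            {"name": "certs", "hostPath": {"path": "/etc/ssl/certs"}},
            {"name": "config", "configMap": {"name": "agent-config"}},
        ],
        "containers": [
            {"name": "agent", "image": "example.invalid/agent:1.0",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]},
            {"name": "app", "image": "example.invalid/app:1.0",
             "volumeMounts": [{"name": "certs", "mountPath": "/etc/ssl/certs", "readOnly": True},
                              {"name": "config", "mountPath": "/config"}]},
        ],
    },
}

if __name__ == "__main__":
    pod = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD
    for f in audit_pod(pod):
        print(f)
```

On the sample the `agent` container produces both findings and `app` produces none, because its only hostPath mount is read-only. The same logic applies unchanged to the `template.spec` of a Deployment or DaemonSet, which is where a CI check would normally run it.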

Network Detections

CredentialAccess:Kubernetes/MaliciousIPCaller

This message is telling you that someone has tried to access your Kubernetes cluster using a known malicious IP address. This IP address is associated with attempts to collect passwords, user names, and access keys.

CredentialAccess:Kubernetes/MaliciousIPCaller.Custom

This finding means that someone tried to access your Kubernetes cluster using an IP address that’s on a threat list that you uploaded. The threat list associated with this finding is listed in the Additional Information section of a finding’s details. The API that was used is often associated with credential access, where someone is trying to get passwords, user names, and access keys for your Kubernetes cluster.

CredentialAccess:Kubernetes/TorIPCaller

The finding tells you that an API was called from a Tor exit node. The API is often used for getting passwords, user names, and access keys for environments. Tor is software that allows for anonymous communication. It encrypts communications and sends them through different relays to different network nodes. The last Tor node is called the exit node. This finding could mean that someone unauthorized accessed your Kubernetes cluster resources in order to hide their identity.

DefenseEvasion:Kubernetes/MaliciousIPCaller

This means that an API operation was invoked from an IP address associated with known malicious activity, and the API observed is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection.

DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom

This finding informs you that an API operation was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the Additional Information section of a finding’s details. The API observed is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection.

DefenseEvasion:Kubernetes/TorIPCaller

An API was invoked from a Tor exit node IP address, which is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. Tor is software that enables anonymous communication by encrypting and randomly bouncing communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Kubernetes cluster with the intent of hiding the adversary’s true identity.

Discovery:Kubernetes/MaliciousIPCaller

A recent API operation on your Kubernetes cluster was called from an IP address associated with known malicious activity. This operation is typically used during the discovery stage of an attack, when an attacker is gathering information to determine if your Kubernetes cluster is vulnerable to a more expansive attack.

Discovery:Kubernetes/MaliciousIPCaller.Custom

An API was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the Additional Information section of the finding’s details. The observed API is commonly used in the discovery stage of an attack, wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack.

Discovery:Kubernetes/TorIPCaller

An API was invoked from a Tor exit node IP address, which is commonly used in the discovery stage of an attack to determine if a Kubernetes cluster is susceptible to a broader attack. This indicates unauthorized access to the Kubernetes cluster with the intent of hiding the adversary’s true identity.

Impact:Kubernetes/MaliciousIPCaller

An API operation was invoked from an IP address that is associated with known malicious activity, which is likely an attempt to manipulate, interrupt, or destroy data within the AWS environment.

Impact:Kubernetes/MaliciousIPCaller.Custom

This means that someone has tried to access your AWS environment from an IP address that is on a threat list. The threat list is in the Additional Information section of the finding’s details. The API that was accessed is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.

Impact:Kubernetes/TorIPCaller

The finding suggests that an API was invoked from a Tor exit node IP address, which is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within an AWS environment.

Persistence:Kubernetes/MaliciousIPCaller

This means that someone has accessed your Kubernetes cluster from an IP address that is associated with known malicious activity, and they are likely trying to maintain that access.

Persistence:Kubernetes/MaliciousIPCaller.Custom

The finding informs you that an API operation was invoked from an IP address that is included on a threat list. The threat list is associated with this finding and is listed in the Additional Information section of a finding’s details. The API operation is commonly associated with persistence tactics where an adversary has gained access to your Kubernetes cluster and is attempting to maintain that access.

Persistence:Kubernetes/TorIPCaller

The finding suggests that someone has accessed your AWS resources through the Tor network in order to conceal their identity. This could indicate that the person is trying to maintain access to your Kubernetes cluster and is using tactics associated with keeping access to a system.
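Every finding in this Network Detections section follows the same naming scheme, `<Tactic>:Kubernetes/<Name>[.Custom]`: the tactic prefix says what stage of an attack the API call is associated with, the name says why the caller is suspect (known-malicious IP, your own threat list, or a Tor exit node), and the `.Custom` variants carry the threat list name in Additional Information. The script below is an added example written for this article, not code from the original post or from AWS: it parses the type string, pulls out the remote IP, the API verb and URI, and the threat list name, and then groups tactics by remote IP so that a single source seen across Discovery, CredentialAccess and Persistence shows up as one intrusion rather than three alerts. The field paths (`service.action.kubernetesApiCallAction.*`, `service.additionalInfo.threatListName`, `resource.eksClusterDetails.name`) are my understanding of the finding JSON as delivered through EventBridge and should be treated as assumptions to verify against a real finding; the sample findings and their TEST-NET addresses are constructed.

```python
"""Triage GuardDuty EKS findings of the MaliciousIPCaller / .Custom / TorIPCaller family.

Finding types follow <Tactic>:Kubernetes/<Name>[.Custom]. Field paths below are
assumed to match the finding JSON delivered through EventBridge; verify them
against a real finding. SAMPLE_FINDINGS are constructed for this example."""
import re
from collections import defaultdict

TYPE_RE = re.compile(r"^(?P<tactic>\w+):(?P<resource>\w+)/(?P<name>\w+)(?P<custom>\.Custom)?$")

# Why the caller is suspect, keyed by the finding name.
SOURCE_LABELS = {
    "MaliciousIPCaller": "known-malicious IP",
    "TorIPCaller": "Tor exit node",
    "SuccessfulAnonymousAccess": "system:anonymous",
}


def parse_type(finding_type: str) -> dict:
    """Split 'CredentialAccess:Kubernetes/MaliciousIPCaller.Custom' into its parts."""
    m = TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised finding type: {finding_type}")
    parts = m.groupdict()
    parts["custom"] = parts["custom"] is not None
    return parts


def describe_source(parsed: dict) -> str:
    if parsed["custom"]:
        return "IP on your own threat list"
    return SOURCE_LABELS.get(parsed["name"], parsed["name"])


def triage(finding: dict) -> dict:
    """Flatten one finding into the fields an analyst looks at first."""
    parsed = parse_type(finding["type"])
    service = finding.get("service", {})
    # Only Kubernetes API call findings carry this action; .get() keeps other
    # finding kinds from raising, they simply yield None for the call fields.
    action = service.get("action", {}).get("kubernetesApiCallAction", {})
    return {
        "tactic": parsed["tactic"],
        "source": describe_source(parsed),
        "ip": action.get("remoteIpDetails", {}).get("ipAddressV4"),
        "verb": action.get("verb"),
        "uri": action.get("requestUri"),
        "threat_list": service.get("additionalInfo", {}).get("threatListName"),
        "cluster": finding.get("resource", {}).get("eksClusterDetails", {}).get("name"),
        "severity": finding.get("severity"),
    }


def tactics_by_ip(findings: list) -> dict:
    """Map each remote IP to the sorted tactics seen from it.

    The same IP across several tactics usually means one intrusion, not several."""
    seen = defaultdict(set)
    for f in findings:
        row = triage(f)
        if row["ip"]:
            seen[row["ip"]].add(row["tactic"])
    return {ip: sorted(tactics) for ip, tactics in seen.items()}


def _finding(ftype, ip, verb, uri, severity, threat_list=None):
    """Build a constructed finding in the assumed EventBridge shape."""
    f = {"type": ftype, "severity": severity,
         "resource": {"resourceType": "EKSCluster", "eksClusterDetails": {"name": "prod-eks"}},
         "service": {"action": {"actionType": "KUBERNETES_API_CALL",
                                "kubernetesApiCallAction": {"verb": verb, "requestUri": uri,
                                                            "remoteIpDetails": {"ipAddressV4": ip}}},
                     "additionalInfo": {}}}
    if threat_list:
        f["service"]["additionalInfo"]["threatListName"] = threat_list
    return f


# Constructed sample: one source (203.0.113.7) seen in two tactics, one Tor caller.
SAMPLE_FINDINGS = [
    _finding("Discovery:Kubernetes/MaliciousIPCaller", "203.0.113.7",
             "list", "/api/v1/namespaces", 5),
    _finding("CredentialAccess:Kubernetes/MaliciousIPCaller.Custom", "203.0.113.7",
             "list", "/api/v1/secrets", 5, threat_list="my-threat-list"),
    _finding("Persistence:Kubernetes/TorIPCaller", "198.51.100.23",
             "create", "/apis/apps/v1/namespaces/default/deployments", 5),
]

if __name__ == "__main__":
    for row in map(triage, SAMPLE_FINDINGS):
        print(row)
    print(tactics_by_ip(SAMPLE_FINDINGS))
```

Fed findings from an EventBridge rule or `aws guardduty get-findings`, the grouping step is what turns a burst of separate GuardDuty alerts into a per-source timeline; the `verb` and `uri` fields tell you which Kubernetes resources the caller actually touched, which is the first thing to scope during response.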
