Guide to AWS GuardDuty findings in EKS

CredentialAccess:Kubernetes/SuccessfulAnonymousAccess

This finding means that an API operation was successfully completed by the system:anonymous user. API calls made by system:anonymous are not authenticated. The observed API is typically associated with the credential access tactics where an adversary is trying to collect passwords, user names, and access keys for your Kubernetes cluster. This activity indicates that anonymous or unauthenticated access is allowed on the API action reported in the finding and may be allowed on other actions. If this behavior is not what was expected, it may indicate a configuration mistake or that your credentials have been compromised.

DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess

This means that an API operation was successfully invoked by the system:anonymous user. API calls made by system:anonymous are unauthenticated. The API is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

Discovery:Kubernetes/SuccessfulAnonymousAccess

The finding means that the system:anonymous user was able to successfully use an API operation. This is a problem because system:anonymous is an unauthenticated user, which means that anyone can use it. This means that anyone can access the API action reported in the finding, and possibly other actions as well. If this is not the intended behavior, it could be due to a configuration mistake or that your credentials have been compromised.

Impact:Kubernetes/SuccessfulAnonymousAccess

The finding tells you that an API operation was successfully invoked by the system:anonymous user. This means that the API calls made by system:anonymous are unauthenticated. The finding also says that the observed API is commonly associated with the impact stage of an attack. This means that if anonymous or unauthenticated access is permitted on the API action reported in the finding, it may be permitted on other actions.

Persistence:Kubernetes/SuccessfulAnonymousAccess

An API operation was successfully invoked by the system:anonymous user. This means that the API calls made by system:anonymous are unauthenticated. The observed API is commonly associated with the persistence tactics where an adversary has gained access to your cluster and is attempting to maintain that access. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

Policy:Kubernetes/AnonymousAccessGranted

A user has created a ClusterRoleBinding or RoleBinding that gives the system:anonymous user access to some API operations. This could be a mistake, or it could mean that someone’s credentials have been compromised.

Execution:Kubernetes/ExecInKubeSystemPod

A command was executed in a pod within the kube-system namespace using Kubernetes exec API. kube-system namespace is a default namespaces, which is used for system level components. It is uncommon to execute commands inside pods or containers under kube-system namespace and may indicate suspicious activity.

Persistence:Kubernetes/ContainerWithSensitiveMount

A container was launched with a configuration that included a sensitive host path with write access in the volumeMounts section. This makes the sensitive host path accessible and writable from inside the container. This technique is commonly used by adversaries to gain access to the host’s filesystem.

Policy:Kubernetes/AdminAccessToDefaultServiceAccount

Kubernetes creates a default service account for all the namespaces in the cluster and automatically assigns the default service account as an identity to pods that have not been explicitly associated to another service account. If the default service account has admin privileges, it may result in pods being unintentionally launched with admin privileges, which may indicate a configuration mistake or that your credentials are compromised.

Policy:Kubernetes/ExposedDashboard

The finding indicates that the Kubernetes dashboard for your cluster is accessible from the internet due to a Load Balancer service. This makes it possible for anyone to exploit any authentication and access control gaps that may be present.

Policy:Kubernetes/KubeflowDashboardExposed

The finding informs you that the Kubeflow dashboard for your cluster was exposed to the Internet by a Load Balancer service. This exposes the management interface of your Kubeflow environment to the Internet and allows adversaries to exploit any authentication and access control gaps that may be present.

PrivilegeEscalation:Kubernetes/PrivilegedContainer

This means that a container with root access was launched on your Kubernetes cluster using an image that has never been used to launch privileged containers before. This could be a privilege escalation tactic used by an adversary to gain access to and then compromise the host.

CredentialAccess:Kubernetes/MaliciousIPCaller

This message is telling you that someone has tried to access your Kubernetes cluster using a known malicious IP address. This IP address is associated with attempts to collect passwords, user names, and access keys.

CredentialAccess:Kubernetes/MaliciousIPCaller.Custom

This finding means that someone tried to access your Kubernetes cluster using an IP address that’s on a threat list that you uploaded. The threat list associated with this finding is listed in the Additional Information section of a finding’s details. The API that was used is often associated with credential access, where someone is trying to get passwords, user names, and access keys for your Kubernetes cluster.

CredentialAccess:Kubernetes/TorIPCaller

The finding tells you that an API was called from a Tor exit node. The API is often used for getting passwords, user names, and access keys for environments. Tor is software that allows for anonymous communication. It encrypts communications and sends them through different relays to different network nodes. The last Tor node is called the exit node. This finding could mean that someone unauthorized accessed your Kubernetes cluster resources in order to hide their identity.

DefenseEvasion:Kubernetes/MaliciousIPCaller

This means that someone used an API in a way that suggests they were trying to evade detection. This is often done by adversaries who want to hide their actions.

DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom

This finding informs you that an API operation was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the Additional Information section of a finding’s details. The API observed is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection.

DefenseEvasion:Kubernetes/TorIPCaller

An API was invoked from a Tor exit node IP address, which is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. Tor is software that enables anonymous communication by encrypting and randomly bouncing communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Kubernetes cluster with the intent of hiding the adversary’s true identity.

Discovery:Kubernetes/MaliciousIPCaller

A recent API operation on your Kubernetes cluster was called from an IP address associated with known malicious activity. This operation is typically used during the discovery stage of an attack, when an attacker is gathering information to determine if your Kubernetes cluster is vulnerable to a more expansive attack.

Discovery:Kubernetes/MaliciousIPCaller.Custom

An API was invoked from an IP address that is included on a threat list. The threat list is associated with this finding. The observed API is commonly used with the discovery stage of an attack wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack.

Discovery:Kubernetes/TorIPCaller

An API was invoked from a Tor exit node IP address, which is commonly used in the discovery stage of an attack to determine if a Kubernetes cluster is susceptible to a broader attack. This indicates unauthorized access to the Kubernetes cluster with the intent of hiding the adversary’s true identity.

Impact:Kubernetes/MaliciousIPCaller

An API operation was invoked from an IP address that is associated with known malicious activity, which is likely an attempt to manipulate, interrupt, or destroy data within the AWS environment.

Impact:Kubernetes/MaliciousIPCaller.Custom

This means that someone has tried to access your AWS environment from an IP address that is on a threat list. The threat list is in the Additional Information section of the finding’s details. The API that was accessed is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.

Impact:Kubernetes/TorIPCaller

The finding suggests that an API was invoked from a Tor exit node IP address, which is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within an AWS environment.

Persistence:Kubernetes/MaliciousIPCaller

This means that someone has accessed your Kubernetes cluster from an IP address that is associated with known malicious activity, and they are likely trying to maintain that access.

Persistence:Kubernetes/MaliciousIPCaller.Custom

The finding informs you that an API operation was invoked from an IP address that is included on a threat list. The threat list is associated with this finding and is listed in the Additional Information section of a finding’s details. The API operation is commonly associated with persistence tactics where an adversary has gained access to your Kubernetes cluster and is attempting to maintain that access.

Persistence:Kubernetes/TorIPCaller

The finding suggests that someone has accessed your AWS resources through the Tor network in order to conceal their identity. This could indicate that the person is trying to maintain access to your Kubernetes cluster and is using tactics associated with keeping access to a system.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store