
AWS EKS Access Entry Granted Cluster Admin Policy

Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS Access Entries API. This grants full cluster-admin equivalent access to the specified IAM user or role. Unlike the legacy aws-auth ConfigMap which is only visible in Kubernetes audit logs, Access Entries modifications appear in CloudTrail, providing an additional detection surface. Attackers who have obtained IAM permissions to manage EKS access entries can use this API to backdoor cluster access for persistence, mapping attacker-controlled IAM identities to cluster-admin privileges without modifying any Kubernetes resources.

MITRE ATT&CK

privilege-escalation, persistence

Detection Query

data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"AssociateAccessPolicy" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:(*AmazonEKSClusterAdminPolicy* or *AmazonEKSAdminPolicy*)

Author

Elastic

Created

2026/05/06

Data Sources

AWS, Amazon Web Services, AWS CloudTrail, filebeat-*, logs-aws.cloudtrail-*

Tags

Domain: Cloud; Domain: Kubernetes; Data Source: AWS; Data Source: Amazon Web Services; Data Source: AWS CloudTrail; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Persistence; Resources: Investigation Guide
Raw Content
[metadata]
# Rule lifecycle metadata. Dates are "YYYY/MM/DD" strings rather than native TOML
# dates; creation_date and updated_date coincide here.
creation_date = "2026/05/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/05/06"

[rule]
# Alerts on successful EKS AssociateAccessPolicy calls in CloudTrail that attach either
# AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy to an IAM principal (see query below).
author = ["Elastic"]
description = """
Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS
Access Entries API. This grants full cluster-admin equivalent access to the specified IAM user or role. Unlike the
legacy aws-auth ConfigMap which is only visible in Kubernetes audit logs, Access Entries modifications appear in
CloudTrail, providing an additional detection surface. Attackers who have obtained IAM permissions to manage EKS
access entries can use this API to backdoor cluster access for persistence, mapping attacker-controlled IAM
identities to cluster-admin privileges without modifying any Kubernetes resources.
"""
false_positives = [
    """
    Platform or security teams may legitimately associate these policies during cluster onboarding, break-glass admin
    setup, or controlled RBAC migrations from aws-auth. Validate the caller, change ticket, and target IAM principal.
    """,
]
# Start of each run's search window, relative to execution time; the window is anchored
# on event.ingested (see timestamp_override below) rather than @timestamp.
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EKS Access Entry Granted Cluster Admin Policy"
note = """## Triage and analysis

### Investigating AWS EKS Access Entry Granted Cluster Admin Policy

Successful AssociateAccessPolicy with AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy binds highly privileged
Kubernetes access to an IAM principal. Review who invoked the API (user.name, aws.cloudtrail.user_identity fields),
source.ip, user_agent.original, cloud.account.id, and cloud.region.

### Possible investigation steps

- Parse aws.cloudtrail.request_parameters and response elements for cluster name, access entry ARN, and policy ARN.
- Confirm whether the IAM principal receiving the policy is expected to have cluster-admin-class access.
- Correlate with other EKS API calls (CreateAccessEntry, UpdateAccessEntry) and with Kubernetes audit activity from
  newly authorized principals.
- Compare against change records for migrations from aws-auth or new administrator onboarding.

### Response and remediation

- If unauthorized, disassociate the policy or remove the access entry per AWS guidance; audit who can call eks:*
  APIs in IAM.
- Rotate credentials for any suspected compromised IAM principal; review organizational SCPs and cluster auth mode.

### Additional information

- [Amazon EKS access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html)
- [AssociateAccessPolicy](https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateAccessPolicy.html)
"""
references = [
    "https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html",
    "https://docs.aws.amazon.com/eks/latest/APIReference/API_AssociateAccessPolicy.html",
]
risk_score = 73
rule_id = "9550ec87-e73c-4baa-ad44-e448a33fbc3d"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Kubernetes",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
# Search on ingest time instead of event time — presumably to tolerate CloudTrail delivery
# lag within the lookback window; confirm against the deployment's ingest pipeline.
timestamp_override = "event.ingested"
type = "query"
# KQL query. Only successful calls match (event.outcome:"success"), so denied attempts to
# attach these policies fall outside this rule. The final clause substring-matches the two
# policy names inside the request payload, which also carries the cluster name and the
# access-entry/policy ARNs used in the triage note above.
# NOTE(review): AssociateAccessPolicy requests also carry an accessScope (cluster- vs
# namespace-scoped); the query does not distinguish them, so a namespace-scoped
# AmazonEKSAdminPolicy association alerts at the same severity. Confirm against the API
# reference in `references` and consider surfacing the scope during triage.
query = '''
data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"AssociateAccessPolicy" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:(*AmazonEKSClusterAdminPolicy* or *AmazonEKSAdminPolicy*)
'''

[rule.investigation_fields]
# Fields highlighted for alert investigation: caller identity (user.name,
# user_identity.arn/type), origin (source.ip, user_agent.original), account and
# region, and the raw request/response payloads that hold the cluster name,
# access entry ARN and policy ARN referenced in the rule's triage note.
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
# First of two ATT&CK mappings. The same technique/sub-technique (T1098 /
# T1098.006) is listed once per tactic; this entry covers Privilege Escalation
# (TA0004), the following one covers Persistence.
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
# Second ATT&CK mapping: the same technique/sub-technique (T1098 / T1098.006)
# under the Persistence tactic (TA0003), mirroring the Privilege Escalation entry
# above. Both tactics appear in `tags`.
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"