Full Report
We explore how advancements in EKS Access Entries and Pod Identity have opened new attack vectors and offer examples of how adversaries could exploit them.
Analysis Summary
# Tool/Technique: EKS Access Entries and Policies Exploitation
## Overview
This summary details adversary TTPs related to exploiting the new AWS EKS features: **EKS Access Entries and Policies** and **EKS Pod Identity**. These features simplify IAM identity authentication to EKS clusters and application authentication for accessing AWS resources. Adversaries can leverage compromised IAM identities to enumerate cluster access, escalate privileges within the cloud (IAM) and Kubernetes (RBAC), and potentially sniff credentials in Pod Identity interactions, facilitating lateral movement between the cloud and the cluster.
## Technical Details
- Type: Technique (Exploitation of newly introduced cloud service features)
- Platform: AWS EKS (Kubernetes on AWS)
- Capabilities: Enumeration of cluster access, privilege escalation (IAM/RBAC), credential sniffing via Pod Identity Agent interaction.
- First Seen: Post-release of EKS Access Entries and Pod Identity features (Specific date not provided in the text, but tied to AWS EKS updates).
## MITRE ATT&CK Mapping
This analysis covers multiple post-exploitation and defense evasion tactics:
- **TA0001 - Initial Access** (If the initial compromise was an existing cloud identity)
- **TA0003 - Persistence** (If an attacker maintains access via a newly created Access Entry)
- **TA0004 - Privilege Escalation**
  - T1078.004 - Valid Accounts: Cloud Accounts
  - T1548.002 - Bypass User Account Control: Accomplish via Elevated or Malicious Software (Implicit via gaining higher RBAC/IAM role)
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal on Host (Implicit, aiming to hide activity)
- **TA0007 - Discovery**
  - T1087.004 - Account Discovery: Cloud Accounts
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services (Implicitly moving access from cloud identity to cluster resources)
## Functionality
### Core Capabilities
1. **Cluster and Policy Enumeration (Post-Compromise):** Using compromised IAM identities, attackers can query metadata about reachable EKS clusters and the Kubernetes permissions assigned to their principal ARN via EKS Access Policies.
   * API calls used: `sts:GetCallerIdentity`, `eks:ListClusters`, `eks:DescribeAccessEntry`, `eks:ListAssociatedAccessPolicies`, `eks:DescribeCluster`.
2. **Privilege Escalation (IAM Level):** An attacker controlling an IAM principal possessing `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy` can grant themselves high-privileged cluster access (e.g., mapping to `cluster-admin`) in any accessible cluster.
### Advanced Features
1. **Kubernetes RBAC Escalation:** Leveraging knowledge of default policy mappings (`AmazonEKSClusterAdminPolicy` -> `cluster-admin`, etc.) to determine effective permissions or chaining access policies to gain higher RBAC roles within the cluster.
2. **Pod Identity Credential Sniffing:** In configurations utilizing **EKS Pod Identity**, an attacker who compromises a pod can monitor network traffic to the **Pod Identity Agent** (IP `169.254.170.23`). By capturing traffic (e.g., using `tcpdump`), they can observe the compromised pod's JWT token being exchanged for plaintext IAM credentials (AccessKeyId, SecretAccessKey, Token). These retrieved credentials can then be used to execute cloud actions as the associated IAM role.
## Indicators of Compromise
- File Hashes: N/A (Focus is on API usage and behavior)
- File Names: `output.cap` (Example capture file name from network analysis)
- Registry Keys: N/A
- Network Indicators:
  - **Pod Identity Agent Endpoint:** `169.254.170.23` (Internal IP used by the agent inside the host network)
  - **Example Pod IP:** `172.31.15.77` (Source of credential sniffing attempt)
- Behavioral Indicators:
  - Excessive use of AWS EKS metadata APIs (`DescribeAccessEntry`, `ListAssociatedAccessPolicies`) originating from a compromised IAM identity.
  - Network traffic originating from a pod directed at the metadata service IP `169.254.170.23` containing HTTP GET requests with JWT tokens in the authorization header.
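The network indicator above is easiest to operationalize as an allowlist check over flow records: any accepted flow to `169.254.170.23` from a pod that has no Pod Identity association is suspicious. The following script is an added defender-side example, not code from the report. It assumes flow records in the VPC Flow Logs default (version 2) field order; because the agent listens on a link-local address on each node's host network, whether pod-to-agent traffic appears in a given log source depends on where the logs are collected (node- or CNI-level flow logs are the usual source). The sample records and the allowlist are constructed.

```python
"""Flag accepted flows to the EKS Pod Identity Agent address from pods that
are not expected to use it.

Added defender-side example (not from the report). Records are assumed to be
in the VPC Flow Logs default (version 2) field order; sample lines below are
constructed (account id and ENI id are placeholders).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

POD_IDENTITY_AGENT_IP = "169.254.170.23"  # agent endpoint named in the report

# Field order of a default (version 2) VPC flow log record.
FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]


@dataclass(frozen=True)
class AgentTrafficAlert:
    srcaddr: str
    dstport: int
    bytes: int
    start: int


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Split one flow record into named fields; None if malformed or not OK."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    record = dict(zip(FLOW_FIELDS, parts))
    if record["log_status"] != "OK":  # NODATA / SKIPDATA records carry no flow
        return None
    return record


def find_unexpected_agent_traffic(lines: Iterable[str],
                                  allowed_sources: Set[str]) -> List[AgentTrafficAlert]:
    """One alert per accepted flow to the agent from a non-allowlisted source.

    allowed_sources holds the IPs of pods whose service accounts have a
    Pod Identity association and are therefore expected to talk to the agent.
    """
    alerts: List[AgentTrafficAlert] = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dstaddr"] != POD_IDENTITY_AGENT_IP:
            continue
        if rec["action"] != "ACCEPT":  # rejected flows never reached the agent
            continue
        if rec["srcaddr"] in allowed_sources:
            continue
        alerts.append(AgentTrafficAlert(rec["srcaddr"], int(rec["dstport"]),
                                        int(rec["bytes"]), int(rec["start"])))
    return alerts


# Constructed sample records: one unexpected pod, one allowed pod, one
# unrelated flow, and one rejected attempt.
SAMPLE_FLOWS = [
    "2 123456789012 eni-0abc 172.31.15.77 169.254.170.23 51234 80 6 12 2480 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 172.31.20.5 169.254.170.23 41000 80 6 8 1900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 172.31.15.77 10.100.0.1 51235 443 6 20 5000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 172.31.15.77 169.254.170.23 51236 80 6 3 200 1700000000 1700000060 REJECT OK",
]
# Constructed allowlist: the one pod that legitimately uses Pod Identity.
ALLOWED_POD_IPS = {"172.31.20.5"}

if __name__ == "__main__":
    for alert in find_unexpected_agent_traffic(SAMPLE_FLOWS, ALLOWED_POD_IPS):
        print(f"unexpected Pod Identity Agent traffic from {alert.srcaddr} "
              f"-> port {alert.dstport}, {alert.bytes} bytes at {alert.start}")
```

The allowlist is best generated from the cluster's Pod Identity associations (service account to role mappings) joined with the current pod IPs, rather than maintained by hand. Note the limit of a flow-based check: a compromised pod that itself holds an association produces only expected flows, so this detects pods reaching the agent that have no business doing so, and should be paired with the network segmentation and least-privilege controls listed under mitigations.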
## Associated Threat Actors
- General Adversaries attempting Cloud to Cluster Lateral Movement (The techniques are based on novel cloud features, suggesting targeted attacks against organizations using new EKS deployments).
## Detection Methods
- Signature-based detection: Not directly applicable to API calls unless specific unusual sequences are monitored.
- Behavioral detection: Monitoring AWS CloudTrail for unusual sequences of EKS enumeration APIs (`eks:ListClusters`, `eks:DescribeAccessEntry`) following an identity compromise. Monitoring network flow logs for internal traffic targeting the Pod Identity Agent IP (`169.254.170.23`) from unexpected pod sources.
- YARA rules: Not applicable for this framework exploitation summary.
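The CloudTrail side of the behavioral detection above can be expressed as two checks: an identity calling several distinct EKS enumeration APIs in a short window, and an `AssociateAccessPolicy` call that attaches `AmazonEKSClusterAdminPolicy`, with a flag when the target principal is the caller itself (the self-grant described under Core Capabilities). The script below is an added example written from the defender's side; it is not code from the report. It reads CloudTrail records as dicts in the shape of the `Records` array, assumes the cluster name is recorded in `requestParameters` as `name` (with `clusterName` as a fallback), and matches the access policy by its name suffix so the ARN prefix does not have to be assumed. The sample events, account id and ARNs are constructed placeholders.

```python
"""CloudTrail checks for EKS access-entry enumeration and cluster-admin grants.

Added defender-side example (not from the report). Sample records, account
id and ARNs below are constructed placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

ENUMERATION_APIS = {"ListClusters", "DescribeCluster",
                    "DescribeAccessEntry", "ListAssociatedAccessPolicies"}
CLUSTER_ADMIN_POLICY = "AmazonEKSClusterAdminPolicy"  # policy name from the report

# Assumed-role session ARN -> role ARN, so a session can be compared with an
# access-entry principal (access entries are keyed by the role ARN).
_SESSION_ARN = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+$")


@dataclass(frozen=True)
class EnumerationAlert:
    actor: str
    start: datetime
    apis: Tuple[str, ...]


@dataclass(frozen=True)
class AdminGrantAlert:
    actor: str
    cluster: str
    principal: str
    self_grant: bool


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize_principal(arn: str) -> str:
    m = _SESSION_ARN.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def _eks_events(events: Iterable[Dict]) -> List[Dict]:
    return [e for e in events if e.get("eventSource") == "eks.amazonaws.com"]


def enumeration_alerts(events: Iterable[Dict], window: timedelta = timedelta(minutes=10),
                       min_distinct: int = 3) -> List[EnumerationAlert]:
    """Alert once per identity that calls >= min_distinct enumeration APIs within window."""
    by_actor: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in _eks_events(events):
        if e["eventName"] in ENUMERATION_APIS:
            by_actor[e["userIdentity"]["arn"]].append((parse_time(e["eventTime"]), e["eventName"]))
    alerts = []
    for actor, calls in by_actor.items():
        calls.sort()
        for i, (t0, _) in enumerate(calls):
            names = {name for t, name in calls[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                alerts.append(EnumerationAlert(actor, t0, tuple(sorted(names))))
                break  # one alert per actor is enough
    return alerts


def admin_grant_alerts(events: Iterable[Dict]) -> List[AdminGrantAlert]:
    """Alert on every AssociateAccessPolicy that attaches the cluster-admin policy."""
    alerts = []
    for e in _eks_events(events):
        if e["eventName"] != "AssociateAccessPolicy":
            continue
        params = e.get("requestParameters") or {}
        if not str(params.get("policyArn", "")).endswith("/" + CLUSTER_ADMIN_POLICY):
            continue
        actor = e["userIdentity"]["arn"]
        principal = str(params.get("principalArn", ""))
        cluster = str(params.get("name") or params.get("clusterName") or "")
        alerts.append(AdminGrantAlert(actor, cluster, principal,
                                      normalize_principal(actor) == normalize_principal(principal)))
    return alerts


# Constructed sample trail: one identity enumerates, then grants itself
# cluster-admin; a second identity makes a single benign call.
_ACCT = "123456789012"
_ACTOR = f"arn:aws:sts::{_ACCT}:assumed-role/ci-deployer/session-1"
_ROLE = f"arn:aws:iam::{_ACCT}:role/ci-deployer"
_ADMIN_ARN = f"arn:aws:eks::aws:cluster-access-policy/{CLUSTER_ADMIN_POLICY}"  # assumed ARN form


def _ev(time: str, name: str, arn: str, params: Dict = None) -> Dict:
    return {"eventTime": time, "eventSource": "eks.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params or {}}


SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "ListClusters", _ACTOR),
    _ev("2024-05-01T10:00:20Z", "DescribeCluster", _ACTOR, {"name": "prod"}),
    _ev("2024-05-01T10:00:40Z", "DescribeAccessEntry", _ACTOR, {"name": "prod", "principalArn": _ROLE}),
    _ev("2024-05-01T10:01:00Z", "ListAssociatedAccessPolicies", _ACTOR, {"name": "prod", "principalArn": _ROLE}),
    _ev("2024-05-01T10:05:00Z", "CreateAccessEntry", _ACTOR, {"name": "prod", "principalArn": _ROLE}),
    _ev("2024-05-01T10:05:10Z", "AssociateAccessPolicy", _ACTOR,
        {"name": "prod", "principalArn": _ROLE, "policyArn": _ADMIN_ARN, "accessScope": {"type": "cluster"}}),
    _ev("2024-05-01T11:00:00Z", "DescribeCluster", f"arn:aws:iam::{_ACCT}:user/alice", {"name": "prod"}),
]

if __name__ == "__main__":
    for a in enumeration_alerts(SAMPLE_EVENTS):
        print(f"enumeration burst by {a.actor} starting {a.start}: {', '.join(a.apis)}")
    for g in admin_grant_alerts(SAMPLE_EVENTS):
        print(f"cluster-admin granted on {g.cluster} to {g.principal} by {g.actor} (self-grant={g.self_grant})")
```

The session-to-role normalization matters in practice: an attacker acting through an assumed-role session appears in CloudTrail under an `sts` session ARN, while the access entry they create is keyed by the underlying role ARN, so a naive string comparison misses the self-grant. Thresholds (window and `min_distinct`) should be tuned against the normal cadence of the organization's own tooling, which also enumerates clusters and access entries.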
## Mitigation Strategies
- **Principle of Least Privilege (PoLP):** Ensure that IAM identities (users/roles) used for EKS access only possess the bare minimum permissions required, severely limiting the scope of enumeration/escalation.
- **Restrict High-Privilege Policy Association:** Treat `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy` as extremely sensitive actions, limiting which principals can execute them.
- **Prefer IRSA over Pod Identity (Mitigation for Credential Sniffing):** While Pod Identity is newer, using the older **IAM Roles for Service Accounts (IRSA)** mechanism prevents the plaintext exchange of JWT for static credentials via the network agent, as IRSA uses `sts:AssumeRoleWithWebIdentity` directly, mitigating the sniffing vector detailed.
- **Network Segmentation:** Strictly control network flow within the cluster nodes to limit pod-to-pod or pod-to-host-internal-services communication, making it harder to reach the Pod Identity Agent endpoint.
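The IAM-level escalation under Core Capabilities and the first two mitigations above come down to one question per principal: does its effective policy allow both `eks:CreateAccessEntry` and `eks:AssociateAccessPolicy`? The audit below is an added example written for this summary, not code from the report. It evaluates the Allow and Deny statements of the policy documents attached to a principal, including wildcard actions such as `eks:*` and `*`, and reports whether the sensitive pair is effectively granted. Resource and Condition elements are not evaluated and `NotAction` statements are ignored (a coarse first pass, stated as an assumption); the three policy documents are constructed.

```python
"""Audit IAM policy documents for the eks:CreateAccessEntry +
eks:AssociateAccessPolicy pair the report treats as highly sensitive.

Added defender-side example (not from the report). Resource/Condition are
not evaluated and NotAction is ignored; policy documents are constructed.
"""
import fnmatch
from typing import Dict, Iterable, List, Set, Union

SENSITIVE_PAIR = ("eks:CreateAccessEntry", "eks:AssociateAccessPolicy")
ENUMERATION_ACTIONS = ("eks:ListClusters", "eks:DescribeCluster",
                       "eks:DescribeAccessEntry", "eks:ListAssociatedAccessPolicies")


def _as_list(value: Union[str, List, Dict, None]) -> List:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(policies: Iterable[Dict], candidates: Iterable[str]) -> Set[str]:
    """Candidates allowed by some statement and not denied by any (Deny wins)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            patterns = [str(p) for p in _as_list(stmt.get("Action"))]
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.update(a for a in candidates if any(_matches(p, a) for p in patterns))
    return allowed - denied


def can_self_grant_cluster_admin(policies: Iterable[Dict]) -> bool:
    """True when both actions needed to mint a cluster-admin access entry are allowed."""
    return set(SENSITIVE_PAIR) <= effective_actions(policies, SENSITIVE_PAIR)


def audit(policies: List[Dict]) -> Dict[str, object]:
    return {
        "sensitive": sorted(effective_actions(policies, SENSITIVE_PAIR)),
        "enumeration": sorted(effective_actions(policies, ENUMERATION_ACTIONS)),
        "can_self_grant_cluster_admin": can_self_grant_cluster_admin(policies),
    }


# Constructed: a broad policy of the kind often found on CI/automation roles.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "eks:*", "Resource": "*"}]}

# Constructed: a least-privilege read policy for a job that only needs cluster lookup.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:ListClusters"], "Resource": "*"}]}

# Constructed: an explicit-Deny guardrail that neutralizes the pair even when a
# broad policy is attached (usable as an extra identity policy or in an SCP).
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": list(SENSITIVE_PAIR), "Resource": "*"}]}

if __name__ == "__main__":
    for label, docs in [("broad", [BROAD_POLICY]), ("scoped", [SCOPED_POLICY]),
                        ("broad+guardrail", [BROAD_POLICY, GUARDRAIL_POLICY])]:
        print(label, audit(docs))
```

Run against the policy documents returned for each principal (inline and attached managed policies), this turns the "treat as extremely sensitive" guidance into a concrete list of principals to review. The guardrail policy shows the cheapest fix where broad `eks:*` grants cannot be removed immediately: an explicit Deny on the pair wins over any Allow.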
## Related Tools/Techniques
- **IRSA (IAM Roles for Service Accounts):** The alternative approach that offers better security against the Pod Identity sniffing vector.
- **`sts:AssumeRoleWithWebIdentity`:** The API call leveraged by IRSA.
- **Kubernetes RBAC:** The underlying authorization mechanism being manipulated.