EKS Authentication Configuration Modified

Last updated: 2026-05-06
Created: 2026-05-06

About

Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, so an attacker who can modify it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique: it survives pod restarts, node replacements, and RBAC changes because the authentication mapping lives outside the normal Kubernetes Role and RoleBinding objects. Modifications to aws-auth are rare in normal operations; the ConfigMap is typically populated during cluster provisioning and updated only during node group or access configuration changes.
Tags
Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Privilege Escalation (TA0004)

False Positive Examples
Legitimate node group lifecycle, cluster upgrades, or infrastructure-as-code (Terraform, CloudFormation, eksctl) may update aws-auth during expected change windows. Baseline automation identities and expand exclusions beyond eks:kms-storage-migrator if your environment uses additional known controllers.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes

Query
data_stream.dataset:"kubernetes.audit_logs" and
kubernetes.audit.objectRef.resource:"configmaps" and
kubernetes.audit.objectRef.name:"aws-auth" and
kubernetes.audit.verb:("update" or "patch" or "delete") and
kubernetes.audit.objectRef.namespace:"kube-system" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:"eks:kms-storage-migrator"
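To make the rule's behaviour concrete, here is the same predicate implemented in Python and run over a handful of constructed Kubernetes audit events. This is an added example, not code from Elastic or from the rule itself: the events are fabricated for illustration (the IAM account ID, role names and user names are placeholders), and the grants_system_masters() helper is a triage enrichment that goes beyond the rule by inspecting the request body for a system:masters mapping, which is only available when the audit policy records the RequestResponse level for ConfigMaps.

```python
# Added example: mirror of the KQL rule above plus a triage helper.
# Events are constructed samples in the flattened field layout the rule queries.

MUTATING_VERBS = {"update", "patch", "delete"}
EXCLUDED_USERS = {"eks:kms-storage-migrator"}  # extend with your own automation identities

# Constructed mapRoles payloads (placeholder ARNs, not real accounts).
ATTACKER_MAP_ROLES = (
    "- rolearn: arn:aws:iam::123456789012:role/attacker-role\n"
    "  username: attacker\n"
    "  groups:\n"
    "    - system:masters\n"
)
NODE_MAP_ROLES = (
    "- rolearn: arn:aws:iam::123456789012:role/eks-node-role\n"
    "  username: system:node:{{EC2PrivateDNSName}}\n"
    "  groups:\n"
    "    - system:bootstrappers\n"
    "    - system:nodes\n"
)

def _event(verb, user, namespace="kube-system", decision="allow", map_roles=None):
    """Build one constructed audit event; only the fields the rule reads plus requestObject."""
    ev = {
        "data_stream.dataset": "kubernetes.audit_logs",
        "kubernetes.audit.verb": verb,
        "kubernetes.audit.objectRef.resource": "configmaps",
        "kubernetes.audit.objectRef.name": "aws-auth",
        "kubernetes.audit.objectRef.namespace": namespace,
        "kubernetes.audit.annotations.authorization_k8s_io/decision": decision,
        "user.name": user,
    }
    if map_roles is not None:
        ev["kubernetes.audit.requestObject"] = {"data": {"mapRoles": map_roles}}
    return ev

SAMPLE_EVENTS = [
    _event("patch", "kubernetes-admin", map_roles=ATTACKER_MAP_ROLES),      # should alert
    _event("update", "eks:kms-storage-migrator"),                            # excluded identity
    _event("get", "kubernetes-admin"),                                       # read, not a mutation
    _event("patch", "kubernetes-admin", decision="forbid"),                  # denied by RBAC
    _event("update", "kubernetes-admin", namespace="default"),               # wrong namespace
    _event("update", "terraform-ci", map_roles=NODE_MAP_ROLES),              # alerts; node-group change
]

def matches_rule(event):
    """True when the event satisfies the KQL predicate of the rule.
    As in KQL, `not user.name:"..."` is true when user.name is absent."""
    return (
        event.get("data_stream.dataset") == "kubernetes.audit_logs"
        and event.get("kubernetes.audit.objectRef.resource") == "configmaps"
        and event.get("kubernetes.audit.objectRef.name") == "aws-auth"
        and event.get("kubernetes.audit.verb") in MUTATING_VERBS
        and event.get("kubernetes.audit.objectRef.namespace") == "kube-system"
        and event.get("kubernetes.audit.annotations.authorization_k8s_io/decision") == "allow"
        and event.get("user.name") not in EXCLUDED_USERS
    )

def grants_system_masters(event):
    """Triage enrichment beyond the rule (assumption: RequestResponse audit level).
    Substring check over mapRoles/mapUsers; a production version should parse the YAML."""
    data = (event.get("kubernetes.audit.requestObject") or {}).get("data") or {}
    return any("system:masters" in (data.get(key) or "") for key in ("mapRoles", "mapUsers"))

def run_rule(events):
    """Evaluate the rule over a list of events and return one alert record per match."""
    return [
        {
            "user": ev.get("user.name"),
            "verb": ev.get("kubernetes.audit.verb"),
            "system_masters": grants_system_masters(ev),
        }
        for ev in events
        if matches_rule(ev)
    ]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        flag = "cluster-admin mapping" if alert["system_masters"] else "review change"
        print(f"{alert['verb']:>6} by {alert['user']}: {flag}")
```

Of the six constructed events only two match: the admin patch that maps an IAM role to system:masters and the Terraform node-group update. The enrichment separates them for triage; it does not change what the rule alerts on, which is the point of the false-positive note above.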

Install detection rules in Elastic Security

Detect EKS Authentication Configuration Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.