AWS EKS Access Entry Modified

Last updated: 2026-05-06
Created: 2026-05-06

About

Detects successful Amazon EKS Access Entries API operations that create, update, or delete access entries, or associate and disassociate access policies, i.e. the authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines. Note that the exclusions are unanchored substring matches on the caller ARN, so any principal whose role or user name merely contains one of those strings (for example, an attacker-created role named to look like a Terraform runner) is excluded as well; where that matters, narrow the patterns to the account and role path of the automation you actually run.
Tags
Domain: Cloud
Domain: Kubernetes
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Privilege Escalation (TA0004)

False Positive Examples
Cluster provisioning, GitOps, or approved platform automation may perform these APIs under IAM principals whose ARNs do not match the exclusion patterns. Baseline expected roles and expand exclusions if needed.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:("CreateAccessEntry" or "AssociateAccessPolicy" or "UpdateAccessEntry" or "DisassociateAccessPolicy" or "DeleteAccessEntry") and
event.outcome:"success" and
not aws.cloudtrail.user_identity.arn:(*AWSServiceRoleForAmazonEKS* or *eksctl* or *terraform* or *AWSCloudFormation*)
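The following is an added example, not part of Elastic's rule content: it re-implements the query's field tests in Python and runs them over a handful of constructed ECS-shaped CloudTrail documents, so you can see which events alert and why. It also shows the effect of the substring exclusions by contrasting them with exclusions anchored to a specific account and role path. Every ARN, account ID, session name and event ID below is invented for the illustration.

```python
"""Python mirror of the 'AWS EKS Access Entry Modified' KQL rule logic.

Added example, not Elastic's code. The documents are constructed to look like
the ECS-mapped CloudTrail fields the rule queries; all ARNs are hypothetical.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]

# Values copied from the rule query.
EKS_ACTIONS = {
    "CreateAccessEntry",
    "AssociateAccessPolicy",
    "UpdateAccessEntry",
    "DisassociateAccessPolicy",
    "DeleteAccessEntry",
}

# Exclusions exactly as the rule writes them: wildcards on both sides.
ARN_SUBSTRING_EXCLUSIONS = [
    "*AWSServiceRoleForAmazonEKS*",
    "*eksctl*",
    "*terraform*",
    "*AWSCloudFormation*",
]

# Tighter alternative (hypothetical ARNs): anchor each pattern to the account
# and role path of the automation that is actually expected to call EKS.
ARN_ANCHORED_EXCLUSIONS = [
    "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAmazonEKS/*",
    "arn:aws:sts::123456789012:assumed-role/terraform-eks-deployer/*",
]


def excluded_by_substring(arn: str) -> bool:
    """Mirror `not aws.cloudtrail.user_identity.arn:(*a* or *b* ...)`.

    Matching is assumed case-sensitive, as for a keyword-mapped field.
    """
    return any(fnmatchcase(arn, pat) for pat in ARN_SUBSTRING_EXCLUSIONS)


def excluded_by_anchored(arn: str) -> bool:
    """Same exclusion idea, but only for the exact account and role path."""
    return any(fnmatchcase(arn, pat) for pat in ARN_ANCHORED_EXCLUSIONS)


def matches_rule(event: Event, excluded: Callable[[str], bool]) -> bool:
    """Return True when the document would raise an alert under the rule."""
    return (
        event.get("data_stream.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "eks.amazonaws.com"
        and event.get("event.action") in EKS_ACTIONS
        and event.get("event.outcome") == "success"
        and not excluded(event.get("aws.cloudtrail.user_identity.arn", ""))
    )


def run(events: Iterable[Event], excluded: Callable[[str], bool]) -> List[str]:
    """Return the event.id of every document that matches the rule."""
    return [e["event.id"] for e in events if matches_rule(e, excluded)]


def _doc(event_id: str, action: str, arn: str, outcome: str = "success") -> Event:
    return {
        "event.id": event_id,
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": "eks.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": arn,
    }


# Constructed sample documents (not real CloudTrail data).
ALICE = "arn:aws:iam::123456789012:user/alice"
TF_RUNNER = "arn:aws:sts::123456789012:assumed-role/terraform-eks-deployer/tfc-run-42"
LOOKALIKE = "arn:aws:sts::123456789012:assumed-role/terraform-helper/session"

SAMPLE_EVENTS = [
    _doc("evt-1", "CreateAccessEntry", ALICE),              # human caller
    _doc("evt-2", "AssociateAccessPolicy", TF_RUNNER),       # expected pipeline role
    _doc("evt-3", "CreateAccessEntry", LOOKALIKE),           # name merely contains "terraform"
    _doc("evt-4", "DeleteAccessEntry", ALICE, "failure"),    # denied call, not success
    _doc("evt-5", "DescribeAccessEntry", ALICE),             # read-only, not in the action list
]

if __name__ == "__main__":
    print("substring exclusions:", run(SAMPLE_EVENTS, excluded_by_substring))
    print("anchored exclusions: ", run(SAMPLE_EVENTS, excluded_by_anchored))
```

With the rule's own substring exclusions only `evt-1` alerts: `evt-3` is suppressed purely because its role name contains `terraform`. With the anchored patterns both `evt-1` and `evt-3` alert while the real pipeline role stays excluded, which is the trade-off to weigh when tuning the `not aws.cloudtrail.user_identity.arn:(...)` clause for your environment.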

Install detection rules in Elastic Security

Detect AWS EKS Access Entry Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.