Elastic Security Detection Rules

AWS EKS Access Entry Granted Cluster Admin Policy

Last updated 9 days ago on 2026-05-06
Created 9 days ago on 2026-05-06

About

Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS Access Entries API. This grants full cluster-admin equivalent access to the specified IAM user or role. Unlike the legacy aws-auth ConfigMap which is only visible in Kubernetes audit logs, Access Entries modifications appear in CloudTrail, providing an additional detection surface. Attackers who have obtained IAM permissions to manage EKS access entries can use this API to backdoor cluster access for persistence, mapping attacker-controlled IAM identities to cluster-admin privileges without modifying any Kubernetes resources.
Tags
Domain: CloudDomain: KubernetesData Source: AWSData Source: Amazon Web ServicesData Source: AWS CloudTrailUse Case: Threat DetectionTactic: Privilege EscalationTactic: PersistenceLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

False Positive Examples
Platform or security teams may legitimately associate these policies during cluster onboarding, break-glass admin setup, or controlled RBAC migrations from aws-auth. Validate the caller, change ticket, and target IAM principal.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"AssociateAccessPolicy" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:(*AmazonEKSClusterAdminPolicy* or *AmazonEKSAdminPolicy*)

Install detection rules in Elastic Security

Detect AWS EKS Access Entry Granted Cluster Admin Policy in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).