Amazon Elastic Kubernetes Service AWS-eks

9 operations, identified by eventName in the audit log.

eventName	Description
_catch_all	Catch-all entry for AWS-eks rules that match the service but not a specific eventName.
AssociateAccessPolicy	Associates an access policy with an EKS access entry, granting the specified Kubernetes permissions scoped to a cluster or namespace.
CreateAccessEntry	Creates an access entry that maps an IAM principal to Kubernetes permissions within an EKS cluster.
CreateCluster	Creates a new Amazon EKS Kubernetes control plane cluster with the specified configuration.
DeleteAccessEntry	Deletes an access entry, removing the associated IAM principal's Kubernetes access to the cluster.
DeleteCluster	Deletes an Amazon EKS cluster and its associated control plane resources.
DisassociateAccessPolicy	Removes a previously associated access policy from an EKS access entry, revoking the corresponding Kubernetes permissions.
UpdateAccessEntry	Updates the Kubernetes groups or username associated with an existing EKS access entry.
UpdateClusterConfig	Updates the configuration of an existing EKS cluster, such as endpoint access settings, logging, or authentication mode.

_catch_all: AWS-eks (catch-all)

Service: AWS-eks

Description

Catch-all entry for AWS-eks rules that match the service but not a specific eventName.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

AssociateAccessPolicy

Service: AWS-eks

Description

Associates an access policy with an EKS access entry, granting the specified Kubernetes permissions scoped to a cluster or namespace.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`eks.amazonaws.com`	2 rules	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EKS Access Entry Modified source medium: Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.↳ also matches CreateAccessEntry, DeleteAccessEntry, DisassociateAccessPolicy, UpdateAccessEntry
AWS EKS Access Entry Granted Cluster Admin Policy source high: Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS Access Entries API. This grants full cluster-admin equivalent access to the specified IAM user or role. Unlike the legacy aws-auth ConfigMap which is only visible in Kubernetes audit logs, Access Entries modifications appear in CloudTrail, providing an additional detection surface. Attackers who have obtained IAM permissions to manage EKS access entries can use this API to backdoor cluster access for persistence, mapping attacker-controlled IAM identities to cluster-admin privileges without modifying any Kubernetes resources.

CreateAccessEntry

Service: AWS-eks

Description

Creates an access entry that maps an IAM principal to Kubernetes permissions within an EKS cluster.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`eks.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EKS Access Entry Modified source medium: Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.↳ also matches AssociateAccessPolicy, DeleteAccessEntry, DisassociateAccessPolicy, UpdateAccessEntry

CreateCluster

Service: AWS-eks

Description

Creates a new Amazon EKS Kubernetes control plane cluster with the specified configuration.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

AWS EKS Cluster Created or Deleted source low: Identifies when an EKS cluster is created or deleted.↳ also matches DeleteCluster

DeleteAccessEntry

Service: AWS-eks

Description

Deletes an access entry, removing the associated IAM principal's Kubernetes access to the cluster.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`eks.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EKS Access Entry Modified source medium: Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.↳ also matches AssociateAccessPolicy, CreateAccessEntry, DisassociateAccessPolicy, UpdateAccessEntry

DeleteCluster

Service: AWS-eks

Description

Deletes an Amazon EKS cluster and its associated control plane resources.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

AWS EKS Cluster Created or Deleted source low: Identifies when an EKS cluster is created or deleted.↳ also matches CreateCluster

DisassociateAccessPolicy

Service: AWS-eks

Description

Removes a previously associated access policy from an EKS access entry, revoking the corresponding Kubernetes permissions.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`eks.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EKS Access Entry Modified source medium: Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.↳ also matches AssociateAccessPolicy, CreateAccessEntry, DeleteAccessEntry, UpdateAccessEntry

UpdateAccessEntry

Service: AWS-eks

Description

Updates the Kubernetes groups or username associated with an existing EKS access entry.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`eks.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EKS Access Entry Modified source medium: Detects successful Amazon EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. Changes to access entries alter who can authenticate to Kubernetes and what Kubernetes-level permissions they receive, without requiring edits to in-cluster RBAC objects. Unexpected callers or timing may indicate persistence or privilege abuse. Common automation identities (service-linked roles, eksctl, Terraform, CloudFormation role patterns) are excluded to reduce noise; tune further for your deployment pipelines.↳ also matches AssociateAccessPolicy, CreateAccessEntry, DeleteAccessEntry, DisassociateAccessPolicy

UpdateClusterConfig

Service: AWS-eks

Description

Updates the configuration of an existing EKS cluster, such as endpoint access settings, logging, or authentication mode.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`eks.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EKS Control Plane Logging Disabled source medium: Detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging. Disabling EKS API server and control plane logs can reduce visibility into cluster activity and may indicate defense evasion following compromised AWS credentials or unauthorized administrative access. EKS control plane logging changes are typically rare and should align with approved maintenance or cost optimization workflows.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)