EKS Authentication Configuration Modified

Status: production
Severity: high
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098.006` Account Manipulation: Additional Container Cluster Roles
Privilege Escalation	`T1098.006` Account Manipulation: Additional Container Cluster Roles

Event coverage

Provider	Event	Title
Kubernetes-configmaps	update-configmaps	update configmaps
Kubernetes-configmaps	patch-configmaps	patch configmaps
Kubernetes-configmaps	delete-configmaps	delete configmaps

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Kubernetes CoreDNS or Kube-DNS Configuration Modified (Elastic)
Kubernetes Secret or ConfigMap Access via Azure Arc Proxy (Elastic)

Rule body elastic

[metadata]
creation_date = "2026/05/06"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/06"

[rule]
author = ["Elastic"]
description = """
Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and
users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a
mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node
replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects.
Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and
updated only during node group or access configuration changes.
"""
false_positives = [
    """
    Legitimate node group lifecycle, cluster upgrades, or infrastructure-as-code (Terraform, CloudFormation, eksctl) may
    update aws-auth during expected change windows. Baseline automation identities and expand exclusions beyond
    eks:kms-storage-migrator if your environment uses additional known controllers.
    """,
]
from = "now-9m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "EKS Authentication Configuration Modified"
note = """## Triage and analysis

### Investigating EKS Authentication Configuration Modified

Confirm who changed the mapping (user.name, groups, source.ip, user_agent.original) and whether the change aligns with
approved cluster or node-group operations. Compare the new aws-auth mapRoles/mapUsers content to the prior revision if
request/response capture is available in audit.

### Possible investigation steps

- Identify any new IAM role ARNs or users bound to system:masters or other privileged Kubernetes groups.
- Correlate the timestamp with AWS CloudTrail for related EKS or IAM API activity and with GitOps or pipeline commits.
- Review subsequent API activity from newly mapped IAM principals for secret access, RBAC changes, or workload deployment.
- If Access Entries are enabled, also review CloudTrail for eks:CreateAccessEntry, eks:AssociateAccessPolicy, and similar
  API calls around the same window.

### Response and remediation

- If unauthorized, revert aws-auth from a known-good backup, remove rogue map entries, and rotate or restrict IAM that
  could have performed the change.
- Audit IAM policies that allow eks:UpdateClusterConfig or broad ConfigMap write access to kube-system.
- Escalate per incident policy when system:masters mappings appear from unexpected IAM identities.
"""
references = [
    "https://docs.aws.amazon.com/eks/latest/userguide/auth-configmap.html",
    "https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html"
]
risk_score = 73
rule_id = "5202697c-313b-4bf0-9029-73fe78cd4b6d"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.objectRef.resource:"configmaps" and 
kubernetes.audit.objectRef.name:"aws-auth" and 
kubernetes.audit.verb:("update" or "patch" or "delete") and 
kubernetes.audit.objectRef.namespace:"kube-system" and 
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:"eks:kms-storage-migrator"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.006"
name = "Additional Container Cluster Roles"
reference = "https://attack.mitre.org/techniques/T1098/006/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

Stages and Predicates

Stage 1: `query`

data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.objectRef.resource:"configmaps" and 
kubernetes.audit.objectRef.name:"aws-auth" and 
kubernetes.audit.verb:("update" or "patch" or "delete") and 
kubernetes.audit.objectRef.namespace:"kube-system" and 
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:"eks:kms-storage-migrator"

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`user.name`	eq	`eks:kms-storage-migrator`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data_stream.dataset`	eq	`kubernetes.audit_logs`
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`
`kubernetes.audit.objectRef.name`	eq	`aws-auth`
`kubernetes.audit.objectRef.namespace`	eq	`kube-system`
`kubernetes.audit.objectRef.resource`	eq	`configmaps`
`kubernetes.audit.verb`	in	`delete` `patch` `update`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

EKS Authentication Configuration Modified

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `query`

Exclusions

Indicators

Keyboard shortcuts

Search operators

EKS Authentication Configuration Modified

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: query

Exclusions

Indicators

Stage 1: `query`