Kubernetes AWS detect sensitive role access

Name:Kubernetes AWS detect sensitive role access
id:b6013a7b-85e0-4a45-b051-10b252d69569
version:5
date:2024-11-14
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets
Data_source:

search:`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1
| table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason
| dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`

how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.
known_false_positives:Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Role Activity'
  asset_type:AWS EKS Kubernetes cluster
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:threat

tests:
  :
manual_test:None