How to know from which Pod DNS request is originated?

0

I am using AWS GuardDuty and EKS. Recently I got a couple of alerts from AWS GuardDuty for DefenseEvasion:EC2/UnusualDNSResolver saying that one of the EKS nodes is connecting to 1.1.1.1. When I checked the running pods on the node, I couldn't find any suspicious pods.

Is there a way to identify exactly which pod or which process is making the request to the public DNS server?

1 answer
4

Because the data source of the GuardDuty finding DefenseEvasion:EC2/UnusualDNSResolver is VPC flow logs [1], you can first collect the VPC flow logs into S3 [2] to trace the events (they are not collected by default). The query tool for VPC flow logs could be Athena [3] (using SQL); then figure out which source IP address(es) of the EC2 instance and Pod established connections to 1.1.1.1, and when [4].

[1] https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver
[2] https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html
[3] https://aws.amazon.com/blogs/networking-and-content-delivery/analyze-vpc-flow-logs-with-point-and-click-amazon-athena-integration/
[4] https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-flow-logs-to-capture-and-query-eks-network-communications/

AWS
Answered 1 year ago
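The procedure in the answer above (pull the flow-log records for connections to 1.1.1.1 on port 53, then map the source addresses back to pods) as an added example; this is not code from the answer, from AWS, or from the referenced blog posts. It assumes the default VPC Flow Log record format (the 14 version-2 fields) and a pod/node inventory of the kind `kubectl get pods -A -o wide` and `kubectl get nodes -o wide` print. Every log line, account ID, ENI ID, IP address and pod name below is constructed.

```python
"""Attribute VPC Flow Log records for DNS traffic to 1.1.1.1 back to EKS pods.

Added example (not the answer's or AWS's code). Assumes the default VPC Flow
Log record format (version 2 fields). All sample data below is constructed.
"""
from dataclasses import dataclass

# Field order of the default VPC Flow Log record format (version 2).
FLOW_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log-status").split()

SUSPECT_RESOLVER = "1.1.1.1"
UDP, TCP = "17", "6"          # IANA protocol numbers as they appear in flow logs

# Constructed flow-log excerpt: one pod talks to 1.1.1.1:53, one node-IP source
# talks to 1.1.1.1:53 over TCP, one pod talks to 1.1.1.1:443 (not DNS), plus a
# NODATA record that carries no addresses. Account and ENI IDs are placeholders.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.57 1.1.1.1 41234 53 17 2 160 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.57 10.0.0.10 41235 53 17 4 320 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 1.1.1.1 50001 53 6 6 480 1700000120 1700000179 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 1.1.1.1 50002 53 6 3 240 1700000180 1700000239 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.99 1.1.1.1 44444 443 6 10 900 1700000200 1700000259 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000240 1700000299 - NODATA
"""

# Constructed inventory, as you would build it from `kubectl get pods -A -o wide`
# (pod IP -> namespace/pod) and `kubectl get nodes -o wide` (node IP -> node name).
POD_BY_IP = {
    "10.0.1.57": "default/shell-utility-7c9f8",
    "10.0.1.99": "kube-system/aws-node-xk2p4",
}
NODE_BY_IP = {"10.0.1.12": "ip-10-0-1-12.ec2.internal"}


@dataclass(frozen=True)
class Flow:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: str
    start: int
    packets: int
    action: str


def parse_flow_log(text):
    """Parse default-format flow log lines; skip headers and NODATA/SKIPDATA records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "version" or len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA records have no addresses to attribute
        flows.append(Flow(rec["interface-id"], rec["srcaddr"], rec["dstaddr"],
                          int(rec["dstport"]), rec["protocol"], int(rec["start"]),
                          int(rec["packets"]), rec["action"]))
    return flows


def dns_flows_to(flows, resolver=SUSPECT_RESOLVER):
    """Keep only DNS (UDP/TCP port 53) flows whose destination is the flagged resolver."""
    return [f for f in flows
            if f.dstaddr == resolver and f.dstport == 53 and f.protocol in (UDP, TCP)]


def attribute_sources(flows, pod_by_ip, node_by_ip):
    """Aggregate flows per source IP and label each source as a pod, a node, or unknown."""
    summary = {}
    for f in flows:
        if f.srcaddr in pod_by_ip:
            who = "pod " + pod_by_ip[f.srcaddr]
        elif f.srcaddr in node_by_ip:
            # A node primary IP means a host process, a hostNetwork pod, or a pod
            # whose egress was SNAT'd by the CNI; flow logs alone cannot tell these apart.
            who = "node " + node_by_ip[f.srcaddr] + " (host process or SNAT'd pod)"
        else:
            who = "unknown (IP not in inventory; pod may have been rescheduled)"
        entry = summary.setdefault(
            f.srcaddr, {"who": who, "packets": 0, "first_seen": f.start, "enis": set()})
        entry["packets"] += f.packets
        entry["first_seen"] = min(entry["first_seen"], f.start)
        entry["enis"].add(f.interface_id)
    return summary


if __name__ == "__main__":
    report = attribute_sources(dns_flows_to(parse_flow_log(SAMPLE_FLOW_LOG)),
                               POD_BY_IP, NODE_BY_IP)
    for src, e in sorted(report.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{src:<12} first_seen={e['first_seen']} packets={e['packets']:<4} "
              f"enis={','.join(sorted(e['enis']))}  -> {e['who']}")
```

In Athena the same filter is the `WHERE dstaddr = '1.1.1.1' AND dstport = 53` clause grouped by `srcaddr` (table name and column types depend on how you created the flow-log table). Two caveats matter for the attribution step: the pod-IP-to-pod mapping is only valid for the time window of the flows, so snapshot it as soon as the finding arrives (pod IPs are reused after rescheduling); and with the Amazon VPC CNI's default SNAT setting, pod traffic leaving the VPC is translated to the node's primary IP before it reaches the ENI, so the flow log may show the node IP rather than the pod IP, which is exactly why GuardDuty attributed the finding to the node. In that case you need on-node evidence (for example `conntrack` or a packet capture on the node) to tie the connection to a pod.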
