
Guard Duty detecting malicious caller ip to EKS cluster via /version

0

Hi Everyone,

I work for a bank, and a few days ago I started getting alerts in GuardDuty that malicious callers are calling /version from the US and Amsterdam.

Message is "A Kubernetes API commonly used in Discovery Tactics was invoked on cluster XXXX from a known malicious IP ...."

The thing is, the EKS cluster has been within a private VPC for at least 5 years, and I can only access it through a bastion within the bank. We had never seen such a message before until a few days ago.

Does anyone have any ideas? If GuardDuty is capturing IPs from the US and Amsterdam, does it mean that somehow someone is accessing the EKS cluster directly from the internet?

Regards, CK

  • please accept the answer if it was useful

3 Answers
1

Ensure that the "Private access" option is enabled. This means the Kubernetes API endpoint is accessible only within your VPC.

EXPERT
answered 2 years ago
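A way to verify what this answer recommends, as an added example that is not part of the original thread: the function below takes the `cluster` document returned by `aws eks describe-cluster` (or boto3's `describe_cluster()["cluster"]`) and reports whether the Kubernetes API endpoint is reachable from the internet. The two sample documents are constructed, with placeholder cluster names and endpoint hostnames; the field names under `resourcesVpcConfig` are the real EKS API fields.

```python
"""Assess EKS API endpoint exposure from a describe-cluster response.

Added example, not from the original thread. Input is the ``cluster``
document from ``aws eks describe-cluster``; sample documents are constructed.
"""
from typing import Dict, List

# Constructed sample: a cluster whose public endpoint was left wide open.
SAMPLE_CLUSTER_PUBLIC: Dict = {
    "name": "example-cluster",  # placeholder
    "endpoint": "https://EXAMPLE.gr7.eu-west-1.eks.amazonaws.com",  # placeholder
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
}

# Constructed sample: the private-only configuration the answer asks for.
SAMPLE_CLUSTER_PRIVATE: Dict = {
    "name": "example-cluster",  # placeholder
    "endpoint": "https://EXAMPLE.gr7.eu-west-1.eks.amazonaws.com",  # placeholder
    "resourcesVpcConfig": {
        "endpointPublicAccess": False,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"],  # irrelevant once public access is off
    },
}


def assess_endpoint(cluster: Dict) -> List[str]:
    """Return human-readable findings about the API endpoint's reachability."""
    vpc = cluster.get("resourcesVpcConfig", {})
    public = bool(vpc.get("endpointPublicAccess", False))
    private = bool(vpc.get("endpointPrivateAccess", False))
    cidrs = list(vpc.get("publicAccessCidrs", []))
    findings: List[str] = []

    if public and "0.0.0.0/0" in cidrs:
        findings.append("CRITICAL: API endpoint reachable from any internet address (0.0.0.0/0)")
    elif public:
        findings.append(f"WARNING: API endpoint reachable from the internet, limited to {cidrs}")

    if not private:
        # With private access off, even in-VPC clients (nodes, the bastion)
        # leave the VPC to reach the public endpoint.
        findings.append("WARNING: private endpoint access disabled; in-VPC traffic uses the public endpoint")

    if private and not public:
        findings.append("OK: endpoint is private-only; reachable only from inside the VPC")
    return findings


def remediation_command(cluster_name: str) -> str:
    """The AWS CLI call that switches a cluster to private-only access."""
    return (
        f"aws eks update-cluster-config --name {cluster_name} "
        "--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true"
    )


if __name__ == "__main__":
    for doc in (SAMPLE_CLUSTER_PUBLIC, SAMPLE_CLUSTER_PRIVATE):
        print(doc["name"], assess_endpoint(doc))
    print(remediation_command(SAMPLE_CLUSTER_PUBLIC["name"]))
```

Run it against the real output of `aws eks describe-cluster --name <cluster> --query cluster` to see which of the two shapes your cluster matches; a cluster that was "private for five years" but reports `endpointPublicAccess: true` with `0.0.0.0/0` is exactly the situation in which scanners find `/version`.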
0

So I recently dug this project up from the grave and just noticed that the k8s API might be publicly enabled... but still, within 4 days someone from Amsterdam managed to find the API address and call /version.

answered 2 years ago
0

Check the control plane logs of your EKS cluster

Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. You can select the exact log types you need, and logs are sent as log streams to a group for each Amazon EKS cluster in CloudWatch.

https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

EXPERT
answered 2 years ago
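To act on this answer, the log type to look at is the `audit` log: EKS writes the kube-apiserver audit log to the CloudWatch log group `/aws/eks/<cluster>/cluster`, in streams named `kube-apiserver-audit-*`, one Kubernetes audit Event in JSON per line. Note that `/version`, like `/healthz`, `/readyz` and `/livez`, is readable by `system:unauthenticated` under Kubernetes' default RBAC, so an exposed endpoint answers 200 to anyone. The script below, an added example that is not part of the original thread, triages exported audit lines for discovery-style requests that came from outside the cluster's VPC and summarises them by source IP. The VPC CIDR and the audit lines are constructed (documentation IP ranges); the Logs Insights query string is the equivalent search to run directly in CloudWatch.

```python
"""Triage EKS kube-apiserver audit events for API discovery from outside the VPC.

Added example, not from the original thread. Audit lines and the VPC CIDR
below are constructed; field names follow the Kubernetes audit.k8s.io/v1 Event.
"""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List

# Constructed: the CIDR(s) of the VPC the cluster lives in.
VPC_CIDRS = ["10.0.0.0/16"]

# Paths scanners request to fingerprint a cluster; /version and the health
# endpoints need no authentication under default RBAC.
DISCOVERY_PATHS = {"/version", "/api", "/apis", "/healthz", "/readyz", "/livez", "/openapi/v2"}

# Same search expressed for CloudWatch Logs Insights on /aws/eks/<cluster>/cluster.
LOGS_INSIGHTS_QUERY = """fields @timestamp, requestURI, sourceIPs.0, user.username, responseStatus.code, userAgent
| filter @logStream like /kube-apiserver-audit/
| filter requestURI = "/version"
| sort @timestamp desc"""

# Constructed audit lines: two anonymous hits from the internet, the same
# request at its RequestReceived stage (must not be double counted), normal
# admin traffic from the bastion, and a garbage line the parser must skip.
SAMPLE_AUDIT_LINES = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/version","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.5"],"userAgent":"python-requests/2.31","responseStatus":{"code":200},"stageTimestamp":"2024-01-10T08:12:01Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/version","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.5"],"userAgent":"python-requests/2.31","stageTimestamp":"2024-01-10T08:12:01Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/version","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.23"],"userAgent":"Go-http-client/1.1","responseStatus":{"code":200},"stageTimestamp":"2024-01-11T22:40:17Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods?limit=500","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters"]},"sourceIPs":["10.0.1.12"],"userAgent":"kubectl/v1.28.0","responseStatus":{"code":200},"stageTimestamp":"2024-01-11T09:03:44Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/version","verb":"get","user":{"username":"kubernetes-admin","groups":["system:masters"]},"sourceIPs":["10.0.1.12"],"userAgent":"kubectl/v1.28.0","responseStatus":{"code":200},"stageTimestamp":"2024-01-11T09:03:40Z"}',
    "not a json line at all",
]


def parse_events(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield audit Events, silently skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("kind") == "Event":
            yield event


def is_internal(ip: str, cidrs: List[str]) -> bool:
    """True if the address falls inside one of the VPC CIDRs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage(lines: Iterable[str], cidrs: List[str] = VPC_CIDRS) -> List[Dict]:
    """Return discovery requests (completed stage only) from outside the VPC."""
    findings: List[Dict] = []
    for ev in parse_events(lines):
        if ev.get("stage") != "ResponseComplete":
            continue  # each request logs several stages; count it once
        uri = ev.get("requestURI", "").split("?", 1)[0]
        if uri not in DISCOVERY_PATHS:
            continue
        ips = ev.get("sourceIPs") or []
        ip = ips[0] if ips else "unknown"
        if is_internal(ip, cidrs):
            continue
        findings.append({
            "auditID": ev.get("auditID"),
            "time": ev.get("stageTimestamp"),
            "sourceIP": ip,
            "user": ev.get("user", {}).get("username"),
            "uri": uri,
            "code": ev.get("responseStatus", {}).get("code"),
            "userAgent": ev.get("userAgent"),
        })
    return findings


def by_source(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per source IP, for comparison with the GuardDuty finding."""
    return dict(Counter(f["sourceIP"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_AUDIT_LINES)
    for h in hits:
        print(h)
    print(by_source(hits))
```

The two things worth confirming from real logs are whether the flagged calls are `system:anonymous` (a scanner enumerating a public endpoint) or carry a real identity (credentials in use from outside the bank), and whether anything beyond the discovery paths was requested from the same source IPs; the GuardDuty finding's IPs should appear in `by_source()` once the VPC CIDRs are set to the cluster's own.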
