Backdoor aws-auth EKS ConfigMap
Platform: EKS
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Backdoors the aws-auth ConfigMap in an EKS cluster to grant access to the cluster to a specific role.
Warm-up:
- Create an IAM role
Detonation:
- Add an entry to the aws-auth ConfigMap to grant administrator access to the cluster to the role
References:
- https://securitylabs.datadoghq.com/articles/amazon-eks-attacking-securing-cloud-identities/#authorization-the-aws-auth-configmap-deprecated
- https://docs.aws.amazon.com/eks/latest/userguide/auth-configmap.html
Instructions
Detection
Through EKS API Server audit logs, by looking for changes to the aws-auth ConfigMap in the kube-system namespace. Here's what a relevant audit event looks like:
{
"objectRef": {
"apiVersion": "v1",
"resource": "configmaps",
"name": "aws-auth"
},
"requestURI": "/api/v1/namespaces/kube-system/configmaps/aws-auth",
"requestObject": {
"metadata": {
"resourceVersion": "184358280",
"name": "aws-auth",
"namespace": "kube-system",
"creationTimestamp": "2022-07-20T13:13:30Z"
},
"apiVersion": "v1",
"data": {
"mapRoles": "- groups:\n - system:masters\n rolearn: arn:aws:iam::012345678901:role/account-admin\n username: cluster-admin-{{SessionName}}\n- groups:\n - system:bootstrappers\n - system:nodes\n rolearn: arn:aws:iam::012345678901:role/eksctl-cluser-NodeInstanceRole\n username: system:node:{{EC2PrivateDNSName}}\n- groups:\n - system:masters\n rolearn: arn:aws:iam::012345678901:role/stratus-red-team-eks-backdoor-aws-auth-role\n username: backdoor\n"
},
"kind": "ConfigMap"
}
}