
AWS EKS Access Entry Modified

Elastic Detection Rules

Summary
Detects successful AWS EKS Access Entries API operations that create, update, attach, detach, or delete authentication mappings between IAM principals and the cluster. These changes alter who can authenticate to Kubernetes and what permissions they have, without editing in-cluster RBAC. The rule filters out common automation callers (service-linked roles, eksctl, Terraform, CloudFormation) to reduce noise; tune the exclusions for your deployment pipelines.

It looks for CloudTrail events from eks.amazonaws.com with the actions CreateAccessEntry, AssociateAccessPolicy, UpdateAccessEntry, DisassociateAccessPolicy and DeleteAccessEntry, and requires a successful outcome. The detection window is the last 6 minutes.

Triage uses fields such as aws.cloudtrail.user_identity.arn, user.name, source.ip, user_agent.original, cloud.account.id and cloud.region to map the actor and context, and maps each action to an intent (new principal, policy binding change, metadata update, removal). Investigations should inspect request_parameters and response_elements for the cluster name and policy ARNs, correlate with infrastructure-change windows and Kubernetes audit logs, and pair with EKS Access Entry Granted Cluster Admin Policy for higher fidelity when AssociateAccessPolicy fires.

Remediation includes reverting unauthorized entries via AWS APIs, rotating credentials for affected principals, and tightening eks:* permissions and SCPs. This rule aligns to MITRE ATT&CK: Account Manipulation (T1098), including Additional Container Cluster Roles (T1098.006), under Persistence (TA0003) and Privilege Escalation (TA0004).
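The following is an added worked example, not Elastic's rule code: it replays the detection logic described above (event source, monitored actions, successful outcome, 6-minute window, automation-caller exclusions) over constructed CloudTrail-style records and produces the triage fields the summary lists. Field names follow the raw CloudTrail record format rather than Elastic's ECS mapping; the requestParameters keys ("name", "principalArn", "policyArn"), the user-agent markers used for exclusion, the sample account ID, ARNs and timestamps are all assumptions made for the example.

```python
"""Replay of the EKS Access Entry Modified detection over constructed events.

Added example, not the rule's own code. CloudTrail field names are real; the
requestParameters keys and all sample values below are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Monitored actions mapped to the intent the triage guidance describes.
MONITORED_ACTIONS = {
    "CreateAccessEntry": "new principal mapped to the cluster",
    "AssociateAccessPolicy": "access policy bound to a principal",
    "UpdateAccessEntry": "access entry metadata or groups updated",
    "DisassociateAccessPolicy": "access policy unbound from a principal",
    "DeleteAccessEntry": "principal mapping removed",
}
# Automation callers the rule excludes; tune these for your own pipelines.
AUTOMATION_AGENT_MARKERS = ("eksctl", "terraform", "cloudformation")
WINDOW = timedelta(minutes=6)
# Fixed reference time so the example is deterministic (assumed value).
NOW = datetime(2026, 5, 6, 12, 0, tzinfo=timezone.utc)


def is_automation_caller(event):
    """Service-linked roles and IaC/CLI tooling the rule filters out."""
    arn = event.get("userIdentity", {}).get("arn", "")
    agent = event.get("userAgent", "").lower()
    # Service-linked role ARNs always carry the aws-service-role path segment.
    if "/aws-service-role/" in arn:
        return True
    return any(marker in agent for marker in AUTOMATION_AGENT_MARKERS)


def in_window(event, now):
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return now - WINDOW <= ts <= now


def matches_rule(event, now):
    return (
        event.get("eventSource") == "eks.amazonaws.com"
        and event.get("eventName") in MONITORED_ACTIONS
        and "errorCode" not in event  # CloudTrail omits errorCode on success
        and in_window(event, now)
        and not is_automation_caller(event)
    )


def triage(event):
    """Pull the actor/context fields the rule's triage guidance calls for."""
    params = event.get("requestParameters") or {}
    policy_arn = params.get("policyArn", "")
    return {
        "action": event["eventName"],
        "intent": MONITORED_ACTIONS[event["eventName"]],
        "actor": event["userIdentity"].get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "account": event.get("recipientAccountId"),
        "region": event.get("awsRegion"),
        "cluster": params.get("name"),
        "principal": params.get("principalArn"),
        "policy_arn": policy_arn or None,
        # Flag bindings of the cluster-admin policy; this is the case the
        # companion "Granted Cluster Admin Policy" rule raises fidelity for.
        "cluster_admin": policy_arn.endswith("AmazonEKSClusterAdminPolicy"),
    }


def run_detection(lines, now=NOW):
    """Return a triage record for every log line that matches the rule."""
    return [triage(e) for e in map(json.loads, lines) if matches_rule(e, now)]


def _event(name, actor, agent, minutes_ago, params, error=None):
    """Build one constructed CloudTrail-style record."""
    rec = {
        "eventSource": "eks.amazonaws.com", "eventName": name,
        "eventTime": (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "userIdentity": {"arn": actor}, "userAgent": agent,
        "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1",
        "recipientAccountId": "111122223333", "requestParameters": params,
    }
    if error:
        rec["errorCode"] = error
    return rec


ACCT = "arn:aws:iam::111122223333"
CONTRACTOR = ACCT + ":role/contractor"
ADMIN_POLICY = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
# Constructed sample log lines covering each branch of the rule.
SAMPLE_LINES = [json.dumps(e) for e in [
    _event("CreateAccessEntry", ACCT + ":user/alice", "aws-cli/2.15.0", 2,
           {"name": "prod-eks", "principalArn": CONTRACTOR}),
    _event("AssociateAccessPolicy", ACCT + ":role/ci-deploy", "eksctl/0.170.0", 3,
           {"name": "prod-eks", "principalArn": CONTRACTOR, "policyArn": ADMIN_POLICY}),
    _event("DeleteAccessEntry", ACCT + ":user/bob", "aws-cli/2.15.0", 1,
           {"name": "prod-eks", "principalArn": CONTRACTOR}, error="AccessDeniedException"),
    _event("UpdateAccessEntry", ACCT + ":role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS",
           "eks.amazonaws.com", 2, {"name": "prod-eks", "principalArn": CONTRACTOR}),
    _event("DescribeCluster", ACCT + ":user/alice", "aws-cli/2.15.0", 1, {"name": "prod-eks"}),
    _event("AssociateAccessPolicy", "arn:aws:sts::111122223333:assumed-role/admin/carol",
           "aws-cli/2.15.0", 4, {"name": "prod-eks", "principalArn": CONTRACTOR, "policyArn": ADMIN_POLICY}),
    _event("CreateAccessEntry", ACCT + ":user/dave", "aws-cli/2.15.0", 30,
           {"name": "prod-eks", "principalArn": CONTRACTOR}),
]]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LINES):
        print(json.dumps(alert, indent=2))
```

Of the seven constructed records only two alert: alice's CreateAccessEntry and carol's AssociateAccessPolicy, the latter flagged cluster_admin because it binds the cluster-admin policy. The eksctl call, the service-linked role, the failed delete, the unmonitored DescribeCluster and the 30-minute-old event are all dropped, which is the behaviour the exclusions, success requirement and window are meant to give.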
Categories
  • Cloud
  • Kubernetes
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.006
Created: 2026-05-06