
Summary
This detection rule is designed to identify potentially unauthorized access to sensitive objects within an AWS EKS (Elastic Kubernetes Service) Kubernetes cluster, specifically resources such as secrets and configmaps. The search uses Kubernetes audit logs delivered through AWS CloudWatch and filters out internal (loopback) source IP addresses from the requests that touch these sensitive resources. For each remaining request it compiles the user accessing the resource, the groups that user belongs to, the specific resource accessed, and the namespace it resides in. A deduplication step on usernames and user groups reduces the output to unique access instances. Although this rule may flag certain access instances, access to secrets or configmaps is not inherently malicious, so the user and the context of the request should be thoroughly analyzed before concluding any malicious intent.
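To show what the search described above does in concrete terms, here is an added example (not the rule's own search logic and not code from the page's source) that applies the same steps to Kubernetes audit events in the JSON shape the API server writes and EKS forwards to CloudWatch. The field names (`user.username`, `user.groups`, `sourceIPs`, `objectRef.resource`, `objectRef.namespace`) are the real `audit.k8s.io/v1` fields; the users, IP addresses, namespaces and object names in the sample lines are constructed for this example, and treating the first `sourceIPs` entry as the originating client is an assumption documented in the code.

```python
import ipaddress
import json
from collections import defaultdict

# Resources the rule treats as sensitive (from the rule description).
SENSITIVE_RESOURCES = {"secrets", "configmaps"}

# Constructed sample audit events using audit.k8s.io/v1 field names. Users,
# IPs, namespaces and object names are invented for this example.
SAMPLE_LOG_LINES = [
    # Loopback source: excluded by the rule.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "system:apiserver", "groups": ["system:masters"]},
                "sourceIPs": ["127.0.0.1"],
                "objectRef": {"resource": "secrets", "namespace": "kube-system",
                              "name": "bootstrap-token"}}),
    # Human user reading a secret from an external address: reported.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "dev-alice",
                         "groups": ["system:authenticated", "developers"]},
                "sourceIPs": ["203.0.113.10"],
                "objectRef": {"resource": "secrets", "namespace": "default",
                              "name": "db-credentials"}}),
    # Same user listing configmaps: deduplicated under the same identity.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
                "user": {"username": "dev-alice",
                         "groups": ["developers", "system:authenticated"]},
                "sourceIPs": ["203.0.113.10"],
                "objectRef": {"resource": "configmaps", "namespace": "default",
                              "name": "app-settings"}}),
    # Not a sensitive resource: ignored.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "dev-alice",
                         "groups": ["system:authenticated", "developers"]},
                "sourceIPs": ["203.0.113.10"],
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0"}}),
    # Service account behind a proxy chain; the client IP comes first.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "system:serviceaccount:prod:ci-bot",
                         "groups": ["system:serviceaccounts", "system:authenticated"]},
                "sourceIPs": ["10.0.1.5", "127.0.0.1"],
                "objectRef": {"resource": "configmaps", "namespace": "prod",
                              "name": "app-config"}}),
    # IPv6 loopback: excluded.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "system:kube-controller-manager", "groups": []},
                "sourceIPs": ["::1"],
                "objectRef": {"resource": "secrets", "namespace": "kube-system",
                              "name": "sa-signing-key"}}),
    # Malformed line, as CloudWatch exports sometimes contain: skipped.
    "not a json audit record",
]


def parse_event(line):
    """Parse one log line into an audit Event dict, or None if it is not one."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    return event if isinstance(event, dict) and event.get("kind") == "Event" else None


def client_ip(event):
    """Assumption: the first sourceIPs entry is the originating client;
    later entries are proxies. Returns None when no source IP was recorded."""
    ips = event.get("sourceIPs") or []
    return ips[0] if ips else None


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; unparsable or missing values are not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def sensitive_access_events(lines):
    """Keep events that touch secrets/configmaps from a non-loopback client."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        obj = event.get("objectRef") or {}
        if obj.get("resource") not in SENSITIVE_RESOURCES:
            continue
        if is_loopback(client_ip(event)):
            continue
        hits.append(event)
    return hits


def summarize_by_user(events):
    """Deduplicate on (username, groups) and list what each identity accessed."""
    grouped = defaultdict(set)
    for event in events:
        user = event.get("user") or {}
        key = (user.get("username", ""), tuple(sorted(user.get("groups") or [])))
        obj = event["objectRef"]
        grouped[key].add((obj.get("namespace", ""), obj["resource"],
                          obj.get("name", ""), event.get("verb", "")))
    return [{"username": username, "groups": list(groups), "accessed": sorted(items)}
            for (username, groups), items in sorted(grouped.items())]


def run_detection(lines):
    """Full pipeline: parse, filter to sensitive non-loopback access, deduplicate."""
    return summarize_by_user(sensitive_access_events(lines))


if __name__ == "__main__":
    for row in run_detection(SAMPLE_LOG_LINES):
        print(json.dumps(row))
```

Each row in the output is one unique identity with the namespace, resource, object name and verb of every sensitive request it made; as the summary notes, a row is a starting point for review of who the user is and why they read the object, not a finding on its own.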
Categories
- Kubernetes
- Cloud
- AWS
Data Sources
- Cloud Storage
- Logon Session
Created: 2024-11-14