
Summary
Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with an IAM principal via the EKS Access Entries API (AssociateAccessPolicy). Such associations grant cluster-admin–equivalent access to an IAM user or role, enabling persistence or privilege escalation without modifying Kubernetes resources. CloudTrail records of Access Entries modifications provide visibility beyond the legacy aws-auth ConfigMap. The rule aids in identifying attackers who obtain IAM permissions to manage EKS access entries and backdoor cluster access. The content includes triage guidance, investigation steps, and remediation recommendations. False positives may occur during legitimate onboarding or controlled migrations; validate caller, target principal, and change context. Potential responses include disassociating the policy, auditing IAM API access (eks:*), rotating credentials, and reviewing SCPs and cluster auth mode. References to AWS EKS access entries and AssociateAccessPolicy are provided for deep-dive remediation and validation.
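The detection the summary describes can be expressed as a small filter over CloudTrail records. The following is an added example, not the rule's own query or any vendor code: it matches successful eks:AssociateAccessPolicy calls whose policyArn is one of the two admin policies, and emits the fields a triager needs (caller, target principal, cluster, scope). The CloudTrail field layout (requestParameters.name, principalArn, policyArn, accessScope) is assumed from the EKS API shape, the sample events are constructed, and the account ID and ARNs are placeholders.

```python
"""Flag CloudTrail AssociateAccessPolicy events that attach EKS admin access policies.

Added example; field names below follow the EKS AssociateAccessPolicy API as assumed
here, and every event in SAMPLE_EVENTS is constructed for illustration.
"""
import json
from typing import Iterable, Optional

# AWS-managed EKS access policies that grant cluster-admin-equivalent rights.
ADMIN_POLICY_ARNS = frozenset({
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
    "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy",
})


def is_admin_policy_association(event: dict) -> bool:
    """True when a successful eks:AssociateAccessPolicy call attached an admin policy."""
    if event.get("eventSource") != "eks.amazonaws.com":
        return False
    if event.get("eventName") != "AssociateAccessPolicy":
        return False
    if event.get("errorCode"):  # denied or failed calls granted nothing; keep them out
        return False
    params = event.get("requestParameters") or {}
    return params.get("policyArn") in ADMIN_POLICY_ARNS


def summarize(event: dict) -> dict:
    """Pull out the fields the page's triage guidance asks you to validate."""
    params = event.get("requestParameters") or {}
    scope = params.get("accessScope") or {}
    identity = event.get("userIdentity") or {}
    return {
        "time": event.get("eventTime"),
        "caller_arn": identity.get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "cluster": params.get("name"),
        "target_principal": params.get("principalArn"),
        "policy_arn": params.get("policyArn"),
        "scope_type": scope.get("type"),
        "namespaces": list(scope.get("namespaces") or []),
    }


def find_admin_associations(events: Iterable[dict],
                            known_callers: Optional[set] = None) -> list:
    """Return a triage summary for each matching event.

    known_callers: optional set of caller ARNs (e.g. an onboarding pipeline role)
    whose changes are expected. Matching hits are kept but marked expected=True so
    reviewers still see them instead of silently dropping legitimate onboarding.
    """
    hits = []
    for ev in events:
        if not is_admin_policy_association(ev):
            continue
        s = summarize(ev)
        s["expected"] = bool(known_callers and s["caller_arn"] in known_callers)
        hits.append(s)
    return hits


# Constructed sample events (placeholder account 111122223333, TEST-NET-3 address).
_CALLER = "arn:aws:sts::111122223333:assumed-role/DevOpsRole/alice"
_ADMIN = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
_VIEW = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"


def _event(name, policy, scope, error=None):
    ev = {
        "eventTime": "2026-05-06T10:15:00Z",
        "eventSource": "eks.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "arn": _CALLER},
        "requestParameters": {
            "name": "prod-cluster",
            "principalArn": "arn:aws:iam::111122223333:role/ci-deployer",
            "policyArn": policy,
            "accessScope": scope,
        },
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("AssociateAccessPolicy", _ADMIN, {"type": "cluster"}),              # hit
    _event("AssociateAccessPolicy", _VIEW, {"type": "namespace",
                                            "namespaces": ["dev"]}),            # read-only
    _event("AssociateAccessPolicy", _ADMIN, {"type": "cluster"},
           error="AccessDeniedException"),                                     # failed
    _event("DisassociateAccessPolicy", _ADMIN, {"type": "cluster"}),           # removal
]

if __name__ == "__main__":
    print(json.dumps(find_admin_associations(SAMPLE_EVENTS), indent=2))
```

Only the first sample event is reported: the view-policy association, the denied call and the disassociation fall through. A scope_type of "cluster" on AmazonEKSClusterAdminPolicy is the case the summary treats as highest risk; a namespace-scoped AmazonEKSAdminPolicy hit still merits the same caller and change-context validation.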
Categories
- Cloud
- AWS
- Kubernetes
- Containers
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-05-06