
Amazon EKS Kubernetes cluster scan detection

Splunk Security Content

Summary
This detection rule identifies potential unauthorized scanning activities directed at an Amazon EKS Kubernetes cluster by monitoring unauthenticated requests from the `system:anonymous` user. Utilizing AWS CloudWatch Logs, it specifically examines user agents and authentication details to ascertain whether such requests deviate from normal operational patterns. The detection logic involves filtering out legitimate AWS Security Scanner requests, thereby focusing on suspicious traffic that may suggest probing of the cluster's security posture. By tracking the frequency of these requests and analyzing attributes like source IP addresses, HTTP user agents, and the types of requests made, security teams can discern patterns that may signal malicious intentions. Given the potential consequences of successful exploitation—such as unauthorized access, data breaches, or service disruptions—this analytic serves as a crucial warning mechanism for protecting Kubernetes environments against initial attack vectors.
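The filtering and aggregation the summary describes, as an added example run over constructed EKS audit log lines (not the Splunk rule's own SPL); the Kubernetes audit event fields are real, but the exact "AWS Security Scanner" user-agent string and the threshold of three requests are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample EKS audit events, one JSON object per line as CloudWatch Logs stores them.
SAMPLE_EVENTS = [
    '{"user":{"username":"system:anonymous"},"userAgent":"curl/8.4.0","sourceIPs":["203.0.113.10"],"verb":"get","requestURI":"/api/v1/namespaces/kube-system/secrets","responseStatus":{"code":403}}',
    '{"user":{"username":"system:anonymous"},"userAgent":"curl/8.4.0","sourceIPs":["203.0.113.10"],"verb":"get","requestURI":"/api/v1/pods","responseStatus":{"code":403}}',
    '{"user":{"username":"system:anonymous"},"userAgent":"python-requests/2.31","sourceIPs":["203.0.113.10"],"verb":"list","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","responseStatus":{"code":403}}',
    '{"user":{"username":"system:anonymous"},"userAgent":"AWS Security Scanner","sourceIPs":["10.0.3.21"],"verb":"get","requestURI":"/version","responseStatus":{"code":200}}',
    '{"user":{"username":"system:anonymous"},"userAgent":"Go-http-client/1.1","sourceIPs":["198.51.100.7"],"verb":"get","requestURI":"/api","responseStatus":{"code":403}}',
    '{"user":{"username":"system:node:ip-10-0-1-5"},"userAgent":"kubelet/v1.29","sourceIPs":["10.0.1.5"],"verb":"get","requestURI":"/api/v1/nodes/ip-10-0-1-5","responseStatus":{"code":200}}',
]

# Assumption: the user agent AWS's own scanner presents; legitimate, so it is excluded from the signal.
AWS_SCANNER_UA = "AWS Security Scanner"


def parse_events(lines):
    """Decode each log line as a Kubernetes audit event; skip lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def anonymous_requests(events):
    """Keep unauthenticated (system:anonymous) requests that did not come from the AWS scanner."""
    kept = []
    for ev in events:
        username = ev.get("user", {}).get("username")
        user_agent = ev.get("userAgent", "")
        if username == "system:anonymous" and AWS_SCANNER_UA not in user_agent:
            kept.append(ev)
    return kept


def summarize_by_source(events, min_requests=3):
    """Aggregate per source IP (count, user agents, verbs, URIs); return sources at/above the threshold."""
    stats = defaultdict(lambda: {"count": 0, "user_agents": set(), "verbs": Counter(), "uris": set()})
    for ev in events:
        for ip in ev.get("sourceIPs", ["unknown"]):
            entry = stats[ip]
            entry["count"] += 1
            entry["user_agents"].add(ev.get("userAgent", ""))
            entry["verbs"][ev.get("verb", "")] += 1
            entry["uris"].add(ev.get("requestURI", ""))
    return {ip: entry for ip, entry in stats.items() if entry["count"] >= min_requests}


def detect(lines, min_requests=3):
    """Full pipeline: parse -> filter anonymous, non-scanner -> aggregate and threshold per source."""
    return summarize_by_source(anonymous_requests(parse_events(lines)), min_requests)
```

Running `detect(SAMPLE_EVENTS)` flags only 203.0.113.10 (three anonymous probes across two user agents); the single request from 198.51.100.7 stays below the threshold and the AWS scanner request is excluded entirely.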
Categories
  • Kubernetes
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1526
Created: 2024-11-14