EKS Authentication Configuration Modified

Elastic Detection Rules

Summary
Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, so an attacker who can change it can grant cluster-admin privileges by inserting a mapping to the system:masters group. This rule targets the persistence technique in which authentication mappings live outside standard RBAC objects and can survive restarts, node replacements, and RBAC changes.

It monitors Kubernetes audit logs for writes (update, patch, delete) to aws-auth in the kube-system namespace, correlating the operation with the mapRoles/mapUsers content and the associated user identity. The included query filters for unauthorized updates within a defined window (from now back 9 minutes) and excludes known legitimate sources such as eks:kms-storage-migrator.

When triggered, the alert prompts investigators to verify change provenance, compare the new aws-auth content with a known-good revision, and review subsequent IAM/RBAC activity tied to newly mapped principals.

The detection aligns with the MITRE ATT&CK technique Account Manipulation (T1098), specifically the sub-technique covering container cluster roles (T1098.006), under the Privilege Escalation tactic (TA0004); it also highlights a Persistence angle (TA0003), since the mapping persists beyond the pod/node lifecycle.

Remediation guidance emphasizes reverting unauthorized changes, rotating or restricting IAM policies that grant modify access to aws-auth, and escalating per policy if unexpected identities are involved. False positives may occur during legitimate node group lifecycles, cluster upgrades, or IaC-based changes; tuning baseline identities and excluding known automated controllers is advised.
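The detection logic described above, as an added illustration that is not Elastic's rule or its query: it runs over constructed Kubernetes audit events (JSON lines, not real cluster data), keeps only update/patch/delete on configmaps/aws-auth in kube-system, drops the eks:kms-storage-migrator identity, and flags writes whose mapRoles/mapUsers text maps a principal to system:masters. The field names follow the Kubernetes audit event schema (verb, user.username, objectRef, requestObject); the 9-minute window and the comparison against a known-good revision are not modeled.

```python
import json

WRITE_VERBS = {"update", "patch", "delete"}      # reads (get/list/watch) are not interesting
EXCLUDED_USERS = {"eks:kms-storage-migrator"}    # known legitimate source named by the rule
PRIVILEGED_GROUP = "system:masters"

def is_aws_auth_write(event):
    """True for update/patch/delete on configmaps/aws-auth in kube-system."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") in WRITE_VERBS
            and ref.get("resource") == "configmaps"
            and ref.get("namespace") == "kube-system"
            and ref.get("name") == "aws-auth")

def grants_cluster_admin(event):
    """True when the submitted mapRoles/mapUsers text maps a principal to system:masters."""
    data = (event.get("requestObject") or {}).get("data") or {}
    return any(PRIVILEGED_GROUP in (data.get(key) or "") for key in ("mapRoles", "mapUsers"))

def evaluate(audit_lines):
    """One alert per suspicious aws-auth write: actor, verb, and whether it grants cluster-admin."""
    alerts = []
    for line in audit_lines:
        event = json.loads(line)
        if not is_aws_auth_write(event):
            continue
        user = (event.get("user") or {}).get("username", "")
        if user in EXCLUDED_USERS:
            continue
        alerts.append({"user": user, "verb": event["verb"],
                       "grants_cluster_admin": grants_cluster_admin(event)})
    return alerts

# Constructed sample audit events (not real cluster data), one JSON object per line.
_AWS_AUTH = {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"}
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"verb": "patch", "user": {"username": "kubernetes-admin"}, "objectRef": _AWS_AUTH,
     "requestObject": {"data": {"mapRoles": "- rolearn: arn:aws:iam::123456789012:role/example\n"
                                            "  username: example\n  groups:\n  - system:masters\n"}}},
    {"verb": "update", "user": {"username": "eks:kms-storage-migrator"}, "objectRef": _AWS_AUTH},
    {"verb": "get", "user": {"username": "kubernetes-admin"}, "objectRef": _AWS_AUTH},
    {"verb": "patch", "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "configmaps", "namespace": "default", "name": "app-config"}},
    {"verb": "delete", "user": {"username": "ci-deployer"}, "objectRef": _AWS_AUTH},
]]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_AUDIT_LINES):
        print(alert)
```

Only the admin patch (which adds a system:masters mapping) and the delete by ci-deployer produce alerts; the migrator update, the read, and the write to an unrelated ConfigMap are dropped.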
Categories
  • Kubernetes
  • Cloud
  • AWS
Data Sources
  • Application Log
  • Container
ATT&CK Techniques
  • T1098
  • T1098.006
Created: 2026-05-06