
Kubernetes AWS detect service accounts forbidden failure access

Splunk Security Content

Summary
This detection rule monitors Kubernetes service accounts in an AWS EKS environment for occurrences of 'forbidden' or 'failure' access responses. The rule utilizes AWS CloudWatch logs to identify failed access attempts, providing valuable insights into potential security incidents involving service accounts. By highlighting service accounts that received failed access statuses, this rule aids in identifying misconfigurations or possible malicious activities targeting Kubernetes resources. It allows the user to extend searches with additional operators, exploring trends related to user agents, source IPs, and specific request URIs to better understand the context of the failures. While the rule aids in identifying security concerns, it may also generate false positives due to legitimate authentication and permission issues inherent within the cluster.
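As an added illustration (not part of Splunk's detection content), the Python below reproduces the rule's core logic over a few constructed EKS audit events: it keeps only service-account identities that received a 403/Failure response and pivots them by user agent, source IP and request URI, the same triage pivots the summary suggests. Field names follow the Kubernetes audit event schema that EKS writes to CloudWatch; the sample events themselves are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed Kubernetes audit events in the shape EKS writes to CloudWatch
# (made up for this example, not captured from a real cluster).
SAMPLE_LOG_LINES = [
    json.dumps({"verb": "list", "requestURI": "/api/v1/secrets", "userAgent": "curl/8.0",
                "user": {"username": "system:serviceaccount:default:web"}, "sourceIPs": ["10.0.1.5"],
                "responseStatus": {"code": 403, "status": "Failure", "reason": "Forbidden"}}),
    json.dumps({"verb": "get", "requestURI": "/api/v1/namespaces/kube-system/pods", "userAgent": "curl/8.0",
                "user": {"username": "system:serviceaccount:default:web"}, "sourceIPs": ["10.0.1.5"],
                "responseStatus": {"code": 403, "status": "Failure", "reason": "Forbidden"}}),
    json.dumps({"verb": "get", "requestURI": "/api/v1/namespaces/default/configmaps", "userAgent": "kubectl/v1.29",
                "user": {"username": "system:serviceaccount:default:web"}, "sourceIPs": ["10.0.1.5"],
                "responseStatus": {"code": 200}}),
    json.dumps({"verb": "create", "requestURI": "/apis/apps/v1/namespaces/prod/deployments", "userAgent": "argocd/2.9",
                "user": {"username": "system:serviceaccount:ci:deployer"}, "sourceIPs": ["10.0.2.9"],
                "responseStatus": {"code": 403, "status": "Failure", "reason": "Forbidden"}}),
    json.dumps({"verb": "delete", "requestURI": "/api/v1/nodes/node-a", "userAgent": "kubectl/v1.29",
                "user": {"username": "alice@example.com"}, "sourceIPs": ["203.0.113.7"],
                "responseStatus": {"code": 403, "status": "Failure", "reason": "Forbidden"}}),
]

def is_service_account_denial(event: dict) -> bool:
    """True when a service-account identity received a forbidden/failure response."""
    username = event.get("user", {}).get("username", "")
    status = event.get("responseStatus", {})
    return username.startswith("system:serviceaccount:") and (
        status.get("code") == 403 or status.get("status") == "Failure")

def summarize_denials(log_lines):
    """Per service account: denial count and breakdowns by user agent, source IP and
    request URI, the same pivots the rule suggests for triage."""
    summary = defaultdict(lambda: {"count": 0, "userAgent": Counter(),
                                   "sourceIP": Counter(), "requestURI": Counter()})
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole search
        if not is_service_account_denial(event):
            continue  # successes and non-service-account identities are out of scope
        entry = summary[event["user"]["username"]]
        entry["count"] += 1
        entry["userAgent"][event.get("userAgent", "unknown")] += 1
        entry["requestURI"][event.get("requestURI", "")] += 1
        for ip in event.get("sourceIPs", []):
            entry["sourceIP"][ip] += 1
    return dict(summary)
```

A service account that shows up here with a steadily growing count or an unexpected user agent is the case the rule is meant to surface; a single denial from a known workload is more often the permission misconfiguration the summary warns about.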
Categories
  • Cloud
  • Kubernetes
  • AWS
Data Sources
  • Cloud Service
  • Application Log
Created: 2024-11-14