Lateral movement

AWS IAM role connected to a K8s Role that allows the creation or modification of other pods

  • N/A


Amazon EKS uses IAM to authenticate callers to your Kubernetes cluster, but it still relies on native Kubernetes Role-Based Access Control (RBAC) for authorization. This means that an AWS IAM entity can be authorized to communicate with the API server. Orca has detected that IAM role {AwsIamRole} is connected to the K8s role {AwsIamRole.K8sRoles}, which can create new pods or modify existing pods. An attacker with access to the {AwsIamRole} AWS IAM role can gain a persistent foothold in the {AwsIamRole.K8sCluster} cluster by creating or modifying a "stealth" pod.
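The detection described above can be reproduced from the cluster's own objects: the `aws-auth` ConfigMap in `kube-system` maps IAM role ARNs to Kubernetes usernames and groups, and RoleBindings/ClusterRoleBindings connect those subjects to Roles/ClusterRoles whose rules grant verbs on resources. The script below is an added example, not Orca's detection logic, and all sample data (role ARNs, namespaces, role and group names) is constructed; in a real cluster the same dictionaries would come from `kubectl get configmap aws-auth -n kube-system -o json`, `kubectl get roles,clusterroles -A -o json` and `kubectl get rolebindings,clusterrolebindings -A -o json`.

```python
"""Flag IAM roles whose aws-auth mapping reaches a Kubernetes Role or ClusterRole
that can create or modify pods. Added example, not Orca's code."""

from typing import Iterable

# Verbs that let a principal create a pod or change an existing one.
POD_WRITE_VERBS = {"create", "update", "patch", "*"}


def rule_allows_pod_write(rule: dict) -> bool:
    """True if one RBAC rule grants create/update/patch on core-group pods."""
    api_groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    in_core_group = "" in api_groups or "*" in api_groups
    on_pods = "pods" in resources or "*" in resources
    return in_core_group and on_pods and bool(verbs & POD_WRITE_VERBS)


def pod_writing_roles(roles: Iterable[dict]) -> set:
    """Keys (kind, namespace, name) of every Role/ClusterRole with a pod-writing rule.
    ClusterRoles have no namespace, so their key carries None."""
    found = set()
    for role in roles:
        if any(rule_allows_pod_write(r) for r in role.get("rules", [])):
            meta = role["metadata"]
            found.add((role["kind"], meta.get("namespace"), meta["name"]))
    return found


def subjects_with_pod_write(roles: Iterable[dict], bindings: Iterable[dict]) -> set:
    """(subject kind, subject name) pairs bound to a pod-writing role.
    A RoleBinding may reference a namespaced Role (same namespace as the binding)
    or a ClusterRole; a ClusterRoleBinding only references ClusterRoles."""
    risky = pod_writing_roles(roles)
    subjects = set()
    for binding in bindings:
        ref = binding["roleRef"]
        ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
        if (ref["kind"], ns, ref["name"]) in risky:
            for subject in binding.get("subjects", []):
                subjects.add((subject["kind"], subject["name"]))
    return subjects


def iam_roles_with_pod_write(map_roles: Iterable[dict], roles, bindings) -> list:
    """IAM role ARNs whose mapped username or any mapped group can create/modify pods."""
    subjects = subjects_with_pod_write(roles, bindings)
    hits = []
    for entry in map_roles:
        user_hit = ("User", entry.get("username")) in subjects
        group_hit = any(("Group", g) in subjects for g in entry.get("groups", []))
        if user_hit or group_hit:
            hits.append(entry["rolearn"])
    return sorted(hits)


# Constructed sample data, shaped like the parsed mapRoles list and `-o json` output.
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::111122223333:role/ci-deployer",
     "username": "ci-deployer", "groups": ["deployers"]},
    {"rolearn": "arn:aws:iam::111122223333:role/cluster-auditor",
     "username": "auditor", "groups": ["viewers"]},
]
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "prod", "name": "deploy"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "create", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "prod", "name": "deployers-deploy"},
     "roleRef": {"kind": "Role", "name": "deploy"},
     "subjects": [{"kind": "Group", "name": "deployers"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers-pod-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "viewers"}]},
]

if __name__ == "__main__":
    for arn in iam_roles_with_pod_write(SAMPLE_MAP_ROLES, SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("pod create/modify reachable from IAM role:", arn)
```

Two gaps to keep in mind when reading the output: the check is scoped to the alert's direct pod write, so principals that can write Deployments, Jobs or DaemonSets (which create pods for them) fall outside it, and the `aws-auth` ConfigMap does not list the identity that created the cluster, which EKS grants `system:masters` implicitly, nor mappings made through EKS access entries.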