Lateral movement

AWS IAM role connected to a K8s Role with the ability to bind roles to a K8s entity (users, groups or service accounts)

Platform(s)
  • N/A

Description

Amazon EKS uses IAM to authenticate callers to the Kubernetes API server, but authorization is still handled by native Kubernetes Role-Based Access Control (RBAC): an AWS IAM entity is mapped to a Kubernetes user or group, and what that identity may do is determined by the RBAC roles bound to it. Orca has detected that the IAM role {AwsIamRole} is connected to the K8s role {AwsIamRole.K8sRoles}, which grants the ability to bind other K8s roles in the {AwsIamRole.K8sRoles.Namespace} namespace (in RBAC terms, the `bind` verb on roles together with the right to create rolebindings). Normally the API server refuses to create a RoleBinding that grants permissions the caller does not already hold; the `bind` verb bypasses that check. An attacker with access to the AWS IAM role can therefore create a RoleBinding that attaches a more privileged role to their own user, group or service account, elevating their privileges within the cluster.
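The following script is an added example, not Orca's detection logic, showing how to trace this finding yourself. It walks the chain the description assumes: an IAM role mapped to a Kubernetes user or group through the cluster's aws-auth ConfigMap (`mapRoles` entries), a RoleBinding naming that user or group as a subject, and a Role whose rules grant `bind` on roles/clusterroles plus `create` on rolebindings. The IAM role ARNs, namespace, Role and RoleBinding manifests below are constructed sample data in the shape `kubectl get ... -o json` returns; the function and helper names are the example's own.

```python
"""Trace AWS IAM roles to Kubernetes Roles that let the holder bind other Roles.

Added example, not Orca's code. Inputs are dicts in the shape returned by
`kubectl get role/rolebinding -o json`, plus mapRoles entries from the
aws-auth ConfigMap. All sample data at the bottom is constructed.
"""

RBAC = "rbac.authorization.k8s.io"


def _has(values, wanted):
    # RBAC rule fields accept "*" as a wildcard.
    return "*" in values or wanted in values


def _grants(rule, group, resource, verb):
    return (_has(rule.get("apiGroups", []), group)
            and _has(rule.get("resources", []), resource)
            and _has(rule.get("verbs", []), verb))


def role_allows_binding(role):
    """True if the Role grants the `bind` verb on roles or clusterroles AND
    create on rolebindings. With both, the holder can attach any Role in the
    namespace to their own identity. Without `bind`, the API server's
    escalation check limits RoleBinding creation to permissions the caller
    already holds, so create-on-rolebindings alone is not an escalation."""
    rules = role.get("rules", [])
    can_bind = any(_grants(r, RBAC, res, "bind")
                   for r in rules for res in ("roles", "clusterroles"))
    can_create = any(_grants(r, RBAC, "rolebindings", "create") for r in rules)
    return can_bind and can_create


def k8s_identities(map_roles_entry):
    """(kind, name) pairs an aws-auth mapRoles entry maps an IAM role to."""
    ids = set()
    if map_roles_entry.get("username"):
        ids.add(("User", map_roles_entry["username"]))
    for group in map_roles_entry.get("groups", []):
        ids.add(("Group", group))
    return ids


def iam_roles_with_bind_power(map_roles, rolebindings, roles):
    """Return (iam_role_arn, namespace, k8s_role_name) for every IAM role
    whose mapped user/group is bound to a Role that allows binding others."""
    risky = {(r["metadata"]["namespace"], r["metadata"]["name"])
             for r in roles if role_allows_binding(r)}
    findings = []
    for entry in map_roles:
        ids = k8s_identities(entry)
        for rb in rolebindings:
            ns = rb["metadata"]["namespace"]
            ref = rb["roleRef"]
            if ref["kind"] != "Role" or (ns, ref["name"]) not in risky:
                continue
            subjects = {(s["kind"], s["name"]) for s in rb.get("subjects", [])}
            if ids & subjects:
                findings.append((entry["rolearn"], ns, ref["name"]))
    return findings


# Constructed sample data (hypothetical account, roles and namespace).
MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/eks-developer",
     "username": "eks-developer", "groups": ["dev-team"]},
    {"rolearn": "arn:aws:iam::123456789012:role/eks-readonly",
     "username": "eks-readonly", "groups": ["viewers"]},
]
ROLES = [
    {"metadata": {"name": "rolebinding-manager", "namespace": "staging"},
     "rules": [
         {"apiGroups": [RBAC], "resources": ["rolebindings"],
          "verbs": ["create", "get", "list"]},
         {"apiGroups": [RBAC], "resources": ["roles"], "verbs": ["bind"]}]},
    {"metadata": {"name": "pod-reader", "namespace": "staging"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list"]}]},
]
ROLEBINDINGS = [
    {"metadata": {"name": "dev-team-rb", "namespace": "staging"},
     "roleRef": {"kind": "Role", "name": "rolebinding-manager", "apiGroup": RBAC},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    {"metadata": {"name": "viewers-rb", "namespace": "staging"},
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": RBAC},
     "subjects": [{"kind": "Group", "name": "viewers"}]},
]

if __name__ == "__main__":
    for arn, ns, role in iam_roles_with_bind_power(MAP_ROLES, ROLEBINDINGS, ROLES):
        print(f"{arn} can bind arbitrary Roles in namespace {ns} via Role {role}")
```

On a real cluster, feed it the `items` of `kubectl get roles,rolebindings -A -o json` and the `mapRoles` block of `kubectl -n kube-system get configmap aws-auth -o yaml`. The check deliberately ignores ClusterRoleBindings and EKS access entries, so extend it for those before relying on it as a complete audit.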