In Amazon EKS, entries in the 'aws-auth' ConfigMap are responsible for mapping access to the cluster. By default, only the creator of the cluster has initial access. To interact with a specific cluster, there must be a mapping of an IAM role or user to the cluster. Changes to the 'aws-auth' ConfigMap can modify access levels within the cluster but require prior access to the cluster itself.
If the cluster is configured to allow AWS IAM authentication through the 'aws-auth' ConfigMap, attackers may exploit this mapping to gain unauthorized access.
This article will review how ConfigMaps function within Amazon EKS, identify common threats, and discuss advanced strategies to secure them against potential attack vectors.
Introduction to EKS and ConfigMaps
Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service provided by AWS that simplifies the management of Kubernetes clusters. Developers can focus on deploying their containerized applications without worrying about the underlying infrastructure.
A ConfigMap in Kubernetes stores configuration data, such as application settings, environment variables, or file paths.
Example of a ConfigMap storing application configuration:
This example highlights a common mistake: storing sensitive information like database credentials in a ConfigMap. Such data should instead be stored in a Kubernetes Secret, as shown below:
How Attackers Can Exploit ConfigMaps
This scenario demonstrates how an attacker could escalate permissions by editing the 'aws-auth' ConfigMap. Initially, the attacker does not have access to certain cluster resources. After modifying the ConfigMap, they gain full access.
1. Initial Access
Command: kubectl get pods -n kube-system
Result: Access Denied
2. Edit ConfigMap
Command: kubectl edit configmap aws-auth -n kube-system
The attacker may grant a specific IAM role administrative access to the Kubernetes cluster and add an entry like this in the mapRoles section:
- rolearn: arn:aws:iam::123456789012:role/AttackerIAMRoleName
  username: admin:{{SessionName}}
  groups:
    - system:masters
Result: IAM role added as admin
3. Retry Access
Command: kubectl get pods -n kube-system
Result: Access Granted
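The mapping above is exactly what a defender should be looking for. The following script, added here as an example and not part of the original article, audits the mapRoles block of aws-auth (as returned by kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}') and reports every role mapped to system:masters that is not on an assumed allowlist of expected admin roles; the sample ConfigMap content and the allowlist are constructed, and the parser assumes YAML block style as in the snippet above.

```python
# Added example (not from the original article): audit the aws-auth ConfigMap
# for role mappings that grant cluster-admin via the system:masters group.
# A small purpose-built parser is used so the script needs no YAML library;
# it assumes block-style YAML like the article's snippet.
AWS_AUTH_MAP_ROLES = """\
- rolearn: arn:aws:iam::123456789012:role/NodeInstanceRole
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::123456789012:role/AttackerIAMRoleName
  username: admin:{{SessionName}}
  groups:
    - system:masters
"""  # constructed sample: a normal node role plus the rogue mapping from the article

# Assumed allowlist: the only role that is expected to hold system:masters.
EXPECTED_ADMIN_ROLES = {"arn:aws:iam::123456789012:role/ClusterAdmin"}


def parse_map_roles(text):
    """Parse the mapRoles YAML list into dicts with rolearn, username and groups."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- rolearn:"):
            # A new top-level entry; the ARN itself contains colons, so split once.
            entries.append({"rolearn": line.split(":", 1)[1].strip(),
                            "username": "", "groups": []})
        elif line.startswith("username:") and entries:
            entries[-1]["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- ") and entries:
            entries[-1]["groups"].append(line[2:].strip())  # nested group item
    return entries


def find_admin_mappings(text, expected=EXPECTED_ADMIN_ROLES):
    """Return role ARNs mapped to system:masters that are not on the allowlist."""
    return [e["rolearn"] for e in parse_map_roles(text)
            if "system:masters" in e["groups"] and e["rolearn"] not in expected]


if __name__ == "__main__":
    for arn in find_admin_mappings(AWS_AUTH_MAP_ROLES):
        print("unexpected system:masters mapping:", arn)
```

Run it on a schedule against the live ConfigMap and alert on a non-empty result; also diff the full mapRoles/mapUsers content against the last known-good copy, since a mapping to any privileged group, not only system:masters, deserves review.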
Relevant MITRE ATT&CK Stages
1. Valid Accounts (T1078): Adversaries exploit compromised IAM credentials or Kubernetes Service Account tokens to modify the aws-auth ConfigMap. By leveraging legitimate access, they establish a foothold within the cluster and carry out further activities with minimal visibility.
2. Create Account (T1136): Unauthorized modifications to the aws-auth ConfigMap enable adversaries to map unapproved IAM roles or users to Kubernetes roles. This grants them the ability to create unauthorized access pathways and escalate privileges within the cluster.
3. Abuse Elevation Control Mechanism (T1548): By manipulating ConfigMap settings, adversaries can elevate their privileges and access resources that are otherwise restricted. Changes to the aws-auth ConfigMap are a common tactic to gain control over sensitive cluster operations.
4. Impair Defenses (T1562): Adjusting IAM role mappings within the aws-auth ConfigMap allows adversaries to undermine or bypass safeguards. This tactic is used to suppress security mechanisms and maintain unauthorized control over the cluster.
Securing Your Cluster: Investigating Threats to ConfigMaps
ConfigMaps play a vital role in Kubernetes clusters, serving as centralized repositories for configuration data. Given their importance, malicious actors often target ConfigMaps to gain unauthorized access, modify critical configurations, or disrupt cluster operations. Investigating threats related to ConfigMaps is crucial for maintaining the integrity and security of your cluster. Focus on these key indicators to uncover and address potential threats effectively:
1. Unusual Patterns in ConfigMap Creation or Deletion: Monitor for unexpected ConfigMaps being created or deleted, especially those that deviate from typical deployment workflows. Such anomalies could indicate an attempt to introduce rogue configurations or conceal malicious activities.
2. Unauthorized Modifications to Critical ConfigMaps: Pay particular attention to ConfigMaps like aws-auth, which control access and permissions within the cluster. Unauthorized changes to these ConfigMaps can compromise the entire security model of the cluster, enabling privilege escalation or unauthorized access.
3. Persistent Unauthorized Access Attempts: Repeated or unauthorized attempts to access sensitive ConfigMaps may signal reconnaissance efforts or an active attempt to exploit misconfigurations. Identifying the source and context of these attempts is critical to prevent escalation.
By thoroughly investigating these indicators, you can uncover and mitigate threats before they impact your cluster's operations. Establishing a systematic approach to uncover these risks ensures that your cluster remains resilient against evolving security challenges.
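The three indicators above can be checked directly against Kubernetes audit events, which EKS delivers to CloudWatch Logs when the audit control-plane log type is enabled. The script below is an added example, not code from the original article: it walks a constructed sample of audit events (JSON lines with the standard verb, user, objectRef and responseStatus fields) and reports ConfigMap creation or deletion by unexpected principals, writes to aws-auth by anyone outside an assumed allowlist, and repeated 403 responses against a sensitive ConfigMap.

```python
import json
from collections import Counter


# Constructed sample of Kubernetes audit events (JSON lines), not from a real cluster.
def _event(user, verb, name, code, ns="kube-system"):
    return json.dumps({"verb": verb, "user": {"username": user},
                       "objectRef": {"resource": "configmaps", "namespace": ns, "name": name},
                       "responseStatus": {"code": code}})


SAMPLE_AUDIT_LOG = "\n".join([
    _event("kubernetes-admin", "get", "aws-auth", 200),
    _event("dev-user", "get", "aws-auth", 403),
    _event("dev-user", "get", "aws-auth", 403),
    _event("dev-user", "patch", "aws-auth", 403),
    _event("system:serviceaccount:default:ci-runner", "patch", "aws-auth", 200),
    _event("system:serviceaccount:default:ci-runner", "create", "app-config", 200, ns="default"),
])

ALLOWED_EDITORS = {"kubernetes-admin"}  # assumed allowlist of principals that may change ConfigMaps
WRITE_VERBS = {"create", "update", "patch", "delete"}


def analyze_audit_log(text, allowed=ALLOWED_EDITORS, denied_threshold=3):
    """Return (indicator, user, detail, target) tuples for the three ConfigMap indicators:
    writes to aws-auth, unexpected ConfigMap create/delete, and repeated denied requests."""
    findings, denied = [], Counter()
    for line in filter(None, text.splitlines()):
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "configmaps":
            continue
        user = ev.get("user", {}).get("username", "<unknown>")
        verb, code = ev.get("verb"), ev.get("responseStatus", {}).get("code", 0)
        target = f"{ref.get('namespace')}/{ref.get('name')}"
        if code == 403:
            denied[(user, target)] += 1  # indicator 3: persistent unauthorized attempts
        elif target == "kube-system/aws-auth" and verb in WRITE_VERBS and user not in allowed:
            findings.append(("aws-auth-modified", user, verb, target))  # indicator 2
        elif verb in {"create", "delete"} and user not in allowed:
            findings.append(("configmap-lifecycle", user, verb, target))  # indicator 1
    for (user, target), n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated-denied", user, f"{n} denied requests", target))
    return findings


if __name__ == "__main__":
    for finding in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(*finding)
```

In the sample, the successful patch of aws-auth by a CI service account is the finding that matters most, and the three denied requests from dev-user show what the reconnaissance that precedes it looks like.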
Mitigation Strategies
To safeguard ConfigMaps and maintain the security of your Kubernetes clusters, implementing robust protection measures is essential. Here are effective strategies to uncover and address potential threats:
1. Restrict Access to ConfigMaps: Apply Kubernetes Role-Based Access Control (RBAC) to enforce strict access permissions. By limiting access to only authorized users and services, you reduce the risk of unauthorized modifications or exposure of configuration data.
2. Store Sensitive Data in Kubernetes Secrets: Avoid storing confidential information, such as passwords or API keys, in ConfigMaps. Instead, utilize Kubernetes Secrets, which are designed for secure storage and help minimize the risk of data compromise.
3. Enforce Pod Security Policies: Implement Pod Security Policies (PSPs) to control pod access to ConfigMaps. By restricting unauthorized mounting of ConfigMaps, you reduce the potential for misuse or accidental exposure of sensitive configurations.
Cyngular Security's CIRA Platform
To further secure your cloud environment, consider integrating Cyngular Security's CIRA platform. It enhances your security posture by providing advanced investigation and response capabilities, enabling your team to address threats swiftly and effectively. By adopting Cyngular Security's CIRA, you empower your organization with proactive and automated security measures that protect your cloud assets.
Get a Free Breach Assessment
Protect your cybersecurity infrastructure with a complimentary breach assessment from Cyngular:
- Safe and Non-disruptive: Conducted with read-only access to ensure no operational disruption.
- Easy Setup: Integrates seamlessly with your existing SIEM systems.
- Deep Insights: Empowers your cybersecurity strategy with advanced threat-hunting and proactive investigation capabilities.
Request your free Proof-of-Value today and lead the way in cybersecurity innovation with Cyngular.