AWS guardduty medium security documentation change
Summary
Added documentation for new EKS/CompromisedClusterAttackSequence detection type including detection details, data sources, and remediation guidance
Security assessment
The change documents new security monitoring capabilities for detecting compromised EKS clusters through attack sequence analysis. It adds critical severity detection for EKS cluster compromises using multiple security data sources like audit logs, runtime monitoring, and malware detection. This expands security visibility but doesn't indicate a specific vulnerability being patched.
Diff
diff --git a/guardduty/latest/ug/guardduty-attack-sequence-finding-types.md b/guardduty/latest/ug/guardduty-attack-sequence-finding-types.md index c6053dcb8..869532350 100644 --- a//guardduty/latest/ug/guardduty-attack-sequence-finding-types.md +++ b//guardduty/latest/ug/guardduty-attack-sequence-finding-types.md @@ -5 +5 @@ -AttackSequence:IAM/CompromisedCredentialsAttackSequence:S3/CompromisedData +AttackSequence:EKS/CompromisedClusterAttackSequence:IAM/CompromisedCredentialsAttackSequence:S3/CompromisedData @@ -11 +11 @@ GuardDuty detects an attack sequence when a specific sequence of multiple action -The attack sequence detections focus on potential compromise of Amazon S3 data (that can be a part of a broader ransomware attack), and compromised AWS credentials. The following sections provide details about each of the attack sequences. +The attack sequence detections focus on potential compromise of Amazon S3 data (that can be a part of a broader ransomware attack), compromised AWS credentials, and compromised Amazon EKS clusters. The following sections provide details about each of the attack sequences. @@ -14,0 +15,2 @@ The attack sequence detections focus on potential compromise of Amazon S3 data ( + * AttackSequence:EKS/CompromisedCluster + @@ -21,0 +24,33 @@ The attack sequence detections focus on potential compromise of Amazon S3 data ( +## AttackSequence:EKS/CompromisedCluster + +### A sequence of suspicious actions performed by potentially compromised Amazon EKS cluster. + + * Default severity: Critical + + * Data sources: + + * [EKS audit log events](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty/latest/ug/kubernetes-protection.html#guardduty_k8s-audit-logs) + + * [Runtime Monitoring for Amazon EKS](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-eks.html) + + * [Amazon EKS malware detection for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html) + + * [AWS CloudTrail data events for S3](./s3-protection.html#guardduty_s3dataplane) + + * [AWS CloudTrail management events](./guardduty_data-sources.html#guardduty_controlplane) + + * [VPC Flow Logs](./guardduty_data-sources.html#guardduty_vpc) + + * [Route53 Resolver DNS query logs](./guardduty_data-sources.html#guardduty_dns) + + + + +This finding informs you that GuardDuty detected a sequence of suspicious actions that indicates a potentially compromised Amazon EKS cluster in your environment. Multiple suspicious and anomalous attack behaviors, such as malicious processes or connection with malicious endpoints, were observed in the same Amazon EKS cluster. + +GuardDuty uses its proprietary correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources. + +**Remediation actions** : If this behavior is unexpected in your environment, then your Amazon EKS cluster may be compromised. For comprehensive remediation guidance, see [Remediating EKS Protection findings](./guardduty-remediate-kubernetes.html) and [Remediating Runtime Monitoring findings](./guardduty-remediate-runtime-monitoring.html). + +Additionally, since AWS credentials may have been compromised through the EKS cluster, see [Remediating potentially compromised AWS credentials](./compromised-creds.html). For steps to remediate other resources that may have been potentially impacted, see [Remediating detected GuardDuty security findings](./guardduty_remediate.html). +