EKS Incident Response Guide

This document provides information on investigating and responding to compromised containers or nodes in Amazon EKS. It discusses collecting data from container filesystems, EKS audit logs, CloudTrail logs, and Docker logs. It also mentions the overlay2 filesystem used by EKS and resources for forensic analysis like kube-forensics and a playbook from Cado Security. Remediation options include using Amazon Detective to investigate security issues in EKS clusters.

EKS Forensics & Incident Response

Cado Security
How do you respond to a compromised EKS Container or Node?

If you’ve identified a potentially compromised container in EKS, there are two potential ways forward:

● If the container is running on an underlying EC2, then refer to the suggested steps above for immediate actions.

● If the container is running on Fargate, then collect any data required for later analysis before subsequently suspending it.
What EKS GuardDuty Detections are there?

https://aws.amazon.com/blogs/security/how-to-use-new-amazon-guardduty-eks-protection-findings/
https://medium.com/@cloud_tips/guide-to-aws-guardduty-findings-in-eks-62babbd7da88
Container Investigation Data Sources in AWS?

Amazon S3

EKS Audit / Control Plane Logs
● Shows: API Level Calls
● Usefulness: Medium
● Collected by: S3

CloudTrail Logs
● Shows: API Level Calls
● Usefulness: Low
● Collected by: S3

Amazon EC2 - Hosting EKS/ECS

Docker Container Filesystems
● Normally overlay2 versioned filesystem
● Contains all the files from all the containers
● Usefulness: High
● Collected by: EC2 EBS (API) or Cado Host (SSM/SSH)

Docker Logs
● Logs what containers were started, stopped
● Usefulness: Medium
● Collected by: EC2 Import or Cado Host

Inside Container - EKS/ECS on Fargate/EC2

Container Filesystems
● Live filesystem as seen by the container, Memory
● Contains all the files from all the containers
● Usefulness: Very High
● Collected by: Cado Host (ECS Exec/kubectl exec)
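The EKS audit / control plane log listed above records every API call against the cluster, which is what lets an investigator reconstruct who touched a suspect pod and when. The following triage script is an added example, not code from the Cado deck: it parses constructed audit events (JSON lines, in the shape EKS writes to its audit log stream; the pod, namespace, users and IPs are made up), builds a timeline for one pod, and lists exec/attach/port-forward calls in a namespace.

```python
import json

# Constructed sample of EKS audit events (one JSON event per line). Not real
# logs: the namespace "prod", pod "web-7c9d", users and IPs are invented.
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","requestReceivedTimestamp":"2023-05-01T10:00:01Z","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7c9d"},"responseStatus":{"code":201}}
{"stage":"ResponseStarted","requestReceivedTimestamp":"2023-05-01T10:05:12Z","verb":"create","user":{"username":"kubernetes-admin"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-7c9d"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","requestReceivedTimestamp":"2023-05-01T10:05:12Z","verb":"create","user":{"username":"kubernetes-admin"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-7c9d"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","requestReceivedTimestamp":"2023-05-01T10:06:40Z","verb":"get","user":{"username":"system:serviceaccount:prod:default"},"sourceIPs":["10.0.2.9"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","requestReceivedTimestamp":"2023-05-01T10:07:03Z","verb":"delete","user":{"username":"kubernetes-admin"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7c9d"},"responseStatus":{"code":200}}
"""

# Pod subresources that give the caller an interactive or network path into a pod.
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}


def parse_audit_events(text):
    """Parse JSON-lines audit events, keeping only the ResponseComplete stage so a
    long-running request (exec is also logged at ResponseStarted) counts once."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it rather than abort the triage
        if ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def pod_timeline(events, namespace, pod):
    """Every completed API call that touched one pod, oldest first."""
    rows = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ref.get("resource") == "pods" and ref.get("namespace") == namespace and ref.get("name") == pod:
            rows.append((ev["requestReceivedTimestamp"], ev["verb"], ref.get("subresource", ""),
                         ev["user"]["username"], ev.get("sourceIPs", [""])[0]))
    return sorted(rows)


def interactive_access(events, namespace):
    """Calls in a namespace that opened exec/attach/port-forward into a pod."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ref.get("namespace") == namespace and ref.get("subresource") in INTERACTIVE_SUBRESOURCES:
            hits.append((ev["requestReceivedTimestamp"], ref["name"], ev["user"]["username"]))
    return hits
```

Point the same functions at the real audit log stream exported from CloudWatch to S3 (as the table notes, that is where these logs are collected from) and the timeline for the suspect pod comes out in the same shape.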
How do you Acquire an Amazon EKS System in Cado?
What is overlay2?
Overlay2 is the file system you are most likely to see.
It’s also versioned, which helps preserve evidence of attacks.
Separate containers are kept in their own folders:
What AWS EKS Logs are Stored in AWS?
It's important to also analyze AWS logs that are generated for EKS systems.
These contain metadata around starting and stopping containers.
Below you can see a view of AWS logs collected in Cado Response:
What Resources are available?

Community Resources

kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform offline forensic analysis.

Cado Security Resources

We previously published a playbook dedicated to investigating compromises in EKS environments. Check out the GitHub repository with sample data taken from a compromised EKS system, and an associated talk on how to analyze it.
What Remediation is available?

https://aws.amazon.com/blogs/security/how-to-investigate-and-take-action-on-security-issues-in-amazon-eks-clusters-with-amazon-detective-part-2/
Cado Response

Free 14-day trial: receive unlimited access to the Cado Response Platform for 14 days.

www.cadosecurity.com/free-investigation/