@0xdabbad00
Created January 25, 2022 03:05
{
  "version": "1",
  "type": "NEW_FEATURES",
  "featureDetails": [{
    "featureDescription": "On January 25, 2022 Amazon GuardDuty will expand coverage to continuously monitor and profile Amazon Elastic Kubernetes Service (Amazon EKS) cluster activity to identify malicious or suspicious behavior that represents potential threats to container workloads. Amazon GuardDuty for EKS Protection monitors control plane activity by analyzing Kubernetes audit logs from existing and new Amazon EKS clusters in your accounts. GuardDuty is integrated with Amazon EKS, giving it direct access to the Kubernetes audit logs without requiring you to turn on or store these logs. Once a threat is detected, GuardDuty will generate a security finding that includes container details such as pod ID, container image ID, and associated tags. At launch, GuardDuty for EKS Protection includes 27 new GuardDuty finding types that can help detect threats related to user and application activity captured in Kubernetes audit logs. GuardDuty for EKS Protection will be enabled by default for all new and existing GuardDuty accounts, and will not require any additional configuration of GuardDuty or Amazon EKS. Each AWS account will receive a 30-day free trial in each AWS region to evaluate this new capability. During the free trial period you can view your estimated EKS Protection spend in the GuardDuty console Usage page. You can suspend EKS Protection at any time in the Kubernetes Protection page in the GuardDuty console. If you disable EKS Protection by the end of day (23:59) of February 2, 2022, Pacific Standard Time, your 30-day free trial will automatically reset to allow for a free-trial evaluation at a later date.",
    "findingTypes": [
      "CredentialAccess:Kubernetes/MaliciousIPCaller",
      "CredentialAccess:Kubernetes/MaliciousIPCaller.Custom",
      "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
      "CredentialAccess:Kubernetes/TorIPCaller",
      "DefenseEvasion:Kubernetes/MaliciousIPCaller",
      "DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom",
      "DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess",
      "DefenseEvasion:Kubernetes/TorIPCaller",
      "Discovery:Kubernetes/MaliciousIPCaller",
      "Discovery:Kubernetes/MaliciousIPCaller.Custom",
      "Discovery:Kubernetes/SuccessfulAnonymousAccess",
      "Discovery:Kubernetes/TorIPCaller",
      "Execution:Kubernetes/ExecInKubeSystemPod",
      "Impact:Kubernetes/MaliciousIPCaller",
      "Impact:Kubernetes/MaliciousIPCaller.Custom",
      "Impact:Kubernetes/SuccessfulAnonymousAccess",
      "Impact:Kubernetes/TorIPCaller",
      "Persistence:Kubernetes/ContainerWithSensitiveMount",
      "Persistence:Kubernetes/MaliciousIPCaller",
      "Persistence:Kubernetes/MaliciousIPCaller.Custom",
      "Persistence:Kubernetes/SuccessfulAnonymousAccess",
      "Persistence:Kubernetes/TorIPCaller",
      "Policy:Kubernetes/AdminAccessToDefaultServiceAccount",
      "Policy:Kubernetes/AnonymousAccessGranted",
      "Policy:Kubernetes/KubeflowDashboardExposed",
      "Policy:Kubernetes/ExposedDashboard",
      "PrivilegeEscalation:Kubernetes/PrivilegedContainer"
    ]
  }]
}