Security researchers have discovered two critical vulnerabilities in Amazon Elastic Kubernetes Service (EKS) that could allow attackers to access AWS credentials and escalate privileges. These flaws come from how container permissions are configured in certain scenarios and show how small misconfigurations can lead to serious security risks.

Amazon EKS is a managed service by AWS that lets users run Kubernetes clusters in the cloud. To manage access securely, EKS uses something called the Pod Identity Agent, which gives AWS credentials to containers when needed. This agent communicates over HTTP with a special local IP address, but the process isn’t encrypted. If attackers gain certain permissions in a container, they can abuse this design and steal sensitive information.

The first vulnerability is related to the use of hostNetwork in Kubernetes. If a container is granted the hostNetwork setting, it shares the same network namespace as the host. This allows it to sniff traffic on the host system. An attacker inside such a container could run a tool like tcpdump and capture AWS credentials in plaintext as they’re sent to other pods on the same node. These credentials can then be used to access AWS services beyond the original container’s scope.

The second vulnerability is even more dangerous. If a container is allowed to run with elevated Linux capabilities such as CAP_NET_ADMIN, the attacker can disable the Pod Identity Agent and replace it with a fake HTTP server. This spoofed server listens on the same IP and port and responds with malicious tokens or logs the real ones. When another pod tries to request credentials, it unknowingly connects to the fake server, and the attacker can intercept everything. These tokens can then be used with AWS’s AssumeRoleForPodIdentity API to request valid AWS credentials.

Trend Micro demonstrated both attacks through proof-of-concept examples. One showed how tcpdump could be used to capture credentials using hostNetwork. The other showed how to use the pyroute2 library in Python to redirect traffic to a fake metadata service and collect credentials silently. These tests confirmed how easy it can be to exploit misconfigurations in EKS.

If an attacker gets AWS credentials this way, they can move laterally across the cloud environment. That means they might be able to access other services, read or delete data in S3 buckets, launch new compute instances, or even gain full control over parts of the infrastructure. The attack could affect more than just the compromised pod, making it a serious issue for cloud security.

AWS responded by saying this behavior is expected under their shared responsibility model. That means customers are responsible for configuring permissions and security inside their own Kubernetes environments. While some may see this as surprising, it’s standard for most cloud services. AWS provides the platform, but it’s up to users to secure their workloads.

To reduce risk, users should avoid granting hostNetwork to pods unless it’s absolutely required. They should also limit Linux capabilities in containers and not give them unnecessary permissions like CAP_NET_ADMIN. Security settings like Kubernetes securityContext or Pod Security Policies should be used to restrict what containers can do. It’s also important to monitor container behavior using runtime security tools such as AWS GuardDuty or Trend Vision One.
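As an added example (not code from the original article or from Trend Micro or AWS), the following Python script audits pod specs for the exact settings the two findings above depend on: hostNetwork, added NET_ADMIN/NET_RAW capabilities and privileged containers. It expects the JSON shape that `kubectl get pods -A -o json` returns; the two pods embedded in it are constructed samples, one hardened with a restrictive securityContext and one showing the risky configuration.

```python
"""Audit Kubernetes pod specs for the settings that enable the EKS Pod
Identity credential-theft scenarios: hostNetwork, NET_ADMIN/NET_RAW
capabilities and privileged containers.  Input is the JSON document that
`kubectl get pods -A -o json` prints; the sample below is constructed."""
import json
import sys
from typing import Dict, List

# Capabilities that let a container sniff or redirect node traffic.
# Kubernetes spells them without the CAP_ prefix; both forms are normalised.
RISKY_CAPS = {"NET_ADMIN", "NET_RAW", "SYS_ADMIN"}


def _norm_cap(cap: str) -> str:
    """'cap_net_admin' and 'NET_ADMIN' both become 'NET_ADMIN'."""
    return cap.upper().removeprefix("CAP_")


def audit_pod(pod: Dict) -> List[str]:
    """Return a list of findings for one pod object (empty list = clean)."""
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod.get("spec", {})
    findings: List[str] = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork=true (container shares the node's network namespace)")
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        cname = f"{name}[{c.get('name', '?')}]"
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged=true (grants every capability)")
        caps = {_norm_cap(x) for x in ((sc.get("capabilities") or {}).get("add") or [])}
        if "ALL" in caps:
            findings.append(f"{cname}: capabilities.add includes ALL")
        for cap in sorted(caps & RISKY_CAPS):
            findings.append(f"{cname}: capabilities.add includes {cap}")
    return findings


def audit_pod_list(pod_list: Dict) -> List[str]:
    """Audit every item of a kubectl PodList document."""
    out: List[str] = []
    for pod in pod_list.get("items", []):
        out.extend(audit_pod(pod))
    return out


# Constructed sample data (hypothetical pods, not taken from any real cluster).
# The first pod carries the restrictive securityContext recommended above.
HARDENED_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

SAMPLE_POD_LIST = {
    "items": [
        {
            "metadata": {"name": "web", "namespace": "prod"},
            "spec": {
                "hostNetwork": False,
                "containers": [{"name": "app", "securityContext": HARDENED_SECURITY_CONTEXT}],
            },
        },
        {
            "metadata": {"name": "debug", "namespace": "prod"},
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {"name": "shell",
                     "securityContext": {"capabilities": {"add": ["CAP_NET_ADMIN", "NET_RAW"]}}}
                ],
            },
        },
    ]
}


if __name__ == "__main__":
    # Pass the path of a saved `kubectl get pods -A -o json` file, or run
    # with no argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_POD_LIST
    for finding in audit_pod_list(doc):
        print(finding)
```

Running it against the sample reports only the `prod/debug` pod: its hostNetwork setting plus the two added capabilities, while the hardened `prod/web` pod produces no findings. The check treats `initContainers` the same as regular containers, since a short-lived init container with NET_ADMIN is just as able to tamper with node networking.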

Lastly, IAM roles should be tightly scoped so that credentials are only valid for the specific tasks they are meant for. Giving broad permissions increases the damage if credentials are ever leaked. With the rise in attacks targeting Kubernetes environments, taking these steps is more important than ever.

These EKS flaws show that even small missteps in container security can lead to major problems. Users running workloads on Amazon EKS should review their configurations immediately to avoid becoming the next victim of cloud misconfiguration.

Stay alert, and keep your security measures updated!

Source: cybersecurity88