Severity
high

AWS EKS Logged ServiceAccount Tokens in Plaintext

Published Wed, Feb 26th, 2025

Summary

AWS EKS was logging ServiceAccount tokens in plaintext, including those used for AssumeRoleWithWebIdentity and connecting to the Kubernetes API server. This issue affected clusters between March 2020 and May 2021, potentially exposing sensitive credentials in CloudWatch logs.

Affected Services

EKS

Remediation

Add deny entries for the CloudWatch log groups of EKS clusters to all human roles in production, so that no individual can read them without secondary approval. Implement dual control for accessing these logs when access is necessary.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Sun, May 30th, 2021
Exploitability Period
Until 2021/05/30
Known ITW Exploitation
-
Detection Methods
Monitor CloudWatch logs for EKS clusters and search for JWT-like strings beginning with "eyJhb" (the base64 encoding of the usual opening of a JWT header, {"alg"). Implement logging restrictions and access controls on EKS audit logs.
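The detection above as runnable Python, added here as an example that is not part of this entry or any AWS tooling: it scans log lines for the three-segment JWT shape, keeps only matches whose first segment decodes to a JSON header with an "alg" field, and flags those whose claims identify a Kubernetes ServiceAccount token. The sample log lines, claim values and signature are constructed stand-ins, not real credentials.

```python
import base64
import json
import re


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (used to build sample tokens)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample entries standing in for EKS control-plane log lines in CloudWatch.
# The token below is hypothetical: a fake header, fake ServiceAccount claims, fake signature.
_HEADER = _b64url({"alg": "RS256", "kid": "example-kid"})
_SA_CLAIMS = _b64url({"iss": "kubernetes/serviceaccount",
                      "sub": "system:serviceaccount:kube-system:aws-node"})
SAMPLE_LOG_LINES = [
    "I0301 authenticator: Authorization: Bearer " + _HEADER + "." + _SA_CLAIMS + ".c2lnbmF0dXJl",
    "I0301 normal log line with no token",
    "I0301 eyJub3Rqc29u.abc.def looks like a JWT but the header is not JSON",
]

# Three base64url segments, first one starting with "eyJ" (base64 of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _decode_segment(seg: str):
    """Decode one base64url segment to JSON; return None when it is not valid JSON."""
    seg += "=" * (-len(seg) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(seg))
    except (ValueError, UnicodeDecodeError):
        return None


def find_leaked_tokens(lines):
    """Return (line_no, kind, redacted_prefix) for each JWT found in the given log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in JWT_RE.finditer(line):
            header, payload, _sig = m.group(0).split(".", 2)
            hdr = _decode_segment(header)
            if not isinstance(hdr, dict) or "alg" not in hdr:
                continue  # not a JWT header, skip the false positive
            claims = _decode_segment(payload) or {}
            is_sa = (claims.get("iss") == "kubernetes/serviceaccount"
                     or str(claims.get("sub", "")).startswith("system:serviceaccount:"))
            kind = "k8s-serviceaccount" if is_sa else "jwt"
            # Never re-log the full token; keep only a short prefix for triage.
            findings.append((n, kind, m.group(0)[:12] + "...[redacted]"))
    return findings
```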
Piercing Index Rating
-
Discovered by
-