Cado Security
How do you respond to a compromised EKS Container or Node?
If you’ve identified a potentially compromised container in EKS, there are two potential ways forward:
https://aws.amazon.com/blogs/security/how-to-use-new-amazon-guardduty-eks-protection-findings/
https://medium.com/@cloud_tips/guide-to-aws-guardduty-findings-in-eks-62babbd7da88
What are the container investigation data sources in AWS?

Amazon S3: EKS audit / control plane logs
● Shows: API-level calls (which principal called the Kubernetes API, for which resource, from which source IP)
● Usefulness: Medium
● Collected by: S3

Amazon EC2 hosting EKS/ECS: Docker container filesystems
● Normally an overlay2 layered (union) filesystem on the node
● Contains all the files from all the containers on that node
● Usefulness: High
● Collected by: EC2 EBS (API) or Cado Host (SSM/SSH)

Inside the container (EKS/ECS on Fargate/EC2): container filesystem
● Live filesystem as seen by the container, plus memory
● Contains only the files visible to that one container, not those of the other containers on the node
● Usefulness: Very High
● Collected by: Cado Host (ECS Exec/kubectl exec)
https://aws.amazon.com/blogs/security/how-to-investigate-and-take-action-on-security-issues-in-amazon-eks-clusters-with-amazon-detective-part-2/
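The first data source in the table, the EKS audit / control plane log, is the one a responder usually reaches first, because it answers "who did what to the cluster, from where" before any disk or memory is acquired. The script below is an added example, not code from the Cado Security page or the Cado Response platform: it reads audit.k8s.io/v1 Event records in the newline-delimited JSON form EKS sends to CloudWatch Logs and flags the API calls that matter when a container is suspected compromised (exec/attach/port-forward into pods, creation of privileged or host-namespace pods, and secret reads by anything other than a control-plane component), then groups the hits by principal and source IP. The five log lines, the usernames, pod names and IP addresses are constructed samples; the requestObject field on the pod-creation event is only present when the audit policy logs that resource at the RequestResponse level.

```python
"""Triage of EKS control-plane (Kubernetes) audit log events.

Added example; not part of the original Cado Security page. The log lines
below are constructed samples in the audit.k8s.io/v1 Event shape, with
made-up principals, pod names and IP addresses.
"""
import json
from collections import defaultdict

# Constructed sample events (not real logs): one JSON object per line.
# Event 2 is an exec into a pod from an external address (exec upgrades the
# connection, so a successful call logs HTTP 101). Event 3 is a workload
# service account creating a privileged pod with hostPID. Event 4 lists
# secrets in kube-system. Event 5 is a denied (403) secret read by a pod.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints","namespace":"default","name":"kubernetes"},"sourceIPs":["10.0.1.15"],"responseStatus":{"code":200},"stageTimestamp":"2023-05-04T10:00:01Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-7d9f"},"sourceIPs":["203.0.113.9"],"responseStatus":{"code":101},"stageTimestamp":"2023-05-04T10:02:11Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:prod:web"},"objectRef":{"resource":"pods","namespace":"prod","name":"dbg-x"},"sourceIPs":["10.0.1.22"],"requestObject":{"kind":"Pod","spec":{"hostPID":true,"containers":[{"name":"dbg","image":"alpine","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201},"stageTimestamp":"2023-05-04T10:03:40Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"sourceIPs":["203.0.113.9"],"responseStatus":{"code":200},"stageTimestamp":"2023-05-04T10:04:02Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:prod:web"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"sourceIPs":["10.0.1.22"],"responseStatus":{"code":403},"stageTimestamp":"2023-05-04T10:05:17Z"}
'''

# Pod subresources that give a principal a shell, a terminal or a tunnel.
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}


def parse_audit_log(text):
    """Parse newline-delimited audit Event JSON, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event":
            events.append(ev)
    return events


def _is_control_plane(username):
    """Built-in components (system:kube-scheduler, ...) but NOT service accounts."""
    return username.startswith("system:") and not username.startswith("system:serviceaccount:")


def _is_privileged_pod(request_object):
    """True if the submitted pod spec asks for host namespaces, hostPath or privileged."""
    spec = (request_object or {}).get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            return True
    return any("hostPath" in v for v in spec.get("volumes", []))


def classify_event(ev):
    """Return a short reason if the event deserves a responder's attention, else None."""
    ref = ev.get("objectRef", {})
    verb = ev.get("verb")
    user = ev.get("user", {}).get("username", "")
    resource, sub = ref.get("resource"), ref.get("subresource")
    if resource == "pods" and sub in INTERACTIVE_SUBRESOURCES:
        return f"interactive access to pod ({sub})"
    if resource == "pods" and verb == "create" and _is_privileged_pod(ev.get("requestObject")):
        return "privileged or host-namespace pod created"
    if resource == "secrets" and verb in {"get", "list"} and not _is_control_plane(user):
        return f"secret {verb} by non-control-plane principal"
    return None


def triage(events):
    """Turn raw events into findings; denied (401/403) attempts are kept, since a
    failed secret read from a pod is still evidence of post-compromise activity."""
    findings = []
    for ev in events:
        reason = classify_event(ev)
        if reason is None:
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        findings.append({
            "time": ev.get("stageTimestamp"),
            "user": ev.get("user", {}).get("username"),
            "source_ip": (ev.get("sourceIPs") or ["?"])[0],
            "namespace": ev.get("objectRef", {}).get("namespace"),
            "name": ev.get("objectRef", {}).get("name"),
            "reason": reason,
            "denied": code in (401, 403),
        })
    return findings


def summarize_by_principal(findings):
    """Per username: number of findings and the distinct source IPs they came from."""
    summary = defaultdict(lambda: {"events": 0, "source_ips": set()})
    for f in findings:
        summary[f["user"]]["events"] += 1
        summary[f["user"]]["source_ips"].add(f["source_ip"])
    return dict(summary)


if __name__ == "__main__":
    hits = triage(parse_audit_log(SAMPLE_AUDIT_LOG))
    for f in hits:
        flag = "DENIED " if f["denied"] else ""
        print(f"{f['time']} {f['user']} {f['source_ip']} {f['namespace']}/{f['name']}: {flag}{f['reason']}")
    for user, s in summarize_by_principal(hits).items():
        print(f"{user}: {s['events']} finding(s) from {sorted(s['source_ips'])}")
```

On the constructed input this yields four findings: the exec and the secret listing by kubernetes-admin from 203.0.113.9, the privileged pod created by the prod/web service account, and that same service account's denied secret read. The grouping by principal and source IP is what lets you pivot from the audit log to the other two data sources in the table: the pod named in the exec finding tells you which container to acquire with kubectl exec, and its node tells you which EC2 instance's EBS volume to snapshot.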
Cado Response: free 14-day trial. Receive unlimited access to the Cado Response Platform for 14 days.
www.cadosecurity.com/free-investigation/