Research Shows Risks of AWS Credential Exposure Through Overprivileged Containers in Amazon EKS

Recent security research has uncovered significant risks associated with misconfigured or overly privileged containers running in Amazon Elastic Kubernetes Service (EKS). These misconfigurations can expose sensitive AWS credentials, leading to potential privilege escalation, data breaches, and unauthorized access within cloud environments.

Overprivileged Containers

Kubernetes has become the backbone of modern cloud applications, enabling automation in deployment, scaling, and management of containerized workloads. Amazon EKS simplifies Kubernetes management, but misconfiguration—particularly granting containers excessive privileges—can introduce vulnerabilities.

Research by Trend Micro identified attack scenarios where attackers exploit these overprivileged containers to access AWS credentials in ways that could compromise entire cloud environments. Two primary techniques emerged:

  • Packet Sniffing: Attackers with containers configured with host network access can monitor unencrypted traffic on the node. Specifically, the Amazon EKS Pod Identity feature exposes an API on a local IP address (169.254.170.23) over HTTP, which transmits AWS credentials in plaintext. If a malicious actor’s container has hostNetwork: true, they can intercept these credentials using standard network tools like tcpdump, gaining access to temporary AWS credentials that can be used to escalate privileges.
  • API Spoofing: Containers with capabilities like CAP_NET_ADMIN can manipulate network interfaces. An attacker could disable the API endpoint used for credential retrieval, then deploy a rogue server to intercept or manipulate incoming requests. This allows theft of authorization tokens and credentials, enabling malicious actors to impersonate legitimate users or services.

The Amazon EKS Pod Identity feature simplifies permission management by exposing an API that pods use to retrieve temporary AWS credentials. However, this API operates over unencrypted HTTP on a local link, which is vulnerable if containers run with high privileges or are configured with hostNetwork: true.

In a typical attack, an attacker first gains control of a container that has host network access or network-manipulating capabilities, then either intercepts the unencrypted credentials or alters the node's network configuration to redirect credential requests to a malicious server. Either path leads to credential theft and privilege escalation within the environment.

Industry Response and Recommendations

These attack techniques have been reported to Amazon through the Trend Zero Day Initiative (ZDI) and are recorded as ZDI-CAN-26891. AWS responded that this behavior is expected on nodes and falls under the shared responsibility model: securing container configurations remains the customer's responsibility.

To mitigate these risks, you can take precautions such as:

  • Applying the principle of least privilege when configuring containers.
  • Avoiding running containers with hostNetwork: true unless absolutely necessary.
  • Limiting container capabilities, especially CAP_NET_RAW and CAP_NET_ADMIN.
  • Regularly auditing container settings and permissions.
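One way to audit pod manifests for the first three items above, as an added example (not Trend Micro's or AWS's code): it flags hostNetwork: true, privileged containers, and containers that add CAP_NET_ADMIN or keep CAP_NET_RAW. The two manifests are constructed; the risky one mirrors the configuration described in the research and the hardened one shows the least-privilege counterpart.

```python
"""Audit Kubernetes pod specs for the settings that enable EKS Pod Identity
credential sniffing or spoofing. Added example; sample manifests are constructed."""

RISKY_CAPS = {"NET_RAW", "NET_ADMIN"}  # sniffing (raw sockets) and interface manipulation

def _norm(caps: list[str]) -> set[str]:
    """Normalise 'CAP_NET_RAW' / 'net_raw' style names to 'NET_RAW'."""
    return {c.upper().removeprefix("CAP_") for c in caps}

def pod_findings(pod: dict) -> list[str]:
    """Return one finding string per risky setting in a pod manifest (dict form of YAML)."""
    findings = []
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod.get("spec", {})
    if spec.get("hostNetwork", False):
        findings.append(f"{name}: hostNetwork=true exposes node traffic, including the "
                        "169.254.170.23 credential endpoint, to the pod")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged=true grants every capability")
            continue
        caps = sc.get("capabilities") or {}
        added, dropped = _norm(caps.get("add", [])), _norm(caps.get("drop", []))
        for cap in sorted(added & RISKY_CAPS):
            findings.append(f"{name}/{c['name']}: adds CAP_{cap}")
        # Docker and containerd 1.x include NET_RAW in the default capability set, so a
        # container keeps it unless it drops NET_RAW or ALL, even with no explicit add.
        if "NET_RAW" not in added and not dropped & {"NET_RAW", "ALL"}:
            findings.append(f"{name}/{c['name']}: keeps CAP_NET_RAW from the runtime default set")
    return findings

# Constructed sample manifests: the risky shape from the research, and a hardened pod.
RISKY_POD = {
    "metadata": {"name": "sniffer", "namespace": "apps"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "app", "image": "example/app",
                             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]},
}
HARDENED_POD = {
    "metadata": {"name": "app", "namespace": "apps"},
    "spec": {"hostNetwork": False,
             "containers": [{"name": "app", "image": "example/app",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]},
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        for line in pod_findings(pod) or [f"{pod['metadata']['name']}: no findings"]:
            print(line)
```

The same function can be pointed at the output of `kubectl get pods -A -o json` (iterate over `items`) to audit a live cluster rather than the embedded samples.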

The Role of Security Tools

Tools like Trend Micro's Trend Vision One provide organizations with the ability to enforce policies that detect and block containers with excessive privileges. By configuring such tools to monitor container capabilities and network configurations, organizations can proactively reduce their attack surface and prevent credential exposure.

As cloud-native architectures grow more complex, so do the security challenges. This investigation underscores that misconfigured containers—particularly those with elevated privileges—pose significant risks to AWS credential security. Proper configuration, least privilege enforcement, and continuous monitoring are critical to safeguarding cloud environments from such exploits.

Read the full analysis in Trend Micro's official report.

