AWS’ EKS Kubernetes ‘Critical Security’ Flaw Exposes Credentials, Says Trend Micro
AWS said in a statement to CRN that it completed an investigation into the security flaw and determined that it ‘is not a security issue, but rather expected behavior that falls within the trust boundary of the node itself and is on the Customer Side of the Shared Responsibility Model.’
What Trend Micro describes as new critical security flaws in Amazon’s popular Elastic Kubernetes Service (EKS) can expose sensitive AWS credentials and enable privilege escalation that can lead to “malicious activity,” the company said in a cybersecurity research report.
“Misconfigured or overly privileged containers in Kubernetes environments can facilitate unauthorized access to sensitive AWS credentials, exposing the environment to privilege escalation and malicious activity,” said Trend Micro in its new report via the Trend Micro Zero Day Initiative program.
Trend Micro’s research said it identified “exploit scenarios involving overprivileged containers, including packet sniffing of unencrypted HTTP traffic to access plaintext credentials and API spoofing, which uses network settings to intercept Authorization tokens and gain elevated privileges.”
AWS disagrees with the report, treating the behavior as a customer configuration matter rather than a vulnerability.
In a statement to CRN, AWS said it completed an investigation into the security flaw and determined that it, “is not a security issue, but rather expected behavior that falls within the trust boundary of the node itself and is on the Customer Side of the Shared Responsibility Model.”
Amazon’s EKS aims to simplify Kubernetes clusters on AWS by automating the management of the Kubernetes control plane while integrating with AWS services for storage, networking and cybersecurity.
EKS Pod Identity Issue
Amazon EKS Pod Identity aims to simplify granting AWS credentials to pods running in an EKS cluster. It is an alternative to IAM Roles for Service Accounts (IRSA): an Identity and Access Management (IAM) role is associated with a Kubernetes service account, and pods that use that service account receive temporary credentials for the role, giving applications access to AWS resources such as S3 buckets or DynamoDB tables.
Under Pod Identity, credentials are issued per pod for that pod’s associated role, not one set per node. The Pod Identity Agent, which runs on every node, exposes an HTTP API on a link-local IP address (169.254.170.23); an application in a pod calls that endpoint, presenting its service account token in an Authorization header, and the agent assumes the role on the pod’s behalf and returns the credentials.
The security risks occur when containers are misconfigured or granted excessive privileges, Trend Micro’s report said.
“This presents a security risk since any pod with ‘hostNetwork: true’ settings can potentially monitor network traffic on the node, enabling the interception of any credentials being sent from the API endpoint,” said the Trend Micro report. “Since the AWS environment doesn't bind these credentials to a specific asset, malicious actors can use them to gain elevated privileges within the environment.”
Because the credentials are not bound to the pod that requested them, intercepted credentials can be replayed from elsewhere in the environment.
“The findings highlight critical security considerations when using Amazon EKS Pod Identity for simplifying AWS resource access in Kubernetes environments. Misconfigurations, particularly involving containers with excessive privileges, can expose AWS credentials and create significant risks, including privilege escalation and unauthorized actions within a cloud environment,” said the report.
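The following Python audit is added here as an illustration; it is not code from the Trend Micro report or from AWS. It walks pod manifests in the form returned by `kubectl get pods -A -o json` and flags the settings the report singles out: `hostNetwork: true` (outside an allowlist of namespaces such as kube-system, where the Pod Identity Agent and CNI DaemonSets legitimately use the host network), privileged containers, and added NET_RAW/NET_ADMIN capabilities. It also flags a container whose `AWS_CONTAINER_CREDENTIAL_FULL_URI` has been pointed away from the agent’s documented link-local endpoint, which would send the pod’s Authorization token somewhere other than the agent. The sample manifests are constructed for the example.

```python
"""Audit Kubernetes pod manifests for settings that let a pod observe or
impersonate the node-local EKS Pod Identity Agent.  Added example; the
sample manifests below are constructed, not taken from a real cluster."""
from typing import Any

# Documented link-local endpoint of the EKS Pod Identity Agent; the agent runs
# on every node and serves credentials over plain HTTP to local pods.
POD_IDENTITY_AGENT_URI = "http://169.254.170.23/v1/credentials"
# Environment variable the Pod Identity webhook injects so AWS SDKs know where
# to fetch credentials.
CRED_URI_ENV = "AWS_CONTAINER_CREDENTIAL_FULL_URI"
# Capabilities that allow raw sockets or interface/route manipulation.
SNIFF_CAPS = {"NET_RAW", "NET_ADMIN"}
# Namespaces where host-network DaemonSets (agent, CNI) are expected.
DEFAULT_HOST_NET_NS = frozenset({"kube-system"})


def audit_pod(pod: dict[str, Any],
              allowed_host_net_ns: frozenset[str] = DEFAULT_HOST_NET_NS) -> list[str]:
    """Return one finding string per risky setting in a single pod manifest."""
    findings: list[str] = []
    meta = pod.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ns = meta.get("namespace", "default")
    spec = pod.get("spec", {})

    # A pod in the host network namespace sees every packet the node sees,
    # including pod-to-agent credential traffic on the link-local address.
    if spec.get("hostNetwork") and ns not in allowed_host_net_ns:
        findings.append(f"{ns}/{name}: hostNetwork=true (can observe node traffic)")
    if spec.get("hostPID"):
        findings.append(f"{ns}/{name}: hostPID=true (can inspect node processes)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{ns}/{name}/{cname}: privileged container")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        if added & SNIFF_CAPS:
            findings.append(f"{ns}/{name}/{cname}: adds {sorted(added & SNIFF_CAPS)}")
        # A credential URI that is not the agent's address means the SDK will
        # send its Authorization token somewhere else.
        for env in c.get("env") or []:
            if env.get("name") == CRED_URI_ENV and env.get("value") != POD_IDENTITY_AGENT_URI:
                findings.append(f"{ns}/{name}/{cname}: {CRED_URI_ENV} points to {env.get('value')!r}")
    return findings


def audit_pods(pods: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map pod name -> findings, for pods that have at least one finding."""
    result: dict[str, list[str]] = {}
    for pod in pods:
        findings = audit_pod(pod)
        if findings:
            result[pod["metadata"]["name"]] = findings
    return result


# Constructed sample manifests (dict form of pod YAML), for the example only.
SAMPLE_PODS = [
    {   # The report's scenario: host network plus raw sockets in a user namespace.
        "metadata": {"name": "packet-sniffer", "namespace": "team-a"},
        "spec": {"hostNetwork": True, "containers": [{
            "name": "sniff", "image": "example/tcpdump",
            "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]},
    },
    {   # Credential endpoint redirected away from the agent.
        "metadata": {"name": "redirected-creds", "namespace": "team-a"},
        "spec": {"containers": [{
            "name": "app", "image": "example/app",
            "env": [{"name": CRED_URI_ENV, "value": "http://10.0.0.5/v1/credentials"}]}]},
    },
    {   # Hardened: own netns, all capabilities dropped, correct endpoint.
        "metadata": {"name": "hardened-app", "namespace": "team-a"},
        "spec": {"containers": [{
            "name": "app", "image": "example/app",
            "securityContext": {"runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}},
            "env": [{"name": CRED_URI_ENV, "value": POD_IDENTITY_AGENT_URI}]}]},
    },
    {   # Expected host-network DaemonSet pod in kube-system: not flagged.
        "metadata": {"name": "eks-pod-identity-agent-x1", "namespace": "kube-system"},
        "spec": {"hostNetwork": True, "containers": [{
            "name": "agent", "image": "example/agent"}]},
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_pods(SAMPLE_PODS), indent=2))
```

To run it against a live cluster, load `kubectl get pods -A -o json` with `json.load` and pass the `items` list to `audit_pods`. The same three settings (host network, privileged, added capabilities beyond the baseline set) are what the Kubernetes Pod Security Admission `baseline` level rejects, so enforcing that level on application namespaces removes the conditions the report relies on without a custom audit.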
AWS Response
It is the responsibility of the node or cluster operator to ensure that applications with elevated permissions are appropriately scoped, according to AWS.
“The ability for the node to assume pod identity roles is expected and aligns with the ‘trust boundary’ model, as outlined in the EKS pod security best practices and the shared responsibility documentation,” AWS said.
Kubernetes-based container platforms automate the deployment, scaling and operation of containerized applications, which makes them a common choice for microservices and other workloads.
“These vulnerabilities underscore the importance of adhering to the principle of least privilege, ensuring container configurations are scoped appropriately, and minimizing opportunities for exploitation by malicious actors,” Trend Micro concluded in its report.
