This lab simulates a Kubernetes RBAC misconfiguration within Amazon EKS and demonstrates how to detect, respond to, and document such incidents using AWS-native services. It aligns with key compliance frameworks such as NIST 800-53, CIS Controls v8, and ISO 27001.
- Overview
- Architecture
- Prerequisites
- Lab Components
- Deployment Instructions
- Validation Checklist
- Outputs
- GRC Framework Mapping
- Cleanup
- Troubleshooting
- References
## Overview

This lab covers:

- Simulating a privilege escalation scenario via a misconfigured `ClusterRoleBinding` in EKS.
- Detecting escalation via CloudTrail logs, Athena queries, and GuardDuty.
- Automating response using AWS EventBridge and Lambda.
- Documenting the event with a validation checklist and assessment worksheet.
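GuardDuty's EKS findings are derived from the cluster's control-plane audit log, and the detection side of this lab comes down to one question: did a successful write bind a privileged ClusterRole to a subject outside `kube-system`? The following Python is an added example, not one of the lab's own scripts; it applies that check to constructed Kubernetes audit-log records (the `dev-ops` namespace and binding names are sample values) so the logic can be tested offline before it is turned into an Athena query or a Lambda handler.

```python
import json

# Constructed sample records in the Kubernetes audit-log format that EKS
# control-plane audit logging emits; they are not from the lab repository.
SAMPLE_AUDIT_LINES = [
    # ClusterRoleBinding giving cluster-admin to the dev-ops default SA: escalation
    json.dumps({"verb": "create", "user": {"username": "kubernetes-admin"},
                "objectRef": {"resource": "clusterrolebindings", "name": "dev-ops-admin"},
                "responseStatus": {"code": 201}, "requestObject": {
                    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev-ops"}]}}),
    # RoleBinding to the built-in read-only 'view' ClusterRole: benign
    json.dumps({"verb": "create", "user": {"username": "kubernetes-admin"},
                "objectRef": {"resource": "rolebindings", "name": "readers", "namespace": "dev-ops"},
                "responseStatus": {"code": 201}, "requestObject": {
                    "roleRef": {"kind": "ClusterRole", "name": "view"},
                    "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "dev-ops"}]}}),
    # Rejected by the API server (403): an attempt worth alerting on, not a successful escalation
    json.dumps({"verb": "create", "user": {"username": "system:serviceaccount:dev-ops:default"},
                "objectRef": {"resource": "clusterrolebindings", "name": "sneaky"},
                "responseStatus": {"code": 403}, "requestObject": {
                    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                    "subjects": [{"kind": "Group", "name": "system:authenticated"}]}}),
]

PRIVILEGED_ROLES = {"cluster-admin"}   # add any organisation-specific admin ClusterRoles
BINDING_RESOURCES = {"clusterrolebindings", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch"}

def is_rbac_escalation(ev: dict) -> bool:
    """Successful write that binds a privileged ClusterRole to a subject outside
    kube-system (requestObject is logged only at audit level Request or higher)."""
    req = ev.get("requestObject") or {}
    ok = (ev.get("verb") in WRITE_VERBS
          and ev.get("objectRef", {}).get("resource") in BINDING_RESOURCES
          and ev.get("responseStatus", {}).get("code", 0) < 300   # 403 = denied attempt
          and req.get("roleRef", {}).get("name") in PRIVILEGED_ROLES)
    # Group/User subjects carry no namespace, so they also count as outside kube-system
    return ok and any(s.get("namespace") != "kube-system" for s in req.get("subjects", []))

def detect(lines):
    """Parse audit-log lines and return one finding dict per escalation event."""
    findings = []
    for ev in map(json.loads, lines):
        if is_rbac_escalation(ev):
            req = ev["requestObject"]
            findings.append({"binding": ev["objectRef"]["name"], "role": req["roleRef"]["name"],
                             "actor": ev["user"]["username"],
                             "subjects": [f"{s['kind']}:{s.get('namespace', '-')}/{s['name']}"
                                          for s in req["subjects"]]})
    return findings
```

Running `detect(SAMPLE_AUDIT_LINES)` returns a single finding for `dev-ops-admin`; the `view` binding and the denied attempt are filtered out, which is the same distinction the Athena query and GuardDuty finding should make.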
## Prerequisites

- AWS CLI and kubectl installed locally
- An active Amazon EKS cluster
- IAM permissions to deploy Lambda, EventBridge, GuardDuty, and Security Hub
- Athena and CloudTrail enabled
- CloudTrail logs sent to S3 and an Athena query database configured
- Git installed to clone this repository
## Lab Components

| Component | Purpose |
|---|---|
| `code/scripts/` | Athena SQL query, EventBridge rule, and Lambda remediation script |
| `manifests/` | Kubernetes RBAC misconfiguration and deployment manifests |
| `docs/` | Architecture diagram, validation checklist, assessment worksheet |
| `README.md` | Full documentation of the lab |
## Deployment Instructions

```bash
git clone https://github.com/Runc9/eks-privilege-escalation-response-lab.git
cd eks-privilege-escalation-response-lab
kubectl create namespace dev-ops
kubectl apply -f manifests/rbac-escalation.yaml
kubectl apply -f manifests/pod-deployment.yaml
```

- Run `athena-query.sql` (in `code/scripts/`) using the Athena Console or CLI to find RBAC escalation events.
- Confirm a GuardDuty finding is generated.
- Confirm the EventBridge rule triggers the Lambda response.
- Check Lambda execution logs in CloudWatch.
- Verify Security Hub aggregates the incident.
## Validation Checklist

Available in `docs/validation-checklist.md`. Covers:

- RBAC misconfig deployed and detected
- GuardDuty finding generated
- EventBridge rule triggered
- Lambda executed and Security Hub notified
## Outputs

| Output | Description |
|---|---|
| GuardDuty Finding | Shows RBAC escalation risk |
| Lambda Logs | Evidence of automatic response |
| Security Hub Finding | Aggregated GRC-aligned incident evidence |
| Athena Query Results | CloudTrail-based detection of privilege escalation |
## GRC Framework Mapping

| Framework | Control | Validation Method |
|---|---|---|
| NIST 800-53 | AC-6 (Least Privilege), IR-4 (Response) | Pod role analysis, Lambda |
| CIS Controls v8 | 4.8, 5.3, 8.7 | GuardDuty alerts, IAM constraints |
| ISO 27001 | A.9.4.1, A.12.4.1 | Log review and escalation handling |
## Cleanup

```bash
kubectl delete namespace dev-ops
```

Optional:

- Remove the EventBridge rule
- Disable the Lambda function
- Turn off Security Hub
- Delete the Athena query output
## Troubleshooting

| Issue | Fix |
|---|---|
| No GuardDuty findings | Ensure GuardDuty is enabled and EKS control plane logs are ingested |
| Lambda didn't trigger | Check the EventBridge rule and Lambda permissions |
| Security Hub didn't populate | Check the integration, or push findings manually via Lambda |
| Pod failed to start | Confirm the cluster role binding and service account |
Developed and maintained by Runc9
Built as part of a broader AWS Cloud Security GRC Engineering portfolio.