Mapping the Blast Radius: Visualize Attack Paths in AWS EKS with This New Go-Based Scanner
eks-security-scanner
A CLI tool to scan AWS EKS clusters for misconfigurations, over-permissive access, and common Kubernetes security risks. Built in Go for speed and simplicity.
eks-security-scanner helps visualize and assess potential attack paths within your Kubernetes cluster by constructing a threat graph. This graph-based approach supports basic threat modeling — helping you reason about lateral movement, privilege escalation, network exposure, and excessive trust relationships.
Features
- Threat modeling with service-account access graphs
- Privileged pod detection
- RBAC and IAM access audits
- Namespace-level scope filtering
- Output as ASCII or DOT format
- Extensible CLI built with Cobra
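To make the graph idea concrete, here is an added, self-contained Go example written for this page; it is not code from the eks-security-scanner project, whose internal node and edge model the README does not show. It builds a small threat graph from constructed pod, RoleBinding and IRSA data, finds the shortest attack path between two nodes with a breadth-first search, and renders the whole graph as DOT. The node naming scheme, the three sink nodes, the role ARN (with a placeholder account ID) and all sample objects are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Edge is a directed trust relationship; Graph keeps edges in insertion order.
type Edge struct{ From, To, Label string }
type Graph struct{ Edges []Edge }

func (g *Graph) Add(from, to, label string) { g.Edges = append(g.Edges, Edge{from, to, label}) }

// Path returns the shortest edge chain from src to dst (BFS), or nil if unreachable.
func (g *Graph) Path(src, dst string) []Edge {
	prev := map[string]Edge{src: {}} // visited set plus the edge that reached each node
	for queue := []string{src}; len(queue) > 0; queue = queue[1:] {
		if queue[0] == dst {
			var path []Edge
			for cur := dst; cur != src; cur = prev[cur].From {
				path = append([]Edge{prev[cur]}, path...)
			}
			return path
		}
		for _, e := range g.Edges {
			if _, ok := prev[e.To]; e.From == queue[0] && !ok {
				prev[e.To] = e
				queue = append(queue, e.To)
			}
		}
	}
	return nil
}

// DOT renders the graph in Graphviz format (the scanner's other output mode).
func (g *Graph) DOT() string {
	var b strings.Builder
	b.WriteString("digraph threat {\n")
	for _, e := range g.Edges {
		fmt.Fprintf(&b, "  %q -> %q [label=%q];\n", e.From, e.To, e.Label)
	}
	b.WriteString("}\n")
	return b.String()
}

// Minimal views of what the scanner reads (constructed here, not client-go types);
// RoleARN/Actions stand in for an IRSA annotation and the IAM policy attached to that role.
type (
	Pod     struct{ Namespace, Name, ServiceAccount string }
	Binding struct{ Namespace, ServiceAccount, Role string; Resources, Verbs []string }
	IRSA    struct{ Namespace, ServiceAccount, RoleARN string; Actions []string }
)

func has(list []string, want string) bool { // true on an exact match or the "*" wildcard
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// BuildGraph turns the objects into trust edges ending in two sensitive sinks:
// "secrets/<ns>" (secret read) and "aws-account" (an IAM role able to pivot via sts:AssumeRole).
func BuildGraph(pods []Pod, binds []Binding, irsa []IRSA) *Graph {
	g := &Graph{}
	for _, p := range pods {
		g.Add("pod/"+p.Namespace+"/"+p.Name, "sa/"+p.Namespace+"/"+p.ServiceAccount, "runs as")
	}
	for _, b := range binds {
		role := "role/" + b.Namespace + "/" + b.Role
		g.Add("sa/"+b.Namespace+"/"+b.ServiceAccount, role, "RoleBinding")
		if has(b.Resources, "secrets") && (has(b.Verbs, "get") || has(b.Verbs, "list")) {
			g.Add(role, "secrets/"+b.Namespace, "get/list secrets")
		}
	}
	for _, r := range irsa {
		iam := "iam/" + r.RoleARN
		g.Add("sa/"+r.Namespace+"/"+r.ServiceAccount, iam, "assumes via IRSA")
		if has(r.Actions, "sts:AssumeRole") {
			g.Add(iam, "aws-account", "sts:AssumeRole")
		}
	}
	return g
}

// SampleGraph is a constructed two-namespace cluster; the account ID in the ARN is a placeholder.
func SampleGraph() *Graph {
	return BuildGraph(
		[]Pod{{"prod", "web", "web"}, {"kube-system", "log-agent", "logger"}},
		[]Binding{
			{"prod", "web", "secret-reader", []string{"secrets"}, []string{"get", "list"}},
			{"kube-system", "logger", "node-admin", []string{"*"}, []string{"*"}},
		},
		[]IRSA{{"prod", "web", "arn:aws:iam::123456789012:role/web-app", []string{"s3:GetObject", "sts:AssumeRole"}}},
	)
}

func main() {
	g := SampleGraph()
	fmt.Println(g.Path("pod/prod/web", "aws-account")) // shortest pod-to-AWS pivot, as an ASCII list
	fmt.Print(g.DOT())                                  // pipe into `dot -Tsvg` to visualize
}
```

Two things the graph surfaces that a flat list of findings does not: the prod web pod reaches the AWS account in three hops (pod, service account, IRSA role, sts:AssumeRole), and the kube-system RoleBinding granting `*` on `*` reaches secrets/kube-system only because the wildcard check is applied to both resources and verbs. Real bindings also come through ClusterRoleBindings and aggregated ClusterRoles, which this toy model leaves out.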
Authentication Requirements
To use eks-scanner, you must have:
- Kubernetes credentials configured via ~/.kube/config or the KUBECONFIG environment variable, with access to your EKS cluster.
- AWS credentials configured via environment variables, a named profile, or the AWS CLI (~/.aws/credentials), with appropriate access to your AWS account.
This tool performs read-only scanning of your EKS environment. It does not make any modifications to your Kubernetes cluster or AWS resources.
Minimum required AWS IAM permissions (all read-only):
- eks:ListAccessEntries
- eks:DescribeAccessEntry
- eks:DescribeCluster
- iam:GetRole
- iam:ListAttachedRolePolicies
- iam:GetPolicy
- iam:GetPolicyVersion
Note that iam:ListAttachedRolePolicies, iam:GetPolicy and iam:GetPolicyVersion cover the managed policies attached to a role. Inline role policies are read through iam:ListRolePolicies and iam:GetRolePolicy, which are not in this list, so keep that in mind when interpreting the IAM side of an audit.
Your Kubernetes user or IAM role must have read access to common cluster resources, including:
- Pods
- Namespaces
- Services
- Endpoints
- RoleBindings
- ServiceAccounts
- ConfigMaps
- ResourceQuotas
- LimitRanges
Ensure your identity has sufficient permissions in both AWS and Kubernetes to retrieve this data.
Use
```text
Scan your EKS cluster for common security misconfigurations

Usage:
  eks-scanner [flags]
  eks-scanner [command]

Available Commands:
  audit       Scans EKS access entries and IAM permissions.
  completion  Generate the autocompletion script for the specified shell
  graph       Generate a threat graph of your EKS cluster in ASCII (default) or DOT format
  help        Help about any command
  namespace   Scan Kubernetes namespace(s) for security misconfigurations and over-permissive defaults
  privilege   Scans pods for privileged permissions or root access.

Flags:
  -a, --all                Run all checks
  -c, --cluster string     Name of the EKS cluster to scan (required)
  -f, --format string      Output format: ascii or dot (default "ascii")
  -h, --help               help for eks-scanner
  -n, --namespace string   Name of the namespace scan

Use "eks-scanner [command] --help" for more information about a command.
```
Download