MKAT: The Swiss Army Knife for Kubernetes Security Auditing

by ·

Managed Kubernetes Auditing Toolkit (MKAT)

MKAT is an all-in-one auditing toolkit for identifying common security issues within managed Kubernetes environments. It is focused on Amazon EKS at the moment, and will be extended to other managed Kubernetes environments in the future.

Kubernetes Auditing Toolkit

Features

Identify trust relationships between K8s service accounts and AWS IAM roles

MKAT can identify the trust relationships between K8s service accounts and AWS IAM roles, and display them in a table or as a graph. It currently supports:

  • IAM Roles for Service Accounts, a popular mechanism to allow pods to assume AWS IAM roles by exchanging a Kubernetes service account token for AWS credentials through the AWS STS API (AssumeRoleWithWebIdentity).

  • EKS Pod Identity, another newer mechanism that works in a similar way, but is easier to set up.

MKAT works by analyzing both the IAM roles in the AWS account, and the K8s service accounts in the cluster, and then matching them together based on these two mechanisms.

Find hardcoded AWS credentials in K8s resources

MKAT can identify hardcoded AWS credentials in K8s resources such as Pods, ConfigMaps, and Secrets. It has a low false positive rate, and only alerts you if it finds both an AWS access key ID and a secret access key in the same Kubernetes resource. It’s also able to work with unstructured data, i.e. if you have a ConfigMap with an embedded JSON or YAML document that contains AWS credentials.

Test if pods can access the AWS Instance Metadata Service (IMDS)

Pods accessing the EKS nodes Instance Metadata Service is a common and dangerous attack vector that can be used to escalate privileges. MKAT can test if pods can access the IMDS, both through IMDSv1 and IMDSv2.

It tests this by creating two temporary pods (one for IMDSv1, one for IMDSv2) that try to access the IMDS, and are then deleted.

Install

Copyright (C) 2024 DataDog

Tags: