Event Information

Meaning

  • The “Find AWS Credentials” event in a Kubernetes cluster indicates that a process or container within the cluster is attempting to search for AWS credentials.
  • This event is a potential security risk: it may indicate unauthorized access or an attempt to gain access to AWS resources.
  • To investigate this event, you can use kubectl to check the logs of the relevant pods or containers to identify the process or application responsible for the event. For example, you can use the following command: kubectl logs <pod_name>.

Remediation

  1. Create a Kubernetes Deployment manifest file to deploy a Python script that uses the Kubernetes API to find and delete any AWS credentials stored as Kubernetes secrets.

    • Use the kubectl create deployment command to create a Deployment manifest file.
    • Specify the image that contains the Python script and necessary dependencies.
    • Mount the necessary Kubernetes configuration file as a volume in the Deployment manifest file.
    • Use the kubectl apply -f <manifest_file> command to apply the Deployment.
  2. Create a Kubernetes Job manifest file to run the Python script as a one-time job to find and delete any AWS credentials stored as Kubernetes secrets.

    • Use the kubectl create job command to create a Job manifest file.
    • Specify the image that contains the Python script and necessary dependencies.
    • Mount the necessary Kubernetes configuration file as a volume in the Job manifest file.
    • Use the kubectl apply -f <manifest_file> command to apply the Job.
  3. Create a Kubernetes CronJob manifest file to schedule the Python script to run periodically and find and delete any AWS credentials stored as Kubernetes secrets.

    • Use the kubectl create cronjob command to create a CronJob manifest file.
    • Specify the image that contains the Python script and necessary dependencies.
    • Mount the necessary Kubernetes configuration file as a volume in the CronJob manifest file.
    • Configure the schedule for the CronJob to run periodically.
    • Use the kubectl apply -f <manifest_file> command to apply the CronJob.
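
The find step of the Python script described in the steps above, as an added example that is not from the original page: it scans the parsed output of kubectl get secrets -A -o json and reports which Secret keys look like AWS credentials, without printing the values. The function name, the regular expressions and the sample Secrets are assumptions made for this example; deletion is left as a separate step after the findings are reviewed.

```python
import base64
import json
import re
import sys

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Names used for AWS credentials in environment variables and credentials files.
CRED_NAME = re.compile(
    r"aws[_-]?(secret[_-]?)?access[_-]?key([_-]?id)?|aws[_-]?session[_-]?token", re.I)


def find_aws_credentials(secret_list):
    """Return sorted (namespace, secret, key, reason) tuples; values are never returned."""
    findings = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        for key, value in (item.get("data") or {}).items():
            try:  # Secret data values are base64-encoded
                text = base64.b64decode(value, validate=True).decode("utf-8", "replace")
            except (ValueError, TypeError):
                text = ""  # malformed value: the key name is still checked
            if ACCESS_KEY_ID.search(text):
                findings.append((ns, name, key, "access-key-id"))
            elif CRED_NAME.search(key) or CRED_NAME.search(text):
                findings.append((ns, name, key, "credential-key-name"))
    return sorted(findings)


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample input (AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key).
SAMPLE = {"items": [
    {"metadata": {"namespace": "payments", "name": "app-config"},
     "data": {"credentials": b64("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"),
              "log_level": b64("info")}},
    {"metadata": {"namespace": "ci", "name": "deploy-env"},
     "data": {"AWS_SECRET_ACCESS_KEY": b64("constructed-not-a-real-secret")}},
    {"metadata": {"namespace": "default", "name": "tls-cert"},
     "data": {"tls.crt": b64("-----BEGIN CERTIFICATE-----")}},
]}

if __name__ == "__main__":
    # Pipe `kubectl get secrets -A -o json` in, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, key, reason in find_aws_credentials(data):
        print(f"{ns}/{name} key={key} reason={reason}")
```
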