The EKS Hacking Playbook: Lessons From 3 Years of Cloud Security Research
2024-06-17, Breakout 1

Amazon Elastic Kubernetes Service (EKS) is one of the leading Kubernetes solutions in the cloud-managed space. Its flexibility, scalability, and integration with the AWS ecosystem have made it an industry standard. However, EKS is a two-headed beast. On one hand, it’s a full-fledged Kubernetes cluster, but on the other hand, it’s an AWS service. The combination of the two allows for seamless integration with other AWS services, but can also introduce unique security challenges. Simple but common misconfigurations can expose critical assets to external attackers.

Our experience in cloud security research, which includes critical findings affecting many of the world’s leading cloud providers and services, has led us to find common patterns of EKS security mistakes. We saw many large organizations apply similar misconfigurations across the board, ranging from network issues to unique RBAC issues. Drawing from this experience, we created a playbook for ourselves: what we look for, as security researchers, in a production EKS environment.

In this talk, we will walk the audience through common misconfigurations and mistakes prevalent in EKS setups. Each example will present the mistake from the engineer’s point of view, as well as the opposite point of view – how we exploited it as researchers. For each section, we will also present an example from one of our research engagements, to showcase how these kinds of misconfigurations can compromise a world-leading service's production environment.

Finally, we will showcase ways to hunt for and mitigate these issues in your own EKS environments, including remediation and detection techniques based on existing AWS utilities. By sharing these findings and methodologies, we hope to arm cloud engineers, as well as security and DevOps teams, with the tools and knowledge they need to secure their EKS environments.

Nir Ohfeld is a senior security researcher at Wiz. Ohfeld focuses on cloud-related security research and specializes in research and exploitation of cloud service providers, web applications, application security, and in finding vulnerabilities in complex high-level systems. Ohfeld and his colleagues disclosed some of the most notable cloud vulnerabilities, including ChaosDB and OMIGOD.

Hillai Ben-Sasson is a security researcher based in Israel. As part of the Wiz Research Team, Hillai specializes in research and exploitation of web applications, application security, and finding vulnerabilities in complex high-level systems.