High

Suspicious IMDS Access from Kubernetes Pod

Threat Detection
Description

Detects when a Kubernetes pod accesses the EC2 Instance Metadata Service (IMDS), typically at 169.254.169.254, which may indicate an attempt to retrieve IAM role credentials assigned to the underlying EC2 node. Attackers can exploit this to escalate privileges by assuming the node’s IAM role and gaining broader access to AWS resources.
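
A sketch of the check described above, added here as an illustration and not taken from the Lightlytics rule itself. The event schema, the sample records and the allowlist entry are constructed assumptions; the example also matches the IPv6 IMDS endpoint and marks requests to the IAM credentials path, which goes slightly beyond the description.

```python
import ipaddress
import json

# IMDS endpoints: the IPv4 link-local address named above and its IPv6 equivalent.
IMDS_ADDRS = {ipaddress.ip_address("169.254.169.254"),
              ipaddress.ip_address("fd00:ec2::254")}
# IMDS path under which the node's IAM role credentials are served.
CRED_PREFIX = "/latest/meta-data/iam/security-credentials"

# Constructed sample events; the schema (pod, namespace, dst_ip, method, path)
# is an assumption standing in for whatever your network sensor emits.
SAMPLE_EVENTS = """\
{"pod": "web-7d9f", "namespace": "shop", "dst_ip": "10.0.3.17", "method": "GET", "path": "/healthz"}
{"pod": "web-7d9f", "namespace": "shop", "dst_ip": "169.254.169.254", "method": "PUT", "path": "/latest/api/token"}
{"pod": "web-7d9f", "namespace": "shop", "dst_ip": "169.254.169.254", "method": "GET", "path": "/latest/meta-data/iam/security-credentials/"}
{"pod": "node-agent-x2k", "namespace": "kube-system", "dst_ip": "169.254.169.254", "method": "GET", "path": "/latest/meta-data/mac"}
{"pod": "batch-1", "namespace": "jobs", "dst_ip": "fd00:ec2:0:0:0:0:0:254", "method": "GET", "path": "/latest/meta-data/instance-id"}
not-json garbage line
"""

# Hypothetical allowlist of (namespace, pod-name prefix) pairs expected to use IMDS.
ALLOWED = {("kube-system", "node-agent-")}

def is_allowed(ns, pod):
    return any(ns == a_ns and pod.startswith(prefix) for a_ns, prefix in ALLOWED)

def detect(lines):
    """Return one finding per pod-to-IMDS request, skipping allowlisted pods."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
            dst = ipaddress.ip_address(ev["dst_ip"])  # normalises IPv6 spellings
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip rather than crash the pipeline
        if dst not in IMDS_ADDRS or is_allowed(ev.get("namespace", ""), ev.get("pod", "")):
            continue
        path = ev.get("path") or ""
        findings.append({"pod": ev.get("pod"), "namespace": ev.get("namespace"),
                         "path": path, "credential_path": path.startswith(CRED_PREFIX)})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Comparing parsed addresses rather than strings keeps alternate IPv6 spellings from slipping past the match.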

Remediation
Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.