AWS Security Kubernetes API Access


We have been receiving security alerts on our AWS Kubernetes clusters stood up by Qovery. The alert is

An API commonly used to discover resources in a Kubernetes cluster was invoked from an IP address on a custom threat list.

Default severity: Medium

Data source: Kubernetes audit logs

Full description:

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly used with the discovery stage of an attack wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack.

Remediation recommendations:

If the user reported in the finding under the kubernetesUserDetails section is system:anonymous, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in Security best practices for Amazon EKS in the Amazon EKS User Guide.

The specific alert shows the API being called by “system:anonymous”. Is the provided recommendation something Qovery and/or we can implement to prevent malicious actors from probing our infrastructure?
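The remediation text above boils down to two checks a defender can run before touching anything: does system:anonymous (the unauthenticated group) hold any RBAC binding in the cluster, and did the anonymous calls in the audit log actually succeed, or were they rejected with 401/403 (in which case RBAC already did its job and the remaining lever is network exposure of the API endpoint). The script below is an added example, not code from the original post or from Qovery; it assumes the input is the JSON output of kubectl get clusterrolebindings -o json and Kubernetes audit events in JSON-lines form (as shipped to the EKS audit log stream), and all sample data in it is constructed. The system:public-info-viewer binding it treats as expected is the upstream Kubernetes default that lets unauthenticated callers read /healthz, /livez, /readyz and /version.

```python
"""Triage helper for the anonymous-discovery finding: list RBAC bindings that
grant anything to system:anonymous / system:unauthenticated, and pick out the
anonymous API calls in the audit log that the API server did not reject.

Added example, not part of the original post or of Qovery's tooling.
Assumptions: bindings come from `kubectl get clusterrolebindings -o json`;
audit events are one JSON object per line. The sample data is constructed.
"""
import json

ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

# Upstream Kubernetes ships this binding so unauthenticated callers can read
# /healthz, /livez, /readyz and /version; it is expected and not a finding.
EXPECTED_DEFAULT_BINDINGS = {"system:public-info-viewer"}


def find_anonymous_bindings(bindings_doc: dict) -> list:
    """Return one record per ClusterRoleBinding subject that is the anonymous
    user or the unauthenticated group; 'expected' marks the known default."""
    hits = []
    for item in bindings_doc.get("items", []):
        name = item["metadata"]["name"]
        for subj in item.get("subjects") or []:
            if subj.get("name") in ANONYMOUS_SUBJECTS:
                hits.append({
                    "binding": name,
                    "role": item["roleRef"]["name"],
                    "subject": subj["name"],
                    "expected": name in EXPECTED_DEFAULT_BINDINGS,
                })
    return hits


def successful_anonymous_calls(audit_lines) -> list:
    """Parse audit events and return the requests made as system:anonymous
    that got an HTTP status below 400. A 401/403 means RBAC blocked the probe,
    so only the successful ones need a permissions review."""
    calls = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        if code >= 400:
            continue
        calls.append({
            "verb": ev.get("verb"),
            "uri": ev.get("requestURI"),
            "source_ip": (ev.get("sourceIPs") or ["?"])[0],
            "code": code,
        })
    return calls


# Constructed sample: one expected default binding, one stray binding that
# hands the discovery role to unauthenticated callers, one unrelated binding.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "debug-discovery"},  # constructed name
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
    ],
}

# Constructed audit events (TEST-NET source addresses): /version is allowed by
# the default binding, the namespace list was rejected, the /apis read got through.
SAMPLE_AUDIT = [json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "requestURI": "/version", "sourceIPs": ["203.0.113.5"],
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "requestURI": "/api/v1/namespaces", "sourceIPs": ["203.0.113.5"],
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "responseStatus": {"code": 403}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "requestURI": "/apis", "sourceIPs": ["203.0.113.9"],
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "responseStatus": {"code": 200}},
]]

if __name__ == "__main__":
    for b in find_anonymous_bindings(SAMPLE_BINDINGS):
        tag = "expected default" if b["expected"] else "REVIEW"
        print(f"[{tag}] binding={b['binding']} role={b['role']} subject={b['subject']}")
    for c in successful_anonymous_calls(SAMPLE_AUDIT):
        print(f"anonymous {c['verb']} {c['uri']} from {c['source_ip']} -> {c['code']}")
```

In practice you would feed the real documents in (for example `kubectl get clusterrolebindings -o json | python3 -c '...'` and the audit log export), then remove or edit any binding flagged REVIEW; the default system:public-info-viewer binding only exposes health and version endpoints. If every anonymous call in the log is already a 401/403, RBAC is not the problem and the finding is about the API endpoint being reachable from the internet, which is addressed by restricting the EKS endpoint's public access CIDRs or moving to a private endpoint, as the EKS best-practices guide referenced in the finding describes.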