AWS Security Kubernetes API Access

Hello,

We have been receiving security alerts on our AWS Kubernetes clusters stood up by Qovery. The alert is

Discovery:Kubernetes/MaliciousIPCaller
An API commonly used to discover resources in a Kubernetes cluster was invoked from an IP address on a custom threat list.

Default severity: Medium

Data source: Kubernetes audit logs

Full description:

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly used with the discovery stage of an attack wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack.

Remediation recommendations:

If the user reported in the finding under the kubernetesUserDetails section is system:anonymous, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in Security best practices for Amazon EKS in the Amazon EKS User Guide. https://aws.github.io/aws-eks-best-practices/security/docs/iam/#review-and-revoke-unnecessary-anonymous-access-to-your-eks-cluster

The specific alert shows the API being called by “system:anonymous”. Is the provided recommendation something Qovery and/or we can implement to prevent malicious actors from probing our infrastructure?
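The two things a responder usually wants here are to confirm from the cluster's own audit log which requests really ran as system:anonymous, and then to find and revoke any RBAC binding that grants something to system:anonymous or system:unauthenticated, which is what the quoted EKS recommendation asks for. The script below is an added example, not code from this thread or from Qovery. It parses constructed sample data in the shape of Kubernetes audit events and of `kubectl get clusterrolebindings,rolebindings -A -o json`; the IP addresses are TEST-NET addresses and the bindings `debug-anon-viewer` and `anon-read-pods` are hypothetical. `system:public-info-viewer` is the binding EKS creates by default to expose the health and version endpoints to unauthenticated callers.

```python
"""Triage a GuardDuty Kubernetes/MaliciousIPCaller finding for system:anonymous.

Added example (not from the Qovery thread). It
  1. lists discovery-style requests made as system:anonymous from audit events, and
  2. lists RBAC bindings that grant anything to anonymous / unauthenticated
     callers and builds the kubectl commands that revoke them.
All sample data below is constructed; names marked hypothetical do not exist on EKS.
"""
import json
import subprocess
from typing import Iterable

# Subjects that mean "anyone who can reach the API endpoint, no credentials".
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Binding EKS creates by default: /healthz, /livez, /readyz, /version for everyone.
DEFAULT_PUBLIC_BINDING = "system:public-info-viewer"
# Verbs typical of the discovery stage described in the finding.
DISCOVERY_VERBS = {"get", "list", "watch"}

# Constructed audit events (audit.k8s.io/v1, one JSON object per line).
SAMPLE_AUDIT_EVENTS = [
    '{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/version",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["203.0.113.9"],"responseStatus":{"code":200}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["203.0.113.9"],"responseStatus":{"code":403}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/apis",'
    '"user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["198.51.100.7"],"responseStatus":{"code":403}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods",'
    '"user":{"username":"kubernetes-admin","groups":["system:masters"]},'
    '"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200}}',
]

# Constructed `kubectl get clusterrolebindings,rolebindings -A -o json` output.
SAMPLE_BINDINGS = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": DEFAULT_PUBLIC_BINDING},
     "roleRef": {"kind": "ClusterRole", "name": DEFAULT_PUBLIC_BINDING},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-anon-viewer"},   # hypothetical
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "RoleBinding", "metadata": {"name": "anon-read-pods", "namespace": "default"},  # hypothetical
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]}


def anonymous_discovery(audit_lines: Iterable[str]) -> list[dict]:
    """Return discovery-verb requests made as system:anonymous, with source IP and status."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue
        if ev.get("verb") not in DISCOVERY_VERBS:
            continue
        hits.append({
            "ip": (ev.get("sourceIPs") or ["?"])[0],
            "verb": ev["verb"],
            "uri": ev.get("requestURI"),
            "code": ev.get("responseStatus", {}).get("code"),  # 403 = RBAC blocked it
        })
    return hits


def anonymous_grants(binding_list: dict) -> list[dict]:
    """Return bindings whose subjects include system:anonymous or system:unauthenticated."""
    findings = []
    for item in binding_list.get("items", []):
        matched = [f'{s.get("kind")}:{s.get("name")}' for s in item.get("subjects") or []
                   if (s.get("kind"), s.get("name")) in ANON_SUBJECTS]
        if not matched:
            continue
        meta = item["metadata"]
        findings.append({
            "kind": item["kind"], "name": meta["name"], "namespace": meta.get("namespace"),
            "role": f'{item["roleRef"]["kind"]}/{item["roleRef"]["name"]}',
            "subjects": matched, "eks_default": meta["name"] == DEFAULT_PUBLIC_BINDING,
        })
    return findings


def revoke_commands(findings: list[dict], remove_default: bool = False) -> list[str]:
    """kubectl commands that delete the offending bindings; the EKS default is kept unless asked."""
    cmds = []
    for f in findings:
        if f["eks_default"] and not remove_default:
            continue
        ns = f' -n {f["namespace"]}' if f["namespace"] else ""
        cmds.append(f'kubectl delete {f["kind"].lower()}{ns} {f["name"]}')
    return cmds


def live_bindings() -> dict:
    """Fetch real bindings from the current kubeconfig context (needs kubectl access)."""
    out = subprocess.run(["kubectl", "get", "clusterrolebindings,rolebindings", "-A", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    for h in anonymous_discovery(SAMPLE_AUDIT_EVENTS):
        print(f'{h["ip"]:>15}  {h["verb"]:<5} {h["uri"]:<25} -> {h["code"]}')
    found = anonymous_grants(SAMPLE_BINDINGS)
    for f in found:
        print(f'{f["kind"]} {f["name"]} grants {f["role"]} to {", ".join(f["subjects"])}')
    print("\n".join(revoke_commands(found)))
```

A 403 next to an anonymous discovery request means the probe was authenticated as nobody and then refused by RBAC, which is the normal outcome on an EKS cluster where only `system:public-info-viewer` exists; a 200 on anything other than the health and version endpoints is the case worth escalating. Deleting `system:public-info-viewer` is possible but removes unauthenticated access to those health endpoints, so check what relies on them before passing `remove_default=True`. None of this stops the scanning itself; that requires taking the API endpoint off the public internet, which is the private-endpoint change the reply below refers to.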

Hello @colin

Sorry for the lag here 🙂

Indeed, it looks like it's a bot scanning, nothing to worry about. You can use AWS tools to check whether this is indeed a fishy IP and eventually what happens, but it should be OK.
There is a double authentication on the K8s front.

It's part of our plan to make the k8s API private to avoid such scanning; no ETA yet, but it will land at some point.

Hope it helps,

Cheers
