Kubernetes Pod Exec Cloud Instance Metadata Access

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Kubernetes Pod Exec Cloud Instance Metadata Access

Detects Kubernetes pod exec sessions whose decoded command line references cloud instance metadata endpoints or equivalent hostnames and paths. Workloads that reach the link-local metadata IP, AWS IMDS paths, GCP computeMetadata, Azure IMDS token routes, or encoded variants are often attempting to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor boundary. That behavior is high risk in multi-tenant and regulated environments because it can expose short-lived cloud credentials to code running inside a container. The rule classifies a coarse cloud target label and whether the string looks like credential retrieval versus lighter reconnaissance.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Data Source: Kubernetes
Domain: Kubernetes
Domain: Cloud
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Execution
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Kubernetes Pod Exec Cloud Instance Metadata Access

This alert fires when an audited exec requestURI, after URL decoding and command reconstruction, matches patterns associated with instance metadata services across AWS, GCP, and Azure. Use it to catch interactive or scripted access from inside a pod to metadata surfaces that should usually be blocked by network policy or not needed by application code.

Possible investigation steps

Confirm the Kubernetes identity that performed exec: user name, groups, impersonation, source IP, and user agent.
Map the pod and namespace to a workload owner, image digest, and entrypoint; determine whether the container should ever call metadata endpoints.
Inspect Esql.cloud_target and Esql.is_credential_theft in the alert document and expand the timeline for the same identity for secret reads, IAM changes, or data egress.
Correlate with cloud audit logs on the node identity or instance profile for STS or token issuance around the event time.

False positive analysis

Break-glass debugging from platform engineers may include curl to 169.254.169.254; validate change tickets and bastion use.
Misconfigured agents or bootstrap scripts in bespoke images can touch metadata during startup; baseline approved images and tune exclusions narrowly.

Response and remediation

If unauthorized, terminate the session, isolate the workload, revoke or rotate instance and workload credentials that could have been read, and tighten RBAC on pods exec plus network policies that deny link-local metadata from pods.

Rule query

edit

FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
  AND Esql.executed_command RLIKE """.*(169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/api/token|/latest/meta-data|/latest/user-data|/latest/dynamic/instance-identity|computeMetadata/v1|metadata\.google\.internal|metadata/identity/oauth2/token|metadata/instance).*"""
| EVAL Esql.cloud_target = CASE(
    Esql.executed_command RLIKE """.*(169\.254\.169\.254|2852039166|0xa9fea9fe|/latest/meta-data|/latest/api/token|/latest/user-data|/latest/dynamic).*""", "AWS_IMDS",
    Esql.executed_command RLIKE """.*(computeMetadata/v1|metadata\.google\.internal).*""", "GCP_METADATA",
    Esql.executed_command RLIKE """.*metadata/identity/oauth2/token.*""", "AZURE_IMDS",
    "UNKNOWN"
  )
| EVAL Esql.is_credential_theft = CASE(
    Esql.executed_command RLIKE """.*(security-credentials|/api/token|oauth2/token|service-accounts/.*/token).*""", "yes",
    "recon"
  )
| KEEP *

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
Sub-technique:
- Name: Cloud Instance Metadata API
- ID: T1552.005
- Reference URL: https://attack.mitre.org/techniques/T1552/005/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Container Administration Command
- ID: T1609
- Reference URL: https://attack.mitre.org/techniques/T1609/

« Kubernetes Pod Creation Using Common Debug or Base Images Kubernetes Pod Exec Potential Reverse Shell »