PRODUCTS
ShadowPlex Advanced Threat Defense
Deception for early detection of cyber threats with precision and speed
ShadowPlex Identity Protection
Visibility of identity attack surface and comprehensive detection of identity threats
ShadowPlex Cloud Security
Multi-cloud Security Built on Enterprise-scale honeytokens
ShadowPlex Threat Intel
Targeted Threat Intel Providing Preemptive Cyber Security
ShadowPlex Preemptive Cybersecurity Platform
Comprehensive and Award-winning Distributed Deception Platform
What is Preemptive Cybersecurity?
Preemptive Cybersecurity detects and diverts attacks.
SOLUTIONS
Technology
Active Defense
Active Directory Protection
Cloud Detection and Response (CDR)
Early Threat Detection
Honeytokens for CrowdStrike
Identity Threat Detection & Response
Insider Threats
OT Security
Ransomware
Red Teaming
Threat Hunting
Zero Trust
SOLUTIONS
Industry
Healthcare
Financial Services
Public Sector
RESOURCES
Blog
Events
Cyber Deception Glossary
RESOURCE CENTER
Analyst Reports
Case Studies
Data Sheets
E-Books
Solution Briefs
Webinars
Whitepapers
COMPANY
About Acalvio
Leadership
Investors
Press Center
In The News
Why Preemptive Cybersecurity
Contact
PARTNERS
Strategic Partners
Technology Integrations
Partner Program
Become a Partner
Blog Threat Hunting Proactive EKS Security: Detecting Threats with Honeytokens
HarshaVardhan Barla
|
July 9, 2025

Proactive EKS Security: Detecting Threats with Honeytokens

LLMNR poisoning

Amazon EKS, a managed Kubernetes service, simplifies containerized application deployment, but it introduces unique security risks due to its deep AWS integration. Misconfigured resources like overly permissive roles, exposed ConfigMaps, or insecure service accounts can leak sensitive data and enable lateral movement. EKS clusters are high-value targets, often running production workloads with access to powerful IAM roles via IRSA. If compromised, attackers can pivot into broader AWS services like S3 or RDS, making EKS not just an entry point, but a critical target for exploitation.

For example, In August 2024, Eager Enigma Enterprises suffered a security breach where a production EKS cluster was breached through a command injection flaw in a public web app. The attacker gained container access, extracted AWS credentials from a misconfigured secret, and launched high-cost EC2 instances for crypto mining, leading to a full workload compromise. [1]

These attacks need to be actively monitored within the EKS environment. Common strategies include Kubernetes audit logs, which provide detailed visibility into API activity like get, list, or patch operations, though they require external tools that are not enabled by default. RBAC hardening and Pod Security Policies enforce the least privilege but are preventive in nature and can be complex to configure. Runtime threat detection tools such as Falco, GuardDuty, and Sysdig offer real-time insights into system behavior, but they can be noisy and resource-intensive. [2]

In contrast, honeytokens provide a lightweight and active detection layer. These are intentionally crafted fake AWS resources that are designed to trigger alerts upon interaction. Since legitimate workloads should never touch them, any access is a high-confidence indicator of compromise. Honeytokens integrate seamlessly into the AWS environment, turning the attacker’s reconnaissance and lateral movement into your early warning system, enabling faster detection before critical resources are compromised. The deceptions are made attractive for the attackers to perform exploitation.

AWS recommends the use of honeytokens as they behave like real resources but hold no real data or functionality. These honey tokens are completely isolated from production systems, ensuring that any interaction with them reveals malicious intent without risking real assets. They are cost effectiv,e and they can be monitored with AWS native loggers. [3]

These Honeytokens are instrumented to detect unauthorized access in real-time by monitoring for any interaction, such as reading or modifying them, without exposing actual resources. When a honeytoken is triggered, it serves as a high-confidence indicator of compromise, allowing immediate action to contain the threat and prevent further lateral movement within the environment.

While traditional EKS security measures like RBAC, audit logging, and runtime threat detection are essential, they often react after damage has begun. The honeytokens will shift this paradigm by offering an active, high-fidelity detection layer that triggers alerts the moment an attacker engages in reconnaissance. By strategically placing these honeytokens in the EKS environment, we can turn the passive infrastructure into an active defense system.

To learn more about this active defense for AWS EKS security, please read our white paper.

References:

  1. https://medium.com/@adammesser_51095/cloud-digital-forensics-and-incident-response-elastic-kubernetes-service-takeover-leads-to-9553c5424df5
  2. https://docs.aws.amazon.com/eks/latest/best-practices/auditing-and-logging.html
  3. https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources
Definitive Guide to Identity Protection
Get the E-Book
Gartner names Acalvio Tech Innovator
Learn More
Acalvio, the Ultimate Preemptive Cybersecurity Solution.
Schedule a Demo
Acalvio is the leader in autonomous cyber deception technologies, arming enterprises against sophisticated cyber threats including APTs, insider threats and ransomware. Its AI-powered Active Defense Platform, backed by 25 patents, enables advanced threat defense across IT, OT, and Cloud environments. Additionally, the Identity Threat Detection and Response (ITDR) solutions with Honeytokens enable Zero Trust security models. Based in Silicon Valley, Acalvio serves midsize to Fortune 500 companies and government agencies, offering flexible deployment from Cloud, on-premises, or through managed service providers.
© Acalvio Technologies, Inc. All rights reserved.