Amazon EKS Authenticator Logs

Cloud & SaaS, Authentication & Access, AWS, Amazon EKS, Kubernetes, Cloud Control Plane, SIEM / Log Aggregator

Location

CloudWatch Logs group /aws/eks/<cluster>/cluster, log type: authenticator

Description

Authenticator logs produced by Amazon EKS when enabled, showing how IAM principals were mapped into Kubernetes users and groups during cluster authentication decisions.

Forensic Value

Authenticator logs bridge the gap between AWS identities and Kubernetes RBAC by showing which IAM role, user, or federated identity actually authenticated to the cluster. They are critical for tracing abused workforce identities, workload roles, or external identities that successfully entered the cluster before performing administrative actions.

Tools Required

AWS Console, AWS CLI, CloudWatch Logs Insights

Collection Commands

AWS CLI

aws logs filter-log-events --log-group-name "/aws/eks/<cluster-name>/cluster" --filter-pattern '"authenticator"' --start-time 1709251200000 --end-time 1709856000000 > eks_authenticator_logs.json

CloudWatch Logs Insights

fields @timestamp, @message | filter @logStream like /authenticator/ | sort @timestamp desc | limit 200

Collection Constraints

  • Authenticator logs exist only when that log type was enabled for the cluster and retained in CloudWatch.
  • They map IAM identities into Kubernetes access decisions but do not show the full downstream workload behavior by themselves.
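The IAM-to-Kubernetes mapping described above can be summarized from the AWS CLI export. This is an added example, not part of the original page or any AWS tooling. It assumes the authenticator writes logfmt lines with msg, arn, username and groups fields, which is typical of aws-iam-authenticator output but is not shown on this page. The function names and the sample events are constructed for illustration.

```python
import json
import re
import sys
from collections import defaultdict

# key=value or key="quoted value" pairs (assumed logfmt layout of authenticator lines).
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_logfmt(message):
    """Return the key/value fields of one authenticator log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(message)}

def summarize(export):
    """Map each IAM ARN to the Kubernetes identities and outcomes it produced."""
    seen = defaultdict(lambda: {"usernames": set(), "groups": set(),
                                "granted": 0, "denied": 0})
    for event in export.get("events", []):
        f = parse_logfmt(event.get("message", ""))
        msg = f.get("msg")
        if "arn" not in f or msg not in ("access granted", "access denied"):
            continue  # not an authentication decision tied to an ARN
        entry = seen[f["arn"]]
        if msg == "access granted":
            entry["granted"] += 1
            entry["usernames"].add(f.get("username", ""))
            # groups is rendered like "[system:masters other-group]"
            entry["groups"].update(f.get("groups", "").strip("[]").split())
        else:
            entry["denied"] += 1
    return dict(seen)

def cluster_admins(summary):
    """ARNs that were mapped into system:masters at least once."""
    return sorted(a for a, e in summary.items() if "system:masters" in e["groups"])

# Constructed sample in the shape of `aws logs filter-log-events` output.
SAMPLE = {"events": [
    {"timestamp": 1709251200000, "message": 'time="2024-03-01T00:00:00Z" level=info msg="access granted" arn="arn:aws:iam::111122223333:role/ExampleAdmin" client="127.0.0.1:50000" groups="[system:masters]" method=POST path=/authenticate uid="aws-iam-authenticator:111122223333:AROAEXAMPLE" username=kubernetes-admin'},
    {"timestamp": 1709251260000, "message": 'time="2024-03-01T00:01:00Z" level=info msg="access granted" arn="arn:aws:iam::111122223333:role/ExampleDev" client="127.0.0.1:50001" groups="[dev viewers]" method=POST path=/authenticate username=dev-user'},
    {"timestamp": 1709251320000, "message": 'time="2024-03-01T00:02:00Z" level=warning msg="access denied" arn="arn:aws:iam::111122223333:user/unmapped" client="127.0.0.1:50002" error="ARN is not mapped" method=POST path=/authenticate'},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for arn, e in summarize(data).items():
        print(arn, sorted(e["usernames"]), sorted(e["groups"]), e["granted"], e["denied"])
```

Run it with the path to eks_authenticator_logs.json as the first argument to summarize a real export; with no argument it uses the constructed sample.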

MITRE ATT&CK Techniques

T1078.004, T1550.001, T1098