Kubernetes etcd Snapshot

Cloud & SaaS, Cloud Infrastructure, Kubernetes, Cloud Control Plane, Disk Image

Location

etcd data directory on control-plane nodes (/var/lib/etcd) or managed-equivalent snapshot (e.g., AKS etcd backup)

Description

Point-in-time snapshot of the etcd key-value store, which holds the full desired state and recent history of every Kubernetes object in the cluster: pods, services, secrets, RBAC policies, CRDs, and their metadata.

Forensic Value

An etcd snapshot captures the exact cluster state at a moment in time, including secrets and configurations an attacker may have modified. It is used for control-plane forensics where runtime objects have been altered or deleted, and as a point-in-time anchor for reconstructing what the attacker saw and touched.

Tools Required

etcdctl, cloud-provider backup tooling

Collection Commands

etcdctl

ETCDCTL_API=3 etcdctl snapshot save /tmp/etcd-snapshot.db --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key

etcdctl (inspect)

ETCDCTL_API=3 etcdctl snapshot status /tmp/etcd-snapshot.db --write-out=table

Collection Constraints

  • Managed clusters (EKS, GKE, AKS) do not provide direct etcd access; backup features vary per provider
  • etcd snapshot contains secrets in plaintext unless encryption-at-rest was configured; treat the snapshot as top-secret evidence
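Because the snapshot holds plaintext secrets and will be treated as evidence, a practitioner normally wraps the collection command above with an integrity record. The script below is an added example, not part of this entry or of etcdctl; it assumes the kubeadm certificate paths shown above, a Linux host with sha256sum, and snapshot paths without spaces.

```bash
#!/usr/bin/env bash
# Added example: collect an etcd snapshot and record its integrity in a manifest.
set -euo pipefail

# Assumed kubeadm defaults (from the collection command above); adjust per cluster.
ETCD_ENDPOINT=https://127.0.0.1:2379
ETCD_CA=/etc/kubernetes/pki/etcd/ca.crt
ETCD_CERT=/etc/kubernetes/pki/etcd/server.crt
ETCD_KEY=/etc/kubernetes/pki/etcd/server.key

# Take the snapshot and confirm etcdctl can read it back (status prints hash/keys/size).
collect_snapshot() {
  local out=$1
  ETCDCTL_API=3 etcdctl snapshot save "$out" --endpoints="$ETCD_ENDPOINT" \
    --cacert="$ETCD_CA" --cert="$ETCD_CERT" --key="$ETCD_KEY"
  ETCDCTL_API=3 etcdctl snapshot status "$out" --write-out=table
  chmod 600 "$out"   # plaintext secrets inside: owner-only from the first second
}

# Append "sha256 size utc-timestamp path" to the manifest and echo the hash.
record_evidence() {
  local snap=$1 manifest=$2 hash size ts
  hash=$(sha256sum "$snap" | awk '{print $1}')
  size=$(wc -c < "$snap" | tr -d ' ')
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '%s %s %s %s\n' "$hash" "$size" "$ts" "$snap" >> "$manifest"
  chmod 600 "$manifest"
  echo "$hash"
}

# Re-hash the file and compare with its latest manifest entry; non-zero on mismatch.
verify_evidence() {
  local snap=$1 manifest=$2 recorded current
  recorded=$(awk -v p="$snap" '$4 == p {h=$1} END {print h}' "$manifest")
  [ -n "$recorded" ] || { echo "no manifest entry for $snap" >&2; return 2; }
  current=$(sha256sum "$snap" | awk '{print $1}')
  [ "$recorded" = "$current" ]
}

# Only collect when explicitly asked, so the functions can be sourced safely.
if [ "${ETCD_COLLECT:-0}" = 1 ]; then
  snap=/tmp/etcd-snapshot.db
  collect_snapshot "$snap"
  record_evidence "$snap" /tmp/etcd-snapshot.manifest
fi
```

Run with `ETCD_COLLECT=1` on the control-plane node; re-run `verify_evidence` on the copy you analyse to show the snapshot is unchanged since collection.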

MITRE ATT&CK Techniques

T1552.007 (Container API), T1613 (Container and Resource Discovery)