# AWS EKS Cluster Created or Deleted

Identifies CloudTrail events in which an Amazon EKS cluster is created (`CreateCluster`) or deleted (`DeleteCluster`).

References:
* https://any-api.com/amazonaws_com/eks/docs/API_Description

False Positives:
* EKS cluster creation or deletion may be performed legitimately by a system administrator.
* Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
* EKS clusters created or deleted by unfamiliar users should be investigated. If known, legitimate behavior is causing false positives, it can be exempted from the rule.

## Detection Query
Execute the following query to find alerts related to this rule.

```
%ingest.source_type="aws:cloudtrail"
eventSource="eks.amazonaws.com"
eventName=(CreateCluster DeleteCluster)
| stats
min(@scnr.datetime) as firstTime,
max(@scnr.datetime) as lastTime,
count() as eventCount
by
userIdentity.arn,
eventSource,
eventName,
awsRegion
```
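The same filtering and aggregation as the query above, applied offline to raw CloudTrail records, as an added example that is not part of the original rule. The records are constructed samples (not real events), and the `exempt_arns` allowlist is a hypothetical way to implement the "known behavior can be exempted" note in the false-positives section.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real events); only the fields the
# rule uses are present, plus one EKS read and one non-EKS event as controls.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "CreateCluster", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DeleteCluster", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deployer"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DeleteCluster", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deployer"}},
    {"eventTime": "2024-05-01T12:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]
WATCHED = {"CreateCluster", "DeleteCluster"}

def eks_cluster_lifecycle_alerts(events, exempt_arns=()):
    """Reproduce the rule's stats clause: keep EKS CreateCluster/DeleteCluster
    events, group by principal ARN, eventSource, eventName and awsRegion, and
    report firstTime, lastTime and eventCount. exempt_arns is a hypothetical
    allowlist for known automation (the rule allows exempting known behavior)."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "eks.amazonaws.com":
            continue
        if ev.get("eventName") not in WATCHED:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        if arn in exempt_arns:
            continue
        key = (arn, ev["eventSource"], ev["eventName"], ev.get("awsRegion", ""))
        groups[key].append(ev["eventTime"])  # ISO-8601 UTC strings sort correctly
    alerts = []
    for (arn, src, name, region), times in sorted(groups.items()):
        alerts.append({"userIdentity.arn": arn, "eventSource": src,
                       "eventName": name, "awsRegion": region,
                       "firstTime": min(times), "lastTime": max(times),
                       "eventCount": len(times)})
    return alerts

if __name__ == "__main__":
    for alert in eks_cluster_lifecycle_alerts(SAMPLE_EVENTS):
        print(alert)
```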

## Investigation Steps
1. **Identify the Principal**: Who performed the action?
2. **Review Context**: What else did this principal do?
3. **Check Permissions**: Did the principal have legitimate reasons for this action?
4. **Verify Resource**: Is the resource critical or sensitive?

To review what else the principal did, substitute the principal's ARN from the alert for `<PRINCIPAL_ARN>` in the following query:

```
%ingest.source_type:aws:cloudtrail
userIdentity.arn: <PRINCIPAL_ARN>
| count(eventName) by eventName
```