Audit changes to the aws-auth ConfigMap
Monitor increases in 403 Forbidden and 401 Unauthorized response codes (already have Log Insights queries in the doc. Need to add timeframes)
Anonymous calls to the API server
Alert when there's an increase in 403 Forbidden responses, show attributes host, sourceIPs, and k8s_user.username
misconfigured RBAC policies, unusual API calls
401s: identify authentication issues (e.g., expired certificates or malformed tokens)
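
The checks listed above, run over Kubernetes audit events, as an added example that is not part of the original notes. It assumes raw audit.k8s.io/v1 JSON events (fields `user.username`, `sourceIPs`, `responseStatus.code`, `objectRef`); the sample events, the `analyze` function and its thresholds are constructed for illustration.

```python
import json
from collections import Counter

WRITE_VERBS = {"create", "update", "patch", "delete"}

def _event(user, verb, code, ip, uri, ref=None):
    """Build one constructed audit event (audit.k8s.io/v1 field names)."""
    return json.dumps({"user": {"username": user}, "verb": verb,
                       "responseStatus": {"code": code}, "sourceIPs": [ip],
                       "requestURI": uri, "objectRef": ref or {}})

AWS_AUTH = {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"}
# Constructed sample input, not real logs (documentation IP ranges).
SAMPLE_EVENTS = [
    _event("kubernetes-admin", "patch", 200, "192.0.2.5",
           "/api/v1/namespaces/kube-system/configmaps/aws-auth", AWS_AUTH),
    _event("system:anonymous", "get", 403, "198.51.100.7", "/api/v1/pods"),
    _event("dev-user", "list", 403, "203.0.113.10", "/api/v1/secrets"),
    _event("dev-user", "list", 403, "203.0.113.10", "/api/v1/secrets"),
    _event("dev-user", "get", 403, "203.0.113.10", "/api/v1/nodes"),
    _event("", "get", 401, "198.51.100.7", "/api"),
    "not json",  # malformed line, skipped
]

def analyze(lines, baseline_403=1, factor=3):
    """Apply the listed checks; baseline_403 and factor are assumed thresholds."""
    out = {"aws_auth_changes": [], "anonymous": [],
           "denied_403": Counter(), "unauth_401": Counter()}
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        user = ev.get("user", {}).get("username", "")
        ips = tuple(ev.get("sourceIPs", []))
        code = ev.get("responseStatus", {}).get("code")
        ref = ev.get("objectRef") or {}
        if ev.get("verb") in WRITE_VERBS and all(ref.get(k) == v for k, v in AWS_AUTH.items()):
            out["aws_auth_changes"].append((user, ev["verb"], ips))
        if user == "system:anonymous":
            out["anonymous"].append((ev.get("requestURI"), ips))
        if code == 403:
            out["denied_403"][(user, ips)] += 1  # who is denied, and from where
        elif code == 401:
            out["unauth_401"][ips] += 1  # no trusted identity on a 401, key by source
    # "Increase": 403s in this window reach factor x the previous window's count.
    out["alert_403"] = sum(out["denied_403"].values()) >= baseline_403 * factor
    return out

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```
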