etcd Snapshot Exposure

etcd-snapshot-exposure

Attacker accesses etcd snapshots or backups which contain complete cluster state including all secrets, ConfigMaps, service account tokens, and RBAC configurations

Information Disclosure

MITRE ATT&CK techniques

ID	Name	Tactic
T1530	Data from Cloud Storage Object	Collection
T1552	Unsecured Credentials	Credential Access

Common Weakness Enumeration

CWE-200
CWE-522

Mitigating controls

ctrl-etcdsnap-1: Encrypt etcd snapshots at rest using strong encryption
ctrl-etcdsnap-2: Store snapshots in access-controlled storage with audit logging
ctrl-etcdsnap-3: Implement backup retention policies and secure deletion
ctrl-etcdsnap-4: Use separate credentials for backup operations with minimal permissions
ctrl-etcdsnap-5: Monitor access to snapshot storage locations

References

https://etcd.io/docs/v3.5/op-guide/recovery/
https://www.cisecurity.org/benchmark/kubernetes