drop eks control-plane audit log · parse api events
flags impersonated calls · anonymous auth · kube-system secret access · timeline + actor rollup
heuristic screener · client/export format varies by cluster version — not definitive proof