Ensure that AWS EKS Cluster control plane logging is enabled
Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. You can select the exact log types you need, and logs are sent as log streams to a group for each Amazon EKS cluster in CloudWatch.
Risk Level: Low
Cloud Entity: EKS Cluster
CloudGuard Rule ID: D9.AWS.LOG.18
Category: Compute
GSL LOGIC
EksCluster should have logging.clusterLogging with [ enabled=true ]
REMEDIATION
From Portal
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon EKS console.
- To display your cluster information, select the cluster's name.
- Navigate to Logging and click Update.
- For each individual log type (api, audit, authenticator, controllerManager, scheduler), select whether it should be Enabled.
- Click Update.
From TF
# var.cluster_name, var.subnet_ids, var.kms_key_arn and aws_iam_role.example are assumed to be declared elsewhere in the configuration.
resource "aws_eks_cluster" "example" {
  name     = var.cluster_name
  role_arn = aws_iam_role.example.arn

  vpc_config {
    endpoint_public_access = false
    subnet_ids             = var.subnet_ids
  }

  tags = {
    pike = "permissions"
  }

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = var.kms_key_arn
    }
  }

  # Control plane log types shipped to CloudWatch Logs; all five are enabled here.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}
From Command Line
Use the following command to enable control plane logs with the AWS CLI:
aws eks update-cluster-config --region REGION_NAME --name CLUSTER_NAME --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
Note: the --logging parameter defines which control plane log types are enabled for the cluster; the command above enables all five. For more information, see the References section.
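To show what the GSL line above evaluates and what the CLI command needs, here is an added Python example (not CloudGuard's or AWS's code) that reads the JSON shape returned by aws eks describe-cluster, reports which control plane log types are enabled, and builds the --logging argument for aws eks update-cluster-config for whatever is still off. The sample response and the function names are my own. It goes a step beyond the rule: as I read the GSL, the check passes as soon as any clusterLogging entry has enabled=true, so missing_log_types() gives the stricter per-type view a reviewer would want.

```python
"""Evaluate EKS control plane logging the way the CloudGuard GSL rule does
(logging.clusterLogging with [ enabled=true ]) and build the --logging value
for `aws eks update-cluster-config` for any log types still disabled.

Added example, not CloudGuard's or AWS's code. The input shape is the JSON
that `aws eks describe-cluster` returns; the sample below is constructed.
"""
import json

# The five control plane log types EKS can ship to CloudWatch Logs.
ALL_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Constructed sample: a describe-cluster response for a cluster where only
# "api" and "audit" are enabled. EKS groups enabled and disabled types into
# separate clusterLogging entries, as shown here.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "example",
        "logging": {
            "clusterLogging": [
                {"types": ["api", "audit"], "enabled": True},
                {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
            ]
        },
    }
})


def enabled_log_types(describe_cluster_json):
    """Return the set of control plane log types that are enabled."""
    cluster = json.loads(describe_cluster_json).get("cluster", {})
    entries = cluster.get("logging", {}).get("clusterLogging", [])
    enabled = set()
    for entry in entries:
        if entry.get("enabled") is True:
            enabled.update(entry.get("types", []))
    return enabled


def is_compliant(describe_cluster_json):
    """Mirror the GSL rule: at least one clusterLogging entry has enabled=true.

    This passes as soon as any single log type is on; use missing_log_types()
    for the stricter check that all five types are enabled.
    """
    return bool(enabled_log_types(describe_cluster_json))


def missing_log_types(describe_cluster_json):
    """Return the log types (in EKS's canonical order) that are not enabled."""
    enabled = enabled_log_types(describe_cluster_json)
    return [t for t in ALL_LOG_TYPES if t not in enabled]


def update_logging_argument(types_to_enable):
    """Build the JSON value for `aws eks update-cluster-config --logging`."""
    payload = {"clusterLogging": [{"types": list(types_to_enable), "enabled": True}]}
    return json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    missing = missing_log_types(SAMPLE_DESCRIBE_CLUSTER)
    print("GSL rule passes:", is_compliant(SAMPLE_DESCRIBE_CLUSTER))
    print("disabled log types:", missing)
    if missing:
        print("aws eks update-cluster-config --region REGION_NAME --name CLUSTER_NAME "
              "--logging '%s'" % update_logging_argument(ALL_LOG_TYPES))
```

In practice the describe-cluster JSON comes from `aws eks describe-cluster --name CLUSTER_NAME --output json`; the generated --logging value re-enables all five types rather than only the missing ones, which is idempotent and keeps the command simple.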
References
- https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/update-cluster-config.html
EKS Cluster
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5