Skip to main content

lacework-global-315

2.1.1 Enable audit Logs (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 1

Description

Control plane logs provide visibility into operation of the EKS Control plane component systems. The API server audit logs record all accepted and rejected requests in the cluster. When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch Log Group for persistence.

Rationale

Audit logs enable visibility into all API server requests from authentic and anonymous sources. Stored log data can be analysed manually or with tools to identify and understand anomalous or negative activity and lead to intelligent remediations.

Impact

Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes. S3 lifecycle features can be used to manage the accumulation and management of logs over time.

See the following AWS resource for more information on these features: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

Audit

From Console:

  1. For each EKS Cluster in each region;
  2. Go to 'Amazon EKS' > 'Clusters' > 'CLUSTER_NAME' > 'Configuration' > 'Logging'.
  3. This will show the control plane logging configuration:
API server: Enabled / Disabled 
Audit: Enabled / Disabled
Authenticator: Enabled / Disabled
Controller manager: Enabled / Disabled
Scheduler: Enabled / Disabled
  1. Ensure that all options are set to 'Enabled'.

From CLI:

# For each EKS Cluster in each region;
aws eks describe-cluster --name '${CLUSTER_NAME}' --query 'cluster.logging.clusterLogging' --region '${REGION_CODE}'

Remediation

From Console:

  1. For each EKS Cluster in 'Amazon EKS' > 'Clusters' in each region;

  2. Go to 'Configuration' > 'Logging'.

  3. Click 'Manage logging'.

  4. Ensure that all options (API server, Audit, Authenticator, Controller manager, Scheduler) are toggled to 'Enabled'.

    API server: Enabled
    Audit: Enabled
    Authenticator: Enabled
    Controller manager: Enabled
    Scheduler: Enabled
  5. Click 'Save Changes'.

From CLI: For each EKS Cluster in each region:

aws eks update-cluster-config \
--region '${REGION_CODE}' \
--name '${CLUSTER_NAME}' \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

References

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
https://aws.github.io/aws-eks-best-practices/detective/
https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
https://docs.aws.amazon.com/eks/latest/userguide/logging-using-cloudtrail.html