Skip to main content


2.1.1 Enable audit Logs (Automated)


This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 1


Control plane logs provide visibility into operation of the EKS Control plane component systems. The API server audit logs record all accepted and rejected requests in the cluster. When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch Log Group for persistence.


Audit logs enable visibility into all API server requests from authentic and anonymous sources. Stored log data can be analysed manually or with tools to identify and understand anomalous or negative activity and lead to intelligent remediations.


Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes. S3 lifecycle features can be used to manage the accumulation and management of logs over time.

See the following AWS resource for more information on these features:


From Console:

  1. For each EKS Cluster in each region;
  2. Go to 'Amazon EKS' > 'Clusters' > 'CLUSTER_NAME' > 'Configuration' > 'Logging'.
  3. This will show the control plane logging configuration:
API server: Enabled / Disabled 
Audit: Enabled / Disabled
Authenticator: Enabled / Disabled
Controller manager: Enabled / Disabled
Scheduler: Enabled / Disabled
  1. Ensure that all options are set to 'Enabled'.

From CLI:

# For each EKS Cluster in each region;
aws eks describe-cluster --name '${CLUSTER_NAME}' --query 'cluster.logging.clusterLogging' --region '${REGION_CODE}'


From Console:

  1. For each EKS Cluster in 'Amazon EKS' > 'Clusters' in each region;

  2. Go to 'Configuration' > 'Logging'.

  3. Click 'Manage logging'.

  4. Ensure that all options (API server, Audit, Authenticator, Controller manager, Scheduler) are toggled to 'Enabled'.

    API server: Enabled
    Audit: Enabled
    Authenticator: Enabled
    Controller manager: Enabled
    Scheduler: Enabled
  5. Click 'Save Changes'.

From CLI: For each EKS Cluster in each region:

aws eks update-cluster-config \
--region '${REGION_CODE}' \
--name '${CLUSTER_NAME}' \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'