lacework-global-315
Enable audit Logs (Automated)
This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
Control plane logs provide visibility into operation of the Elastic Kubernetes Service (EKS) Control plane component systems. The API server audit logs record all accepted and rejected requests in the cluster. Enabling via EKS Configuration exports the control plane logs for a cluster to a CloudWatch Log Group for persistence.
Rationale
Audit logs enable visibility into all API server requests from authentic and anonymous sources. Stored log data can be analysed manually or with tools to identify and understand anomalous or negative activity and lead to intelligent remediations.
Impact
Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes. S3 lifecycle features can be used to manage the accumulation and management of logs over time.
See the following AWS resource for more information on these features: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
Audit
From Console:
- For each EKS Cluster in each region;
- Go to 'Amazon EKS' > 'Clusters' > 'CLUSTER_NAME' > 'Configuration' > 'Logging'.
- This will show the control plane logging configuration:
API server: Enabled / Disabled
Audit: Enabled / Disabled
Authenticator: Enabled / Disabled
Controller manager: Enabled / Disabled
Scheduler: Enabled / Disabled
- Ensure that all options are set to 'Enabled'.
From CLI:
# For each EKS Cluster in each region;
aws eks describe-cluster --name '${CLUSTER_NAME}' --query 'cluster.logging.clusterLogging' --region '${REGION_CODE}'
Remediation
From Console:
- For each EKS Cluster in 'Amazon EKS' > 'Clusters' in each region:
- Go to 'Configuration' > 'Logging'.
- Click 'Manage logging'.
- Toggle all options (API server, Audit, Authenticator, Controller manager, Scheduler) to 'Enabled'.
- Click 'Save Changes'.
From CLI: For each EKS Cluster in each region:
aws eks update-cluster-config \
--region '${REGION_CODE}' \
--name '${cluster_name}' \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
References
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
https://aws.github.io/aws-eks-best-practices/detective/
https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
https://docs.aws.amazon.com/eks/latest/userguide/logging-using-cloudtrail.html