Skip to main content

EKS Audit Log Integration Using CloudFormation

Overview

Configuring Kubernetes runtime security monitoring on Lacework involves the following steps:

  • Step 1: Create an integration in the Lacework Console and run the CloudFormation template file, which allows Lacework to track audit logs.
  • Step 2: Instrument each EKS cluster for the EKS integration created. Run the CloudFormation subscription filter template file to set up your resources to send logs from EKS log groups to Lacework.

Step 1 Overview

Creating an integration allows Lacework to track audit logs from all EKS clusters that belong to your AWS account. If you have multiple AWS accounts, you must add multiple EKS audit log integrations in Lacework, one for each AWS account you have.

You can run or obtain the CloudFormation template file from the Lacework Console. You can also download the template file using the API. For more information, go to Download EKS Audit CloudFormation Template File.

Running the CloudFormation template accomplishes the following:

  • Creates a Kinesis Data Firehose.
    • Firehose delivery role with permissions to post to the S3 bucket.
    • Sets the S3 destination.
  • Creates an S3 bucket.
  • Creates an SNS topic.
  • Creates a cross-account IAM role with permissions that Lacework assumes to make API calls.
  • Updates the SNS policy to allow sending notifications to the Lacework SQS queue and to allow the Lacework AWS account to subscribe.
  • Creates a subscription to the provided SNS topic and validates that there are no access issues when reading from the S3 bucket.
note
  • Multiple EKS clusters can belong to a single Lacework EKS audit log integration.
  • One SNS subscription is created for each EKS audit log integration (for example, for each AWS account).

If you have EKS clusters in multiple AWS regions, Lacework recommends creating multiple EKS audit log integrations, one for each AWS account per region.

Step 2 Overview

Instrumenting EKS clusters creates and sets up the EKS clusters as well as any other AWS resources required to ingest the logs from the EKS log groups to Lacework. You must also enable audit logging for the EKS cluster in the AWS account.

Lacework provides a CloudFormation subscription filter template file as a simple way to instrument EKS clusters. You can run or obtain the template file from the Lacework Console. You can also download the file using the API (Download EKS Audit CloudFormation Subscription Filter Template File).

The CloudFormation template creates a subscription filter on the EKS cluster’s CloudWatch log group that includes the following:

  • CloudWatch role with permissions to post to Kinesis Firehose.
  • Filter pattern for audit logs:
    "{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }"
    All of the specified requestURI that match are sent to the EKS service.

Prerequisites

  • Ensure that you are deploying the integration to a supported AWS region.

  • Enable audit logging on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

    aws eks --region <region> update-cluster-config --name <cluster_name> \
    --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

Create an Integration in the Lacework Console

Completing the steps in this section runs the first of two CloudFormation templates. You will run the second when you instrument EKS clusters.

To create the integration, you can either Run the CloudFormation template or Download the CloudFormation template. If you have multiple accounts with distributed ownership, you may want to use the Download option.

Follow the steps for your chosen option.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Select EKS Audit Log.
  7. Click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page.
  8. Review the Create stack page and click Next. The template populates the Amazon S3 URL for you.
  9. Review the Specify stack details page and click Next. The template populates ResourceNamePrefix.
  10. On the Configure stack options page, click Next.
  11. Verify the information on the Review page and click Submit.

Instrument EKS Clusters

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate. The CloudFormation template does not currently support this action.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

Completing the steps in this section instruments each EKS cluster in the EKS integration you just created by running the second of two CloudFormation templates. You ran the first when you created the integration.

To instrument EKS clusters, you can either Run the CloudFormation template or Download the CloudFormation template. If you have multiple accounts with distributed ownership, you may want to use the Download option.

Follow the steps for your chosen option.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page.
  4. Review the Create stack page and click Next. The template populates theAmazon S3 URL for you.
  5. On the Specify stack details page, provide the EKSClusterName. The template populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  6. On the Configure stack options page, click Next.
  7. Verify the information on the Review page and click Submit.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify SNS notifications for the creation of S3 objects:

  • Create an email subscription on the SNS topic and ensure you confirm the subscription by clicking the link sent to your inbox. Every time a log is written, you should receive an email with the key details.
  • Logs are created every 5 minutes.