Profile applicability: Level 1 - Cluster / Control Plane
Control plane logs provide visibility into operation of the EKS Control plane component systems. The API server audit logs record all accepted and rejected requests in the cluster. When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch Log Group for persistence.
Audit logs enable visibility into all API server requests from authentic and anonymous sources. Stored log data can be analyzed manually or with tools to identify and understand anomalous or negative activity and lead to intelligent remediations.
Note
Control Plane Logging is disabled by default.
API server: Disabled
Audit: Disabled
Authenticator: Disabled
Controller manager: Disabled
Scheduler: Disabled

Impact

Enabling control plane logs, including API server audit logs for Amazon EKS clusters, significantly strengthens our security posture by providing detailed visibility into all API requests, thereby reducing our attack surface.
By exporting these logs to a CloudWatch Log Group, we ensure persistent storage and facilitate both manual and automated analysis to quickly identify and remediate anomalous activities.
While this configuration might slightly impact usability or performance due to the overhead of logging, the enhanced security and compliance benefits far outweigh these drawbacks, making it a critical component of our security strategy.

Audit

From Console:
  1. For each EKS Cluster in each region.
  2. Go to Amazon EKS > Clusters > CLUSTER_NAME > Configuration > Logging.
  3. This will show the control plane logging configuration:
    API server: Enabled / Disabled
    Audit: Enabled / Disabled
    Authenticator: Enabled / Disabled
    Controller manager: Enabled / Disabled
    Scheduler: Enabled / Disabled
  4. Ensure that all options are set to Enabled.
From CLI:
# For each EKS Cluster in each region; 
export CLUSTER_NAME=<your cluster name>
export REGION_CODE=<your region_code>
aws eks describe-cluster --name ${CLUSTER_NAME} --region ${REGION_CODE} --query 'cluster.logging.clusterLogging'

Remediation

From Console:
  1. For each EKS Cluster in each region.
  2. Go to Amazon EKS > Clusters > CLUSTER_NAME > Configuration > Logging.
  3. Click Manage logging.
  4. Ensure that all options are toggled to Enabled.
  5. Click Save Changes.
From CLI:
# For each EKS Cluster in each region;
# (double quotes are used so that the shell expands the two variables exported during the audit step)
aws eks update-cluster-config \
    --region "${REGION_CODE}" \
    --name "${CLUSTER_NAME}" \
    --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
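The audit and remediation steps above can be automated across many clusters. The following Python helper is an added example, not part of this benchmark or of the AWS CLI: it takes the list that `aws eks describe-cluster --query 'cluster.logging.clusterLogging'` returns, reports which of the five control plane log types are still disabled, and builds the exact `--logging` argument used in the remediation command. The sample cluster output is constructed for illustration.

```python
import json

# The five control plane log types EKS can export to CloudWatch (as listed on this page).
REQUIRED_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")


def enabled_log_types(cluster_logging):
    """Return the set of log types enabled in a describe-cluster
    'cluster.logging.clusterLogging' list ([{"types": [...], "enabled": bool}, ...])."""
    enabled = set()
    for entry in cluster_logging:
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def missing_log_types(cluster_logging):
    """Log types that must still be turned on for the cluster to pass this check."""
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled_log_types(cluster_logging)]


def remediation_logging_argument():
    """JSON value for 'aws eks update-cluster-config --logging' that enables every type."""
    return json.dumps({"clusterLogging": [{"types": list(REQUIRED_LOG_TYPES), "enabled": True}]})


# Constructed sample: a cluster that only exports api and audit logs, in the shape
# describe-cluster --query 'cluster.logging.clusterLogging' returns it.
SAMPLE_CLUSTER_LOGGING = json.loads("""
[
  {"types": ["api", "audit"], "enabled": true},
  {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}
]
""")

if __name__ == "__main__":
    missing = missing_log_types(SAMPLE_CLUSTER_LOGGING)
    if missing:
        print("FAIL: disabled control plane log types: " + ", ".join(missing))
        print("Remediate with: aws eks update-cluster-config --region REGION_CODE "
              "--name CLUSTER_NAME --logging '" + remediation_logging_argument() + "'")
    else:
        print("PASS: all control plane log types are enabled")
```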