lacework-global-315
2.1.1 Enable audit Logs (Automated)
note
This rule has been changed to automated, see Automated Rules for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
Control plane logs provide visibility into operation of the EKS Control plane component systems. The API server audit logs record all accepted and rejected requests in the cluster. When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch Log Group for persistence.
Rationale
Audit logs enable visibility into all API server requests from authentic and anonymous sources. Stored log data can be analysed manually or with tools to identify and understand anomalous or negative activity and lead to intelligent remediations.
Impact
Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes. S3 lifecycle features can be used to manage the accumulation and management of logs over time.
See the following AWS resource for more information on these features: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
Audit
From Console:
- For each EKS Cluster in each region;
- Go to 'Amazon EKS' > 'Clusters' > 'CLUSTER_NAME' > 'Configuration' > 'Logging'.
- This will show the control plane logging configuration:
API server: Enabled / Disabled
Audit: Enabled / Disabled
Authenticator: Enabled / Disabled
Controller manager: Enabled / Disabled
Scheduler: Enabled / Disabled
- Ensure that all options are set to 'Enabled'.
From CLI:
# For each EKS Cluster in each region;
aws eks describe-cluster --name '${CLUSTER_NAME}' --query 'cluster.logging.clusterLogging' --region '${REGION_CODE}'
Remediation
From Console:
For each EKS Cluster in 'Amazon EKS' > 'Clusters' in each region;
Go to 'Configuration' > 'Logging'.
Click 'Manage logging'.
Ensure that all options (API server, Audit, Authenticator, Controller manager, Scheduler) are toggled to 'Enabled'.
API server: Enabled
Audit: Enabled
Authenticator: Enabled
Controller manager: Enabled
Scheduler: EnabledClick 'Save Changes'.
From CLI: For each EKS Cluster in each region:
aws eks update-cluster-config \
--region '${REGION_CODE}' \
--name '${CLUSTER_NAME}' \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
References
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
https://aws.github.io/aws-eks-best-practices/detective/
https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
https://docs.aws.amazon.com/eks/latest/userguide/logging-using-cloudtrail.html