
EKS Audit Log Integration Using the AWS CLI

Tip: You must enable audit logging on the clusters that you want to integrate.

To complete the integration, you must:

  1. Create an integration in the Lacework Console.
  2. Instrument each EKS cluster for the EKS integration created in Step 1.
    • Enable EKS logs
    • Integrate EKS clusters

Prerequisite

Audit logging must be enabled on the clusters that you want to integrate. You can do this via the AWS CLI using the following command, run once per cluster in the cluster's region:

    aws eks --region <region> update-cluster-config --name <cluster_name> \
    --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

The change takes a few minutes to apply, and the cluster status reads UPDATING until it completes. EKS rejects the command with an InvalidParameterException ("No changes needed for the logging config provided") when audit logging is already enabled, so check the cluster's current logging configuration first if you are scripting this step.
Create an Integration in the Lacework Console

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts > Add New.
  3. Click Amazon Web Services and select EKS Audit Log.
  4. Click Next.
  5. Click CloudFormation.
  6. Click Download CloudFormation Template.
  7. Before you create the stack, open the template and replace the following placeholders:
    • %awsAcnt - The 12-digit AWS account ID that will be integrated.
    • %extid - The External ID. It restricts who may assume the cross-account IAM role the template creates, so copy it exactly as the Lacework Console displays it.
    • %acnt - A resource name prefix of your choosing.
  8. Create the stack with the following command:
    aws cloudformation create-stack \
    --stack-name <stack-name> \
    --template-body file://<downloaded-script-location> \
    --capabilities CAPABILITY_NAMED_IAM
  9. Wait for the stack to reach CREATE_COMPLETE, then collect the FirehoseARN from the stack outputs (output key LaceworkEKSFirehoseArn). It is used when instrumenting each cluster.

Instrument EKS Clusters

Instrument each EKS cluster for the EKS integration you just created.

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate. The Lacework CloudFormation template does not enable it for you, so do this separately, for example with the update-cluster-config command shown in the Prerequisite section.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

After enabling audit logging, follow these steps for each cluster:

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration. This opens the integration’s details.
  3. Click Download CloudFormation script.
  4. Before you create the stack, open the template and replace the %acnt value with the resource name prefix you want to use.
  5. Create the stack with the following command and parameters (use a distinct stack name for each cluster):
    aws cloudformation create-stack \
    --stack-name <stack-name> \
    --template-body file://<downloaded-script-location> \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters ParameterKey=EKSClusterName,ParameterValue=<eks-cluster-name> ParameterKey=FirehoseARN,ParameterValue=<firehose-arn>
    Use the following values:
    • EKSClusterName - The name of the EKS cluster to instrument.
    • FirehoseARN - The FirehoseARN output of the stack you created for the integration.
      If you instrument more clusters later, you can recover this ARN in the AWS Console under CloudFormation by viewing the Outputs of the integration stack (it also appears in the Parameters of any cluster stack you have already created), or programmatically by calling the DescribeStacks API on the integration stack and reading the OutputValue whose OutputKey is LaceworkEKSFirehoseArn.
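The following script is an added example, not Lacework's or AWS's own tooling. It ties the Prerequisite and the per-cluster steps above together for several clusters at once: it checks whether audit logging is already enabled before calling update-cluster-config (EKS rejects a no-op logging update), polls the resulting update until it finishes, reads the FirehoseARN from the integration stack's LaceworkEKSFirehoseArn output, and creates and waits on one cluster stack per cluster. The stack-name prefix lacework-eks-audit-, the 15-second poll interval and reliance on AWS_REGION/AWS_DEFAULT_REGION for the region are this script's own assumptions, not taken from the page.

```shell
#!/bin/sh
# instrument_eks_clusters.sh - added example, not Lacework's or AWS's own tooling.
# Enables EKS control-plane audit logging where it is missing, resolves the FirehoseARN
# from the integration stack, and creates one Lacework cluster stack per EKS cluster.
#
# Assumptions (this script's own): the region comes from AWS_REGION/AWS_DEFAULT_REGION;
# the stack-name prefix "lacework-eks-audit-" is arbitrary. The output key
# LaceworkEKSFirehoseArn and the parameters EKSClusterName/FirehoseARN are named on the page.
set -eu

# Return 0 when "audit" is one of the whitespace-separated log types in $1, as printed
# by `aws eks describe-cluster ... --output text`. Pure function, testable offline.
has_audit_type() {
  for t in $1; do
    [ "$t" = "audit" ] && return 0
  done
  return 1
}

# CloudFormation stack names must match [a-zA-Z][-a-zA-Z0-9]*, while EKS cluster names
# may contain underscores, so map underscores to hyphens.
stack_name_for_cluster() {
  printf '%s' "lacework-eks-audit-$1" | tr '_' '-'
}

# Currently enabled control-plane log types of a cluster, as one whitespace-separated line.
enabled_log_types() {
  aws eks describe-cluster --name "$1" \
    --query 'cluster.logging.clusterLogging[?enabled==`true`].types[]' --output text
}

# Idempotently enable audit logging. update-cluster-config fails if nothing would change,
# so check first; then poll the update until its status leaves InProgress.
ensure_audit_logging() {
  cluster=$1
  types=$(enabled_log_types "$cluster")
  if has_audit_type "$types"; then
    echo "$cluster: audit logging already enabled"
    return 0
  fi
  update_id=$(aws eks update-cluster-config --name "$cluster" \
    --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}' \
    --query 'update.id' --output text)
  status=InProgress
  while [ "$status" = "InProgress" ]; do
    sleep 15
    status=$(aws eks describe-update --name "$cluster" --update-id "$update_id" \
      --query 'update.status' --output text)
  done
  [ "$status" = "Successful" ] || { echo "$cluster: logging update ended with status $status" >&2; return 1; }
  echo "$cluster: audit logging enabled"
}

# FirehoseARN from the integration stack's outputs.
firehose_arn_from_stack() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='LaceworkEKSFirehoseArn'].OutputValue" --output text
}

# Create the per-cluster stack and block until it is CREATE_COMPLETE (the waiter fails otherwise).
instrument_cluster() {
  template=$1; arn=$2; name=$3
  stack=$(stack_name_for_cluster "$name")
  aws cloudformation create-stack --stack-name "$stack" \
    --template-body "file://$template" --capabilities CAPABILITY_NAMED_IAM \
    --parameters "ParameterKey=EKSClusterName,ParameterValue=$name" \
                 "ParameterKey=FirehoseARN,ParameterValue=$arn" >/dev/null
  aws cloudformation wait stack-create-complete --stack-name "$stack"
  echo "$name: stack $stack created"
}

main() {
  integration_stack=$1; template=$2; shift 2
  firehose_arn=$(firehose_arn_from_stack "$integration_stack")
  [ -n "$firehose_arn" ] && [ "$firehose_arn" != "None" ] \
    || { echo "no LaceworkEKSFirehoseArn output on stack $integration_stack" >&2; return 1; }
  for c in "$@"; do
    ensure_audit_logging "$c"
    instrument_cluster "$template" "$firehose_arn" "$c"
  done
}

# Usage: ./instrument_eks_clusters.sh <integration-stack-name> <cluster-template> <cluster> [<cluster> ...]
if [ "$#" -ge 3 ]; then
  main "$@"
else
  echo "usage: $0 <integration-stack-name> <cluster-template> <cluster> [<cluster> ...]" >&2
fi
```

Run it as `AWS_REGION=us-east-1 ./instrument_eks_clusters.sh <integration-stack-name> <cluster-template> cluster-a cluster-b` with credentials that may call eks:DescribeCluster, eks:UpdateClusterConfig, eks:DescribeUpdate and the CloudFormation actions. The describe-update loop is used rather than the cluster-active waiter because the update ID is the authoritative handle for this specific change; a Failed or Cancelled status stops the script before any cluster stack is created for that cluster.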

Verify the Integration is Set Up

To verify that logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify SNS notifications for the creation of S3 objects:

  • Create an email subscription on the SNS topic and confirm the subscription by clicking the link sent to your inbox. Every time a log object is written, you should receive an email with the key details. Remove the subscription once you have verified, otherwise the topic keeps mailing you on every delivery.
  • Log objects are written about every 5 minutes, so wait at least that long after instrumenting a cluster before concluding that logs are not arriving.
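As an added example that is not part of Lacework's documentation, the following script automates the first check above: it finds the newest object under eks_audit_logs/<aws-account-id>/ in the integration's S3 bucket and reports whether it is recent enough to indicate a live pipeline. It assumes you pass the bucket name (look it up in the integration stack's resources), that a 15-minute window (three 5-minute delivery intervals) is a reasonable default, and that either GNU or BSD date is available to compute the cutoff; the optional subscribe_email function covers the SNS step with the aws sns subscribe command.

```shell
#!/bin/sh
# verify_eks_audit_flow.sh - added example, not Lacework's own tooling.
# Reports whether objects are landing under eks_audit_logs/<aws-account-id>/ recently
# enough to indicate a live CloudWatch -> Firehose -> S3 pipeline.
#
# Assumptions (this script's own): the bucket name is passed as the first argument; the
# default 15-minute window is three delivery intervals; cutoff uses GNU date, falling
# back to BSD/macOS date.
set -eu

# Truncate an ISO-8601 timestamp to whole seconds ("2024-05-01T10:05:00.000Z" ->
# "2024-05-01T10:05:00") so values in this fixed UTC format compare correctly as strings.
iso_seconds() {
  printf '%s' "$1" | cut -c1-19
}

# Return 0 when UTC timestamp $1 is at or after UTC timestamp $2. Pure, testable offline.
is_not_before() {
  awk -v a="$(iso_seconds "$1")" -v b="$(iso_seconds "$2")" 'BEGIN { exit !(a >= b) }'
}

# The S3 key prefix the integration writes under, for a given 12-digit account ID.
audit_log_prefix() {
  printf 'eks_audit_logs/%s/' "$1"
}

# UTC timestamp $1 minutes ago: GNU date syntax first, then BSD date syntax.
cutoff_utc() {
  date -u -d "$1 minutes ago" +%Y-%m-%dT%H:%M:%S 2>/dev/null \
    || date -u -v-"$1"M +%Y-%m-%dT%H:%M:%S
}

# LastModified of the newest object under the prefix; prints "None" when there is none.
# The CLI paginates list-objects-v2 automatically, so the query sees every key.
newest_object_time() {
  aws s3api list-objects-v2 --bucket "$1" --prefix "$2" \
    --query 'sort_by(Contents, &LastModified)[-1].LastModified' --output text
}

# Optional: subscribe an address to the integration's SNS topic; confirm via the emailed link.
subscribe_email() {
  aws sns subscribe --topic-arn "$1" --protocol email --notification-endpoint "$2" --output text
}

main() {
  bucket=$1; window=${2:-15}
  account=$(aws sts get-caller-identity --query Account --output text)
  prefix=$(audit_log_prefix "$account")
  newest=$(newest_object_time "$bucket" "$prefix")
  if [ -z "$newest" ] || [ "$newest" = "None" ]; then
    echo "no objects under s3://$bucket/$prefix yet" >&2
    return 1
  fi
  cutoff=$(cutoff_utc "$window")
  if is_not_before "$newest" "$cutoff"; then
    echo "OK: newest object under $prefix written at $newest (within $window min)"
  else
    echo "STALE: newest object under $prefix written at $newest, older than $window min" >&2
    return 1
  fi
}

# Usage: ./verify_eks_audit_flow.sh <bucket-name> [window-minutes]
if [ "$#" -ge 1 ]; then
  main "$@"
else
  echo "usage: $0 <bucket-name> [window-minutes]" >&2
fi
```

A non-zero exit from this script right after instrumenting a cluster is expected for the first delivery interval; run it again after five minutes. A persistent STALE result on a cluster that is in use usually means the audit log type was disabled again or the subscription filter feeding Firehose is broken, and should be investigated rather than waited out.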