
EKS Audit Log Integration Using CloudFormation

Tip

You must enable audit logging on the clusters that you want to integrate.

To complete the integration, you must:

  1. Create an integration in the Lacework Console.
  2. Instrument each EKS cluster for the EKS integration created in Step 1.
    • Enable EKS logs
    • Integrate EKS clusters

Prerequisite

Audit logging must be enabled on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

Create an Integration in the Lacework Console

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts > Add New.
  3. Click Amazon Web Services and select EKS Audit Log.
  4. Click Next.
  5. Click CloudFormation.
  6. Follow the steps in the next section.

Run CloudFormation Template

  1. Click Run CloudFormation Template.
  2. Review the Specify template page and click Next. The Lacework script populates the Amazon S3 URL for you.
  3. Review the Specify stack details page and click Next. The Lacework script populates ExternalID and ResourceNamePrefix.
  4. On the Configure stack options page, click Next.
  5. Verify the information on the Review page and click Create stack.

Note

If you have multiple AWS accounts with distributed ownership, you may want to use the Download CloudFormation Template option instead:

  1. Click Download CloudFormation Template.
  2. Log in to your AWS account.
  3. Select the CloudFormation service and click Create stack.
  4. For Template source, click Upload a template file.
  5. Upload the Lacework template and click Next.
  6. Review the Specify stack details page and click Next. The Lacework script populates ExternalID and ResourceNamePrefix.
  7. On the Configure stack options page, click Next.
  8. Verify the information on the Review page and click Create stack.

Instrument EKS Clusters

Instrument each EKS cluster for the EKS integration you just created.

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate. CloudFormation does not currently support enabling it, so use the AWS CLI command shown in the Prerequisite section (or the AWS Console) for each cluster.

For more information, see the Amazon EKS control plane logging documentation.
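Because CloudFormation cannot enable control-plane logging for you, it is easy to miss a cluster. The following script is an added example (not Lacework's or AWS's own code) that checks the output of describe-cluster for each cluster, reports the ones where the audit log type is not enabled, and prints the same update-cluster-config command from the Prerequisite section for each of them. The cluster names and the sample describe-cluster output are constructed; the live boto3 path assumes boto3 is installed and AWS credentials with eks:ListClusters and eks:DescribeCluster are available.

```python
"""
Added example (not Lacework's or AWS's own code): find EKS clusters that
still lack control-plane audit logging and emit the CLI command to fix them.
"""
import json
from typing import Any, Dict, List

# The logging configuration the page's CLI command sends, as a dict.
AUDIT_LOGGING_CONFIG: Dict[str, Any] = {
    "clusterLogging": [{"types": ["audit"], "enabled": True}]
}


def audit_logging_enabled(cluster: Dict[str, Any]) -> bool:
    """Return True if describe-cluster output lists 'audit' among the enabled
    control-plane log types. EKS reports enabled and disabled log types as
    separate entries under cluster.logging.clusterLogging."""
    entries = cluster.get("logging", {}).get("clusterLogging", [])
    return any(e.get("enabled") and "audit" in e.get("types", []) for e in entries)


def clusters_missing_audit_logs(clusters: List[Dict[str, Any]]) -> List[str]:
    """Names of clusters that still need the update-cluster-config call."""
    return [c["name"] for c in clusters if not audit_logging_enabled(c)]


def update_config_cli_command(region: str, cluster_name: str) -> str:
    """Reproduce the page's 'aws eks update-cluster-config' command for one cluster."""
    payload = json.dumps(AUDIT_LOGGING_CONFIG, separators=(",", ":"))
    return (f"aws eks --region {region} update-cluster-config "
            f"--name {cluster_name} --logging '{payload}'")


# Constructed sample: the "cluster" object returned by describe-cluster,
# trimmed to the logging block. Names and states are made up.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {"name": "prod-eks", "logging": {"clusterLogging": [
        {"types": ["audit"], "enabled": True},
        {"types": ["api", "authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]}},
    {"name": "dev-eks", "logging": {"clusterLogging": [
        {"types": ["api"], "enabled": True},
        {"types": ["audit", "authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]}},
    {"name": "legacy-eks", "logging": {"clusterLogging": []}},
]


def clusters_missing_audit_logs_live(region: str) -> List[str]:
    """Live variant (assumes boto3 and AWS credentials): list every cluster in
    the region and return those without audit logging enabled."""
    import boto3  # imported lazily so the pure helpers above run without it
    eks = boto3.client("eks", region_name=region)
    names: List[str] = []
    for page in eks.get_paginator("list_clusters").paginate():
        names.extend(page["clusters"])
    described = [eks.describe_cluster(name=n)["cluster"] for n in names]
    return clusters_missing_audit_logs(described)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in the live variant as needed.
    for name in clusters_missing_audit_logs(SAMPLE_CLUSTERS):
        print(update_config_cli_command("us-east-1", name))
```

The check deliberately looks for an entry that is both enabled and contains "audit", because a cluster with other log types enabled (like dev-eks in the sample) still produces no audit events for the integration to pick up.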

Integrate EKS Clusters

After enabling audit logging, follow these steps:

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Run CloudFormation script. If you are already logged in to your AWS account, this redirects you to the AWS Create stack > Specify template page.
  4. Review the Specify template page and click Next. The Lacework script populates the Amazon S3 URL for you.
  5. On the Specify stack details page, provide the EKSClusterName. The script populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  6. On the Configure stack options page, click Next.
  7. Verify the information on the Review page and click Create stack.

Note

If you have multiple AWS accounts with distributed ownership, you may want to use the Download CloudFormation script option instead:

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Download CloudFormation script.
  4. Log in to your AWS account if you are not already logged in.
  5. Select the CloudFormation service and click Create stack.
  6. For Template source, click Upload a template file.
  7. Upload the Lacework CloudFormation script and click Next.
  8. On the Specify stack details page, provide the EKSClusterName. The script populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  9. On the Configure stack options page, click Next.
  10. Verify the information on the Review page and click Create stack.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify SNS notifications for the creation of S3 objects, create an email subscription on the SNS topic and confirm the subscription by clicking the link sent to your inbox. Every time a log is written, you should receive an email with the key details.

Logs are created every 5 minutes.
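Checking the bucket by hand works once, but a recurring check that the integration is still healthy is more useful. The following is an added example (not Lacework's own code) that applies the verification above programmatically: it looks for the newest non-empty object under eks_audit_logs/<aws-account-id>/, treats the pipeline as healthy only if that object is recent relative to the 5-minute cadence stated on the page, and checks that the SNS topic has at least one confirmed email subscription (an unconfirmed one never delivers). The account ID, bucket, topic ARN, object keys and subscriptions are constructed, and the staleness tolerance of three log intervals is an assumption; the live path assumes boto3 and credentials with s3:ListBucket and sns:ListSubscriptionsByTopic.

```python
"""
Added example (not Lacework's own code): verify audit logs are landing in the
integration bucket on schedule and that SNS notifications can be delivered.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

LOG_INTERVAL = timedelta(minutes=5)      # cadence stated on the page
MAX_STALENESS = 3 * LOG_INTERVAL         # assumption: tolerate a couple of missed windows


def log_prefix(account_id: str) -> str:
    """Prefix under which the integration writes logs for one account."""
    return f"eks_audit_logs/{account_id}/"


def newest_log_object(objects: List[Dict[str, Any]], account_id: str) -> Optional[Dict[str, Any]]:
    """From an S3 ListObjectsV2 'Contents' list, return the most recently
    modified non-empty object under the account's prefix, or None."""
    prefix = log_prefix(account_id)
    candidates = [o for o in objects if o["Key"].startswith(prefix) and o.get("Size", 0) > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda o: o["LastModified"])


def logs_are_flowing(objects: List[Dict[str, Any]], account_id: str,
                     now: datetime, max_staleness: timedelta = MAX_STALENESS) -> bool:
    """True if the newest log object is no older than max_staleness."""
    newest = newest_log_object(objects, account_id)
    return newest is not None and now - newest["LastModified"] <= max_staleness


def confirmed_email_subscriptions(subscriptions: List[Dict[str, Any]]) -> List[str]:
    """From SNS ListSubscriptionsByTopic output, return the endpoints of email
    subscriptions that have been confirmed. SNS reports an unconfirmed one
    with SubscriptionArn == 'PendingConfirmation'."""
    return [s["Endpoint"] for s in subscriptions
            if s["Protocol"] == "email" and s["SubscriptionArn"] != "PendingConfirmation"]


# Constructed sample data (account ID, keys, addresses and ARN are made up).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ACCOUNT = "123456789012"
SAMPLE_OBJECTS: List[Dict[str, Any]] = [
    {"Key": f"eks_audit_logs/{ACCOUNT}/2024/01/15/log-1155.gz", "Size": 2048,
     "LastModified": NOW - timedelta(minutes=5)},
    {"Key": f"eks_audit_logs/{ACCOUNT}/2024/01/15/log-1150.gz", "Size": 1900,
     "LastModified": NOW - timedelta(minutes=10)},
    {"Key": "eks_audit_logs/999999999999/2024/01/15/log-1155.gz", "Size": 2048,
     "LastModified": NOW - timedelta(minutes=5)},
    # Zero-byte "folder" marker: must not count as a delivered log.
    {"Key": f"eks_audit_logs/{ACCOUNT}/", "Size": 0, "LastModified": NOW - timedelta(days=1)},
]
SAMPLE_SUBSCRIPTIONS: List[Dict[str, Any]] = [
    {"Protocol": "email", "Endpoint": "secops@example.com",
     "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:eks-audit-topic:<subscription-id-placeholder>"},
    {"Protocol": "email", "Endpoint": "oncall@example.com", "SubscriptionArn": "PendingConfirmation"},
]


def check_live(bucket: str, account_id: str, topic_arn: str, region: str) -> Tuple[bool, List[str]]:
    """Live variant (assumes boto3 and AWS credentials): list the account's
    prefix and the topic's subscriptions, then apply the checks above."""
    import boto3  # imported lazily so the pure helpers run without it
    s3 = boto3.client("s3", region_name=region)
    objects: List[Dict[str, Any]] = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=log_prefix(account_id)):
        objects.extend(page.get("Contents", []))
    sns = boto3.client("sns", region_name=region)
    subs: List[Dict[str, Any]] = []
    for page in sns.get_paginator("list_subscriptions_by_topic").paginate(TopicArn=topic_arn):
        subs.extend(page["Subscriptions"])
    now = datetime.now(timezone.utc)
    return logs_are_flowing(objects, account_id, now), confirmed_email_subscriptions(subs)


if __name__ == "__main__":
    print("logs flowing:", logs_are_flowing(SAMPLE_OBJECTS, ACCOUNT, NOW))
    print("confirmed email subscriptions:", confirmed_email_subscriptions(SAMPLE_SUBSCRIPTIONS))
```

Filtering on the exact account prefix matters when one bucket receives logs from several accounts: a fresh object from another account (the 999999999999 key in the sample) must not mask a stalled pipeline for the account you are verifying.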