Create an EKS Audit Log Integration Manually

Tip: You must enable audit logging on the clusters that you want to integrate.

To complete the integration, you must:

  1. Create an integration in the Lacework Console.
  2. Instrument each EKS cluster for the EKS integration created in Step 1.
    • Enable EKS logs
    • Integrate EKS clusters

Prerequisite

Audit logging must be enabled on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

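
The command above enables audit logging unconditionally. The following added example (not Lacework's or AWS's code) reads the `logging` block of `aws eks describe-cluster` output, reports which control-plane log types are already exported, and issues the exact update-cluster-config command from this section only when the `audit` type is off. The region, cluster name and describe-cluster samples are constructed placeholders.

```python
"""Added example, not Lacework's or AWS's code: check a cluster's control-plane
logging from `aws eks describe-cluster` output and build the update-cluster-config
command shown in the Prerequisite section when audit logging is off.
Cluster names, regions and sample output are constructed placeholders."""
import json
import subprocess

# Constructed samples of `aws eks describe-cluster --name <cluster_name>` output,
# trimmed to the `logging` block this check reads.
SAMPLE_AUDIT_OFF = json.dumps({"cluster": {"name": "demo-cluster", "status": "ACTIVE", "logging": {
    "clusterLogging": [
        {"types": ["api", "authenticator"], "enabled": True},
        {"types": ["audit", "controllerManager", "scheduler"], "enabled": False},
    ]}}})
SAMPLE_AUDIT_ON = json.dumps({"cluster": {"name": "demo-cluster", "status": "ACTIVE", "logging": {
    "clusterLogging": [{"types": ["audit"], "enabled": True}]}}})


def enabled_log_types(describe_output):
    """Set of control-plane log types currently exported to CloudWatch Logs."""
    cluster = json.loads(describe_output)["cluster"]
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_logging_enabled(describe_output):
    """True only if the `audit` type is among the enabled log types."""
    return "audit" in enabled_log_types(describe_output)


def logging_payload(types=("audit",)):
    """Value for --logging; compact separators reproduce the page's payload byte for byte."""
    return json.dumps({"clusterLogging": [{"types": list(types), "enabled": True}]},
                      separators=(",", ":"))


def update_cluster_config_cmd(region, cluster_name, types=("audit",)):
    """argv for the Prerequisite command; the payload is one argument, so no shell quoting is needed."""
    return ["aws", "eks", "--region", region, "update-cluster-config",
            "--name", cluster_name, "--logging", logging_payload(types)]


def ensure_audit_logging(region, cluster_name, run=subprocess.run):
    """Describe the cluster and enable audit logging only if it is off.
    Returns True when an update was issued, False when nothing had to change."""
    describe = run(["aws", "eks", "--region", region, "describe-cluster",
                    "--name", cluster_name, "--output", "json"],
                   check=True, capture_output=True, text=True).stdout
    if audit_logging_enabled(describe):
        return False
    # EKS applies the change as an asynchronous cluster update; poll describe-cluster
    # (or `aws eks describe-update`) until it completes before instrumenting the cluster.
    run(update_cluster_config_cmd(region, cluster_name), check=True)
    return True


if __name__ == "__main__":
    import sys
    region, cluster_name = sys.argv[1], sys.argv[2]  # e.g. us-east-1 demo-cluster (placeholders)
    print("update issued:", ensure_audit_logging(region, cluster_name))
```

Run it as `python check_audit_logging.py <region> <cluster_name>` with AWS credentials that can call `eks:DescribeCluster` and `eks:UpdateClusterConfig`; the `run` parameter exists so the describe/update calls can be swapped for a fake when testing the logic offline.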
  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select EKS Audit Log.
  5. Click Next.
  6. Click Manual Configuration.
  7. Follow the steps in the next section.

Create an Integration in the Lacework Console

Ensure you have completed the preparatory steps described in AWS Integration Prerequisites.

  1. For Name, enter a unique name that displays in the Lacework Console.
  2. For External ID, enter the AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resource.
  3. For Role ARN, enter the ARN of the cross-account role that Lacework uses to access your AWS resources.
  4. For SNS ARN, enter the ARN of the topic that Lacework uses to communicate with your AWS resources.
  5. Click Save to finish the AWS integration and save your onboarding progress.

Instrument EKS Clusters

Instrument each EKS cluster for the EKS integration you just created.

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

After enabling audit logging, follow these steps:

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Run CloudFormation script. If you are already logged in to your AWS account, this redirects you to the Specify template page.
  4. Review the Specify template page and click Next. The Lacework script populates the Amazon S3 URL for you.
  5. On the Specify stack details page, provide the EKSClusterName. The script populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  6. On the Configure stack options page, click Next.
  7. Verify the information on the Review page and click Create stack.

Note: If you have multiple AWS accounts with distributed ownership, you may want to use the Download CloudFormation script option instead.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Download CloudFormation script.
  4. Log in to your AWS account if you are not already logged in.
  5. Select the CloudFormation service and click Create stack.
  6. For Template source, click Upload a template file.
  7. Upload the Lacework CloudFormation script and click Next.
  8. On the Specify stack details page, provide the EKSClusterName. The script populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  9. On the Configure stack options page, click Next.
  10. Verify the information on the Review page and click Create stack.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify SNS notifications for the creation of S3 objects:

  • Create an email subscription on the SNS topic and ensure you confirm the subscription by clicking the link sent to your inbox. Every time a log is written, you should receive an email with the key details.
  • Logs are created every 5 minutes.
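
The two checks above can be scripted against the JSON that `aws s3api list-objects-v2` and `aws sns list-subscriptions-by-topic` return. The following added example (not Lacework's code) finds the newest object under `eks_audit_logs/<aws-account-id>/`, treats the integration as healthy only if that object is no older than a few of the 5-minute intervals stated above, and lists SNS subscriptions whose confirmation link has not been clicked (SNS reports those with the literal SubscriptionArn `PendingConfirmation`). The account id, topic and queue ARNs, and the key layout below the prefix are constructed placeholders.

```python
"""Added example, not Lacework's code: turn the verification steps for the EKS
audit log integration into checks over AWS CLI JSON output. Account id, ARNs
and object keys below the prefix are constructed placeholders."""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT_ID = "123456789012"               # placeholder AWS account id
LOG_PREFIX = "eks_audit_logs/"            # prefix named on the page
EXPECTED_INTERVAL = timedelta(minutes=5)  # the page states logs are created every 5 minutes
GRACE_INTERVALS = 3                       # tolerate a few missed intervals before alarming

# Constructed sample of `aws s3api list-objects-v2 --bucket <bucket> --prefix eks_audit_logs/`.
# Real buckets can hold more than 1000 objects; page with --starting-token or use a tighter prefix.
SAMPLE_LIST_OBJECTS = json.dumps({
    "Contents": [
        {"Key": f"{LOG_PREFIX}{ACCOUNT_ID}/part-0001.gz", "LastModified": "2024-01-15T10:00:12+00:00", "Size": 4821},
        {"Key": f"{LOG_PREFIX}{ACCOUNT_ID}/part-0002.gz", "LastModified": "2024-01-15T10:05:09+00:00", "Size": 5102},
        {"Key": "other/unrelated.txt", "LastModified": "2024-01-15T10:07:00+00:00", "Size": 10},
    ]
})
# Constructed sample of `aws sns list-subscriptions-by-topic --topic-arn <sns_arn>`; an
# unconfirmed subscription carries the literal SubscriptionArn "PendingConfirmation".
SAMPLE_SUBSCRIPTIONS = json.dumps({
    "Subscriptions": [
        {"SubscriptionArn": "PendingConfirmation", "Protocol": "email",
         "Endpoint": "secops@example.com",
         "TopicArn": f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:example-topic"},
        {"SubscriptionArn": f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:example-topic:00000000-0000-0000-0000-000000000000",
         "Protocol": "sqs", "Endpoint": f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:example-queue",
         "TopicArn": f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:example-topic"},
    ]
})
SAMPLE_NOW = datetime(2024, 1, 15, 10, 8, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def latest_log_object(list_output, account_id):
    """Newest object under eks_audit_logs/<account_id>/ as (key, last_modified), or None."""
    prefix = f"{LOG_PREFIX}{account_id}/"
    newest = None
    for obj in json.loads(list_output).get("Contents", []):
        if not obj["Key"].startswith(prefix):
            continue  # ignore objects outside the integration's prefix
        modified = datetime.fromisoformat(obj["LastModified"])
        if newest is None or modified > newest[1]:
            newest = (obj["Key"], modified)
    return newest


def log_age_seconds(list_output, account_id, now=None):
    """Seconds since the newest audit-log object was written; None if there is none."""
    newest = latest_log_object(list_output, account_id)
    if newest is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - newest[1]).total_seconds()


def logs_are_flowing(list_output, account_id, now=None):
    """True when the newest object is within GRACE_INTERVALS of the expected 5-minute cadence."""
    age = log_age_seconds(list_output, account_id, now)
    return age is not None and age <= GRACE_INTERVALS * EXPECTED_INTERVAL.total_seconds()


def pending_subscriptions(subs_output):
    """Endpoints still waiting for the confirmation link to be clicked."""
    return [s["Endpoint"] for s in json.loads(subs_output).get("Subscriptions", [])
            if s.get("SubscriptionArn") == "PendingConfirmation"]


if __name__ == "__main__":
    print("latest object:", latest_log_object(SAMPLE_LIST_OBJECTS, ACCOUNT_ID))
    print("logs flowing:", logs_are_flowing(SAMPLE_LIST_OBJECTS, ACCOUNT_ID, SAMPLE_NOW))
    print("pending confirmations:", pending_subscriptions(SAMPLE_SUBSCRIPTIONS))
```

To run it against a live account, replace the two sample strings with the stdout of the corresponding `aws s3api` and `aws sns` commands and drop the `now` argument so the current time is used; a `False` from `logs_are_flowing` or a non-empty list from `pending_subscriptions` points at the step that still needs attention.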