EKS Audit Log Integration Overview
Lacework provides the ability to monitor and baseline Kubernetes runtime security audit logs. By utilizing exported Kubernetes security-related audit log events, this Lacework integration allows you to understand critical security events within Kubernetes clusters.
Lacework offers the following methods when integrating Lacework with EKS audit logs:
- Terraform. Terraform is recommended when integrating multiple clusters across multiple regions because you only need to configure and run Terraform once instead of one template per cluster.
- CloudFormation (run through the AWS Console or the AWS CLI)
Prerequisite
All integration methods require audit logging to be enabled on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:
aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
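Before running either integration method it is worth confirming which clusters actually meet this prerequisite. The following added example (not Lacework's code) evaluates the `logging.clusterLogging` section returned by `aws eks describe-cluster` and lists clusters where the `audit` type is not enabled. The describe-cluster outputs are constructed samples, and the point the check captures is that each `clusterLogging` entry carries several log types under one `enabled` flag, so `audit` only counts when it sits in an entry with `enabled` set to true.

```python
import json

# Constructed samples of `aws eks describe-cluster --name <cluster_name>` output,
# trimmed to the logging section that matters here (not real clusters).
SAMPLE_DESCRIBE_OUTPUTS = {
    "prod-eu": {"cluster": {"name": "prod-eu", "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator"], "enabled": True},
        {"types": ["controllerManager", "scheduler"], "enabled": False},
    ]}}},
    "dev-us": {"cluster": {"name": "dev-us", "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator", "controllerManager", "scheduler"],
         "enabled": False},
    ]}}},
    "legacy": {"cluster": {"name": "legacy", "logging": {"clusterLogging": []}}},
}


def audit_logging_enabled(describe_output) -> bool:
    """True when control-plane logging has the 'audit' type enabled.

    Accepts the describe-cluster output either as the raw JSON string from the
    CLI or as an already-parsed dict. Each clusterLogging entry lists several
    log types under a single enabled flag, so 'audit' must appear in an entry
    whose enabled flag is true.
    """
    if isinstance(describe_output, str):
        describe_output = json.loads(describe_output)
    entries = (describe_output.get("cluster", {})
                              .get("logging", {})
                              .get("clusterLogging", []))
    return any(entry.get("enabled") and "audit" in entry.get("types", [])
               for entry in entries)


def clusters_missing_audit_logging(describe_outputs: dict) -> list:
    """Sorted names of clusters that do not yet satisfy the prerequisite."""
    return sorted(name for name, out in describe_outputs.items()
                  if not audit_logging_enabled(out))


if __name__ == "__main__":
    missing = clusters_missing_audit_logging(SAMPLE_DESCRIBE_OUTPUTS)
    print("clusters still needing audit logging enabled:", missing)
```

In practice you would feed the function the output of `aws eks describe-cluster --region <region> --name <cluster_name>` for each cluster returned by `aws eks list-clusters`, then run the `update-cluster-config` command above only for the names it reports.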
Integrate Using Terraform
Lacework supports running Lacework Terraform modules to integrate AWS EKS Audit Logs with Lacework using any host supported by Terraform. This may be the easiest method to use when integrating multiple clusters across multiple regions because you only need to configure and run Terraform once instead of one template per cluster.
For details about using Terraform to create an integration, go to AWS EKS Audit Log Integration with Terraform.
Integrate Using CloudFormation
To configure Kubernetes runtime security monitoring on Lacework, you must:
- Create an integration in the Lacework Console and run the CloudFormation template file, which allows Lacework to track audit logs.
- Instrument each EKS cluster for the EKS integration created. Run the CloudFormation subscription filter template file to set up your resources to send logs from EKS log groups to Lacework.
Step 1 Breakdown
Creating an integration allows Lacework to track audit logs from all EKS clusters that belong to your AWS account. If you have multiple AWS accounts, you must add multiple EKS audit log integrations in Lacework, one for each AWS account you have.
You can run or obtain the CloudFormation template file from the Lacework Console. You can also download the template file using the API. For more information, go to Download EKS Audit CloudFormation Template File.
Running the CloudFormation template accomplishes the following:
- Creates a Kinesis Data Firehose.
- Creates a Firehose delivery role with permissions to post to the S3 bucket.
- Sets the S3 destination.
- Creates an S3 bucket.
- Creates an SNS topic.
- Creates a cross-account IAM role with permissions that Lacework assumes to make API calls.
- Updates the SNS policy to allow sending notifications to the Lacework SQS queue and to allow the Lacework AWS account to subscribe.
- Creates a subscription to the provided SNS topic and validates that there are no access issues when reading from the S3 bucket.
note
- Multiple EKS clusters can belong to a single Lacework EKS audit log integration.
- One SNS subscription is created for each EKS audit log integration (for example, for each AWS account).
If you have EKS clusters in multiple AWS regions, Lacework recommends creating multiple EKS audit log integrations, one for each AWS account per region.
Step 2 Breakdown
Instrumenting an EKS cluster sets up the cluster, and any other AWS resources required, to ingest logs from the EKS log groups into Lacework. You must also enable audit logging for the EKS cluster in the AWS account.
Lacework provides a CloudFormation subscription filter template file as a simple way to instrument EKS clusters. You can run or obtain the template file from the Lacework Console. You can also download the file using the API (Download EKS Audit CloudFormation Subscription Filter Template File).
The CloudFormation template creates a subscription filter on the EKS cluster’s CloudWatch log group that includes the following:
- CloudWatch role with permissions to post to Kinesis Firehose.
- Filter pattern for audit logs:
"{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }"
All audit log events whose stage and requestURI match this pattern are sent to the EKS service.
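To see which audit events the subscription filter above actually forwards, the following added example (not Lacework's template code) reimplements the pattern's logic in Python and runs it over constructed EKS audit log lines. It keeps only `ResponseComplete` events and drops the health, version, metrics, logs and swagger endpoints. One assumption is made explicit in the code: CloudWatch JSON filter terms treat only `*` as a wildcard, so the `?` in `"/version?*"` is the literal query-string separator; events lacking a `requestURI` are treated as not forwarded, which is also an assumption.

```python
import json
import re

# The subscription filter from the page, expressed as data. CloudWatch syntax:
# { $.stage = "ResponseComplete" && $.requestURI != "/version" && ... }
REQUIRED_STAGE = "ResponseComplete"
EXCLUDED_URI_GLOBS = [
    "/version", "/version?*",
    "/metrics", "/metrics?*",
    "/logs", "/logs?*",
    "/swagger*", "/livez*", "/readyz*", "/healthz*",
]


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate a CloudWatch term value into an anchored regex.

    Assumption: only '*' is a wildcard in CloudWatch JSON filter patterns, so
    '?' in "/version?*" matches the literal '?' that starts a query string.
    """
    parts = [re.escape(part) for part in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


EXCLUDED_URI_RES = [glob_to_regex(g) for g in EXCLUDED_URI_GLOBS]


def matches_filter(event: dict) -> bool:
    """True if this audit event would pass the subscription filter."""
    if event.get("stage") != REQUIRED_STAGE:
        return False
    uri = event.get("requestURI")
    if not isinstance(uri, str):
        # Assumption: an event with no requestURI cannot satisfy the '!='
        # terms, so it is treated as not forwarded.
        return False
    return not any(rx.match(uri) for rx in EXCLUDED_URI_RES)


def forwarded_uris(log_lines) -> list:
    """Apply the filter to raw CloudWatch log lines (one JSON audit event each).

    Returns the requestURI of every event that would be forwarded. Lines that
    are not JSON objects are skipped, since a JSON filter pattern cannot match
    them.
    """
    out = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and matches_filter(event):
            out.append(event["requestURI"])
    return out


# Constructed log lines in the shape of EKS audit events (not real cluster data).
SAMPLE_LOG_LINES = [
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "requestURI": "/api/v1/namespaces/kube-system/secrets/db-creds",
                "user": {"username": "ci-runner"}}),
    json.dumps({"stage": "RequestReceived", "verb": "get",
                "requestURI": "/api/v1/pods"}),
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "requestURI": "/healthz"}),
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "requestURI": "/version?timeout=32s"}),
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "requestURI": "/livez/ping"}),
    json.dumps({"stage": "ResponseComplete", "verb": "create",
                "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings"}),
    "not json at all",
]


if __name__ == "__main__":
    for uri in forwarded_uris(SAMPLE_LOG_LINES):
        print("forwarded:", uri)
```

Running the sample shows that the noisy probe traffic (health checks, version lookups) is dropped while the security-relevant reads and writes, such as access to a Secret or creation of a ClusterRoleBinding, are forwarded; only the `ResponseComplete` stage is kept so that each request is forwarded once rather than at every stage of its lifecycle.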