Ensure that AWS EKS Cluster control plane logging is enabled

Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. You can select the exact log types you need, and logs are sent as log streams to a group for each Amazon EKS cluster in CloudWatch.

Risk Level: Low
Cloud Entity: EKS Cluster
CloudGuard Rule ID: D9.AWS.LOG.18
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EksCluster should have logging.clusterLogging with [ enabled=true ]

REMEDIATION

From Portal

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EKS console.
  3. To display your cluster information, select the cluster's name.
  4. Navigate to Logging and click Update.
  5. For each log type (api, audit, authenticator, controllerManager, scheduler), select whether it should be Enabled.
  6. Click Update.

From TF

resource "aws_eks_cluster" "example" {
  # var.cluster_name, aws_iam_role.example and var.kms_key_arn are assumed to be
  # defined elsewhere in the configuration (placeholders, not part of the original snippet)
  name     = var.cluster_name
  role_arn = aws_iam_role.example.arn

  vpc_config {
    endpoint_public_access = false
    subnet_ids             = var.subnet_ids
  }

  tags = {
    pike = "permissions"
  }

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = var.kms_key_arn
    }
  }

  # Enable all five control plane log types so they are shipped to CloudWatch Logs
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

From Command Line
Use the following command to enable control plane logs with the AWS CLI:

aws eks update-cluster-config --region REGION_NAME --name CLUSTER_NAME --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

Note: the --logging parameter is a JSON document that defines which log types are enabled for the cluster; drop any types you do not want from the "types" list. For more information, see the References section.
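The check below is an added example (not CloudGuard's or AWS's own code) that applies the GSL logic above to the "cluster" object returned by `aws eks describe-cluster` and builds the `--logging` argument for the CLI remediation. The sample cluster document is constructed for illustration; on a real cluster the same dict would come from boto3's `describe_cluster()["cluster"]`.

```python
import json

# The five control plane log types EKS can export to CloudWatch Logs.
ALL_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Constructed sample of the "cluster" object from `aws eks describe-cluster`,
# reduced to the fields this check needs. Not real account data.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "logging": {
        "clusterLogging": [
            {"types": ["api", "audit"], "enabled": True},
            {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
        ]
    },
}


def cluster_logging_entries(cluster):
    """Return the logging.clusterLogging list, tolerating clusters with no logging block."""
    return cluster.get("logging", {}).get("clusterLogging", [])


def passes_gsl_rule(cluster):
    """Mirror of `logging.clusterLogging with [ enabled=true ]`: any enabled entry passes."""
    return any(entry.get("enabled") for entry in cluster_logging_entries(cluster))


def enabled_log_types(cluster):
    """Set of log types that are currently switched on."""
    enabled = set()
    for entry in cluster_logging_entries(cluster):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def missing_log_types(cluster):
    """Stricter view than the rule: which of the five types are still disabled."""
    return sorted(set(ALL_LOG_TYPES) - enabled_log_types(cluster))


def remediation_logging_arg():
    """JSON for `aws eks update-cluster-config --logging` that enables every type."""
    spec = {"clusterLogging": [{"types": list(ALL_LOG_TYPES), "enabled": True}]}
    return json.dumps(spec, separators=(",", ":"))


if __name__ == "__main__":
    c = SAMPLE_CLUSTER
    print(f"{c['name']}: rule passes={passes_gsl_rule(c)} missing={missing_log_types(c)}")
    if missing_log_types(c):
        print(f"aws eks update-cluster-config --name {c['name']} --logging '{remediation_logging_arg()}'")
```

The sample passes the CloudGuard rule (one entry is enabled) but the stricter check still reports three disabled types, which is why enabling all five, as the Terraform and CLI remediations do, is the safer target.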

References

  1. https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/update-cluster-config.html

EKS Cluster

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset