Profile applicability: Level 1 - Cluster / Control Plane
This recommendation emphasizes the importance of enabling audit logs for the EKS control plane to track all API server requests, whether they are accepted or rejected. Audit logs provide crucial visibility into the API server requests made by both authenticated and anonymous sources.
Note
By default, all control plane logging is disabled.

Audit

From the AWS console:
  1. Go to Amazon EKS > Clusters > cluster_name > Configuration > Logging.
  2. Check if the following options are set to 'Enabled':
    • API server
    • Audit
    • Authenticator
    • Controller manager
    • Scheduler
  3. Repeat for each EKS Cluster in each region.
From the CLI:
  • Open your terminal.
  • Run the following commands:
    export CLUSTER_NAME=<your cluster name>
    export REGION_CODE=<your region_code>
    aws eks describe-cluster --name ${CLUSTER_NAME} --region ${REGION_CODE} --query 'cluster.logging.clusterLogging'
  • Repeat for each EKS Cluster in each region.

Remediation

From the AWS console:
  1. For each EKS Cluster in each region:
    • Go to Amazon EKS > Clusters > CLUSTER_NAME > Configuration > Logging.
    • Click Manage logging.
  2. Ensure the following options are toggled to 'Enabled':
    • API server
    • Audit
    • Authenticator
    • Controller manager
    • Scheduler
  3. Click Save Changes.
  4. Repeat for each EKS Cluster in each region.
From the CLI:
  1. Open your terminal.
  2. Run the following commands:
    aws eks update-cluster-config \
        --region "${REGION_CODE}" \
        --name "${CLUSTER_NAME}" \
        --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
  3. Repeat for each EKS Cluster in each region.
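The following is an added example (not part of this benchmark page or of the AWS CLI) that automates both the audit and the remediation steps above. It evaluates the list returned by `aws eks describe-cluster --query 'cluster.logging.clusterLogging'`, which EKS reports as entries of the form `{"types": [...], "enabled": true|false}`; a type missing from every entry is disabled (consistent with the note that all control plane logging is off by default), so the check starts from the full required set rather than trusting only the entries that are present. The sample JSON is constructed for offline use; `audit_cluster()` assumes the `aws` CLI is installed and has `eks:DescribeCluster` permission, and the wrapper functions are hypothetical names, not AWS APIs.

```python
"""Audit and remediate EKS control plane logging (added example, not CIS/AWS code)."""
import json
import subprocess
import sys
from typing import Iterable, List

# The five control plane log types this recommendation requires, in page order.
REQUIRED_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Constructed sample of cluster.logging.clusterLogging (not from a real cluster):
# only api and audit are on, the other three are explicitly off.
SAMPLE_CLUSTER_LOGGING = json.loads("""
[
  {"types": ["api", "audit"], "enabled": true},
  {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}
]
""")


def disabled_log_types(cluster_logging: Iterable[dict]) -> set:
    """Return the required log types that are NOT enabled.

    Start from the full required set and subtract only types that appear in an
    entry with enabled=true. A type absent from every entry, or listed only in
    an enabled=false entry, therefore counts as disabled.
    """
    enabled = set()
    for entry in cluster_logging:
        if entry.get("enabled") is True:
            enabled.update(entry.get("types", []))
    return set(REQUIRED_TYPES) - enabled


def remediation_payload() -> str:
    """JSON string for the --logging argument of `aws eks update-cluster-config`."""
    return json.dumps(
        {"clusterLogging": [{"types": list(REQUIRED_TYPES), "enabled": True}]}
    )


def audit_cluster(cluster_name: str, region: str) -> set:
    """Run the page's describe-cluster command and return the disabled types.

    Hypothetical helper: requires the aws CLI and eks:DescribeCluster rights.
    """
    out = subprocess.check_output([
        "aws", "eks", "describe-cluster",
        "--name", cluster_name, "--region", region,
        "--query", "cluster.logging.clusterLogging", "--output", "json",
    ])
    return disabled_log_types(json.loads(out))


def remediate_cluster(cluster_name: str, region: str) -> None:
    """Run the page's update-cluster-config command for one cluster.

    Hypothetical helper: requires eks:UpdateClusterConfig rights.
    """
    subprocess.check_call([
        "aws", "eks", "update-cluster-config",
        "--region", region, "--name", cluster_name,
        "--logging", remediation_payload(),
    ])


def main(argv: List[str]) -> int:
    """Usage: script.py <region> <cluster> [--fix]  (repeat per cluster/region)."""
    if len(argv) < 3:
        print(__doc__ + "\n" + main.__doc__)
        return 2
    region, cluster = argv[1], argv[2]
    missing = audit_cluster(cluster, region)
    if not missing:
        print(f"{region}/{cluster}: all control plane log types enabled")
        return 0
    print(f"{region}/{cluster}: disabled log types: {sorted(missing)}")
    if "--fix" in argv:
        remediate_cluster(cluster, region)
        print(f"{region}/{cluster}: update-cluster-config submitted")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `disabled_log_types(SAMPLE_CLUSTER_LOGGING)` offline yields the three types that the constructed sample leaves off; on a live cluster the same check is applied to the real `describe-cluster` output, and `--fix` submits exactly the payload shown in the remediation step.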