Ensure AWS EKS control plane logging is enabled

Error: AWS EKS control plane logging is disabled

Bridgecrew Policy ID: BC_AWS_KUBERNETES_4
Checkov Check ID: CKV_AWS_37
Severity: LOW

Description

Amazon EKS control plane logging provides valuable diagnostic logs for all control plane related actions. Logging covers the following control plane components:

  1. Kubernetes API server component logs (api). For more information, see kube-apiserver in the Kubernetes documentation.
  2. Audit (audit). Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see Auditing in the Kubernetes documentation.
  3. Authenticator (authenticator). For more information, see authorization in the Kubernetes documentation.
  4. Controller manager (controllerManager). For more information, see kube-controller-manager in the Kubernetes documentation.
  5. Scheduler (scheduler). For more information, see kube-scheduler in the Kubernetes documentation.

Amazon EKS control plane logging is used to detect anomalous configuration activity in your cluster. It is used to track configuration changes made manually and programmatically, and to trace back unapproved changes.

Fix - Runtime

AWS Console

To enable Amazon EKS logging, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EKS console.
  3. To display your cluster information, select the cluster's name.
  4. Navigate to Logging and click Update.
  5. For each individual log stream, choose whether the log type should be Enabled.
  6. Click Update.

Fix - Buildtime

Terraform

The code below enables control plane logging.

Resource: aws_eks_cluster
Attributes: enabled_cluster_log_types

resource "aws_eks_cluster" "pike" {
  # var.name, var.subnet_ids, aws_iam_role.pike and aws_kms_key.pike are assumed to be defined elsewhere
  name     = var.name
  role_arn = aws_iam_role.pike.arn

  vpc_config {
    # At least one of private/public endpoint access must be enabled
    endpoint_private_access = true
    endpoint_public_access  = false
    subnet_ids              = var.subnet_ids
  }

  tags = {
    pike = "permissions"
  }

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.pike.arn
    }
  }

  # Enable all five control plane log types (the fix for CKV_AWS_37)
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}
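The following is an added example, not code from this page or from Checkov itself. It shows a simplified buildtime check in the spirit of CKV_AWS_37 over an aws_eks_cluster resource given as a plain dict of its attributes, and a runtime audit over the dict that boto3's eks.describe_cluster() returns under "cluster". The resource dicts and the cluster description are constructed samples; the five log types are the ones documented above.

```python
"""Audit EKS control plane logging at buildtime (Terraform) and at runtime (describe_cluster)."""
from typing import Dict, List

# The five control plane log types documented on the page.
REQUIRED_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")


def check_terraform_resource(resource: Dict) -> str:
    """Simplified re-implementation of the buildtime check (not Checkov's own code).

    `resource` is an aws_eks_cluster block as a plain dict of its attributes.
    Returns "PASSED" only when every required log type is enabled, else "FAILED".
    """
    enabled = resource.get("enabled_cluster_log_types") or []
    return "PASSED" if all(t in enabled for t in REQUIRED_LOG_TYPES) else "FAILED"


def missing_log_types(cluster: Dict) -> List[str]:
    """Runtime check over describe_cluster()["cluster"].

    EKS reports logging as a list of {"types": [...], "enabled": bool} entries;
    any required type that is not in an enabled entry is reported as missing.
    """
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]


# Constructed samples: the fixed resource from the page and one without the attribute.
FIXED_RESOURCE = {"name": "pike", "enabled_cluster_log_types": list(REQUIRED_LOG_TYPES)}
UNFIXED_RESOURCE = {"name": "pike"}

# Constructed sample in the shape boto3 returns; only api and audit are enabled here.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]},
}

if __name__ == "__main__":
    print("buildtime:", check_terraform_resource(UNFIXED_RESOURCE), check_terraform_resource(FIXED_RESOURCE))
    print("runtime, missing log types:", missing_log_types(SAMPLE_CLUSTER))
```

To run the runtime check against a live cluster, pass `boto3.client("eks").describe_cluster(name=...)["cluster"]` to `missing_log_types`.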