Profile Applicability:

  • Level 1

Description:

Amazon GuardDuty EKS Audit Log Monitoring provides threat detection for Amazon Elastic Kubernetes Service (EKS) by analyzing audit logs from EKS clusters. It identifies malicious or unauthorized behavior in your Kubernetes clusters, such as:

  • Unauthorized API calls.

  • Escalation of privileges.

  • Access to sensitive resources.

Enabling EKS Audit Log Monitoring helps improve the security of Kubernetes environments by detecting potential threats at the control plane level.

Rationale:

Kubernetes clusters are complex environments with numerous moving parts, making them susceptible to misconfigurations and unauthorized access. By enabling GuardDuty EKS Audit Log Monitoring, you can:

  • Detect anomalous behavior in EKS clusters.

  • Identify unauthorized access attempts and API calls.

  • Enhance the overall security posture of your Kubernetes workloads.

Impact:

  • Pros:

    • Improved visibility into EKS cluster activity.

    • Early detection of suspicious activity and threats.

    • Integration with existing GuardDuty threat detection.

  • Cons:

    • Additional cost associated with enabling EKS Audit Log Monitoring.

    • Slight performance overhead due to increased log analysis.

Default Value:

  • EKS Audit Log Monitoring is disabled by default in Amazon GuardDuty and must be manually enabled.

Pre-Requisite:

  • AWS IAM permissions:

    • guardduty:UpdateDetector

    • guardduty:GetDetector

    • guardduty:ListDetectors

    • guardduty:CreateDetector

  • Amazon GuardDuty must be enabled in the AWS account.

  • EKS clusters must be deployed and operational.

Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon GuardDuty.

  3. In the left navigation pane, select Detectors.

  4. Choose the active Detector for your AWS region.

  5. Go to EKS Protection settings.

  6. Check the status of EKS Audit Log Monitoring:

    • Pass: If the status is Enabled.

    • Fail: If the status is Disabled.

Using AWS CLI:

List GuardDuty Detectors:

aws guardduty list-detectors --region <region>

  1. Note the Detector ID from the output.

Check EKS Audit Log Monitoring Status:

aws guardduty get-detector --detector-id <detector-id> --region <region> --query 'DataSources.Kubernetes.AuditLogs.Status'

  • Pass: If the status is ENABLED.

  • Fail: If the status is DISABLED.

Implementation Steps

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon GuardDuty.

  3. Select Detectors → Choose the Detector ID for your region.

  4. In the left menu, select EKS Protection.

  5. Enable EKS Audit Log Monitoring:

    • Toggle the switch to Enable under Audit Logs.

    • Confirm enabling EKS Audit Log Monitoring.

  6. Save Changes.

Using AWS CLI:

List Detectors:

aws guardduty list-detectors --region <region>

Enable EKS Audit Log Monitoring:

aws guardduty update-detector \
  --detector-id <detector-id> \
  --region <region> \
  --features Name=EKS_AUDIT_LOGS,Status=ENABLED

(EKS audit log monitoring is switched on through the EKS_AUDIT_LOGS detector feature; update-detector has no --enable-kubernetes-audit-logs option.)

Verify the Status:

aws guardduty get-detector --detector-id <detector-id> --region <region> --query 'DataSources.Kubernetes.AuditLogs.Status'

The expected output:
"ENABLED"
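The Test Plan and Implementation Steps above are per-detector, per-region checks. The script below is an added example (not part of this benchmark and not AWS code) that automates both: it evaluates a GetDetector response for this control, reports PASS/FAIL for every detector in a region, and enables the EKS_AUDIT_LOGS feature on failing detectors. It accepts any object with the boto3 GuardDuty client methods list_detectors, get_detector and update_detector; the FakeGuardDuty class and the sample detector records are constructed stand-ins so the script runs offline, and the detector ids in them are placeholders. The check reads the current Features list first and falls back to the legacy DataSources.Kubernetes.AuditLogs block that the CLI query on this page uses, and it treats a region with no detector as a FAIL, since GuardDuty itself is not enabled there.

```python
"""Audit and remediate GuardDuty EKS Audit Log Monitoring for one region.

Added example; assumes a boto3-style GuardDuty client (FakeGuardDuty below is
a constructed in-memory substitute so the script runs without AWS access).
"""
import copy

EKS_AUDIT_FEATURE = "EKS_AUDIT_LOGS"   # GuardDuty detector feature name
NO_DETECTOR = "<no-detector>"         # marker for a region without GuardDuty


def eks_audit_logs_enabled(detector: dict) -> bool:
    """True if EKS Audit Log Monitoring is ENABLED in a GetDetector response.

    The Features list is authoritative; the legacy DataSources block is only
    consulted when no EKS_AUDIT_LOGS feature entry is present.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == EKS_AUDIT_FEATURE:
            return feature.get("Status") == "ENABLED"
    legacy = (detector.get("DataSources", {})
              .get("Kubernetes", {})
              .get("AuditLogs", {})
              .get("Status"))
    return legacy == "ENABLED"


def audit_region(client) -> dict:
    """Map each detector id in the region to PASS or FAIL (Test Plan)."""
    ids = client.list_detectors().get("DetectorIds", [])
    if not ids:
        return {NO_DETECTOR: "FAIL"}     # GuardDuty not enabled in this region
    return {
        d: "PASS" if eks_audit_logs_enabled(client.get_detector(DetectorId=d)) else "FAIL"
        for d in ids
    }


def remediate_region(client) -> list:
    """Enable EKS_AUDIT_LOGS on every failing detector (Implementation Steps).

    Returns the ids that were changed; a missing detector cannot be fixed here
    because creating one is a separate decision.
    """
    changed = []
    for detector_id, verdict in audit_region(client).items():
        if verdict == "FAIL" and detector_id != NO_DETECTOR:
            client.update_detector(
                DetectorId=detector_id,
                Features=[{"Name": EKS_AUDIT_FEATURE, "Status": "ENABLED"}],
            )
            changed.append(detector_id)
    return changed


class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty'); state kept in memory."""

    def __init__(self, detectors: dict):
        self._detectors = copy.deepcopy(detectors)

    def list_detectors(self):
        return {"DetectorIds": list(self._detectors)}

    def get_detector(self, DetectorId):
        return copy.deepcopy(self._detectors[DetectorId])

    def update_detector(self, DetectorId, Features=None, **_ignored):
        det = self._detectors[DetectorId]
        feats = det.setdefault("Features", [])
        for new in Features or []:
            match = [f for f in feats if f["Name"] == new["Name"]]
            if match:
                match[0]["Status"] = new["Status"]
            else:
                feats.append(dict(new))


# Constructed sample GetDetector responses with placeholder detector ids:
# one compliant detector, one that only reports the legacy DataSources shape.
SAMPLE_DETECTORS = {
    "detector-enabled-example": {
        "Status": "ENABLED",
        "Features": [{"Name": EKS_AUDIT_FEATURE, "Status": "ENABLED"}],
    },
    "detector-disabled-example": {
        "Status": "ENABLED",
        "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "DISABLED"}}},
    },
}


def demo():
    """Run audit -> remediate -> re-audit against the constructed sample."""
    client = FakeGuardDuty(SAMPLE_DETECTORS)
    before = audit_region(client)
    changed = remediate_region(client)
    after = audit_region(client)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("before:", before)
    print("remediated:", changed)
    print("after:", after)
```

Against a real account, pass `boto3.client("guardduty", region_name=...)` to audit_region once per region you operate in; GuardDuty detectors are regional, so a PASS in one region says nothing about the others.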

Backout Plan:

If enabling EKS Audit Log Monitoring causes unexpected costs or operational issues, it can be disabled:

  1. Go to Amazon GuardDuty in the AWS Console.

  2. Navigate to Detectors → EKS Protection.

  3. Toggle EKS Audit Log Monitoring to Disabled.

  4. Save Changes.
