Profile Applicability:

  • Level 1

Description:

Amazon Elastic Kubernetes Service (EKS) is a managed service that runs the Kubernetes control plane for you on AWS, so you do not install or operate control plane nodes yourself. Control Plane Logging is the EKS feature that delivers logs from that managed control plane to CloudWatch Logs. Five log types are available: API server logs (api), audit logs (audit), authenticator logs (authenticator), controller manager logs (controllerManager), and scheduler logs (scheduler). All enabled types are written to a single log group per cluster, /aws/eks/<cluster-name>/cluster, in the cluster's region. Because you have no shell access to the EKS control plane, these logs are the only record of what the control plane did, and they are essential for debugging, monitoring, and securing your clusters.

Enabling control plane logging for all required log types ensures that you can capture critical data related to the operation of your EKS clusters, which helps in troubleshooting issues, detecting security incidents, and maintaining compliance with industry standards.

Rationale:

Enabling EKS Control Plane Logging is important for:

  • Security Monitoring: Captures logs for API calls and authentication events, enabling the detection of potential security threats or misconfigurations.

  • Operational Monitoring: Provides insights into the performance and health of the Kubernetes control plane, helping detect issues with cluster components.

  • Compliance: Meets security and compliance requirements for logging and monitoring, ensuring that logs are available for auditing and incident response.

  • Troubleshooting: Helps identify problems with the Kubernetes control plane or worker nodes, improving incident resolution times.

Impact:

Pros:

  • Improved Visibility: Provides deeper insights into the EKS control plane, making it easier to monitor and troubleshoot.

  • Enhanced Security: Helps identify unauthorized API access or other suspicious activities that could pose security risks.

  • Compliance: Assists with compliance to standards such as PCI DSS, SOC 2, ISO 27001, and others requiring comprehensive logging.

  • Proactive Issue Detection: Enables early detection of potential issues by capturing relevant control plane activity.

Cons:

  • Increased Storage Costs: Storing log data in CloudWatch Logs or other log storage solutions may incur additional costs.

  • Potential Overhead: Log volume grows with cluster activity (the api and audit types in particular), so retention policies and, where needed, export or subscription filters are required to keep CloudWatch Logs ingestion and storage costs predictable.

Default Value:

By default, EKS Control Plane Logging is disabled. You must explicitly enable it and select the required log types during cluster creation or update.

Pre-requisite:

  • AWS IAM Permissions:

    • eks:DescribeCluster (read the current logging configuration)

    • eks:UpdateClusterConfig (enable or disable log types on an existing cluster)

    • eks:CreateCluster (only if logging is configured at cluster creation)

    • logs:DescribeLogGroups and logs:DescribeLogStreams (verify that logs are arriving in CloudWatch Logs)

    EKS delivers the logs to CloudWatch Logs itself, so the operator does not need logs:PutLogEvents. Note that CloudWatch Logs actions use the logs: namespace; there is no cloudwatch:PutLogEvents action.

  • AWS CLI installed and configured.

  • EKS cluster must be set up and running.

  • Basic knowledge of Kubernetes logging and monitoring practices.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EKS under Services.

  3. In the EKS Dashboard, select the EKS cluster for which you want to check the control plane logging.

  4. Click on Configuration in the left-hand navigation.

  5. Under Logging, check the status of control plane logging and verify that all five log types are enabled:

    • API Server

    • Audit

    • Authenticator

    • Controller Manager

    • Scheduler

  6. If any log type is not enabled, modify the cluster to enable the required log types.

Using AWS CLI:

To check the current logging configuration of your EKS cluster, run:

aws eks describe-cluster --name <cluster-name> --query "cluster.logging"

This displays the current logging configuration as a clusterLogging list, showing which log types are enabled or disabled. A log type that does not appear in any entry with "enabled": true is disabled.

If any log types are missing, update the logging configuration using:

aws eks update-cluster-config --name <cluster-name> --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

After updating, confirm that the required logs are enabled by running:

aws eks describe-cluster --name <cluster-name> --query "cluster.logging"
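The audit step above is a manual read of the describe-cluster output. The following is an added example, not part of the original recommendation or an AWS tool: a small Python checker that consumes the JSON printed by the describe-cluster command (either the --query "cluster.logging" object or the full document), reports which of the five log types are not enabled, and emits the exact --logging payload for update-cluster-config. The sample JSON embedded in it is constructed, not captured from a real cluster.

```python
"""Audit helper for EKS control plane logging.

Feed it the JSON printed by
  aws eks describe-cluster --name <cluster-name> --query "cluster.logging"
(or the full describe-cluster output) and it reports which of the five
log types are not enabled and builds the --logging payload that enables them.
"""
import json

# All five control plane log types EKS can deliver to CloudWatch Logs.
REQUIRED_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Constructed sample output (not captured from a real cluster): only api and
# audit are on, the other three are explicitly off.
SAMPLE_LOGGING = json.dumps({
    "clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]
})


def enabled_log_types(logging_json):
    """Return the set of log types whose entry has enabled == true.

    Accepts either the --query "cluster.logging" object or the full
    describe-cluster document. A null or empty logging block (a cluster that
    has never had logging configured) yields an empty set: any type that is
    not listed as enabled is treated as disabled, which is what EKS does.
    """
    cfg = json.loads(logging_json)
    if isinstance(cfg, dict) and "cluster" in cfg:      # full describe-cluster output
        cfg = cfg["cluster"].get("logging")
    if not cfg:
        return set()
    enabled = set()
    for entry in cfg.get("clusterLogging", []):
        if entry.get("enabled") is True:
            enabled.update(entry.get("types", []))
    return enabled


def missing_log_types(logging_json):
    """Required log types that are not enabled, in the order EKS lists them."""
    enabled = enabled_log_types(logging_json)
    return [t for t in REQUIRED_TYPES if t not in enabled]


def remediation_payload():
    """Value for `aws eks update-cluster-config --logging ...` that enables all five types."""
    return json.dumps({"clusterLogging": [{"types": list(REQUIRED_TYPES), "enabled": True}]})


def audit(logging_json):
    """Return (verdict, missing_types): 'PASS' only if every required type is enabled."""
    missing = missing_log_types(logging_json)
    return ("PASS" if not missing else "FAIL", missing)


if __name__ == "__main__":
    verdict, missing = audit(SAMPLE_LOGGING)
    print(f"{verdict}: missing log types = {missing}")
    if missing:
        print("remediate with: aws eks update-cluster-config --name <cluster-name> "
              f"--logging '{remediation_payload()}'")
```

Pipe real output in with, for example, `aws eks describe-cluster --name <cluster-name> --query "cluster.logging" | python3 -c 'import sys, audit_eks_logging as a; print(a.audit(sys.stdin.read()))'` (module name assumed). The payload it prints is itself a valid clusterLogging document, so the checker reports PASS on its own remediation output.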

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to EKS.

  2. In the EKS Dashboard, select the EKS cluster to configure.

  3. Under Configuration, go to Logging and click on Edit.

  4. Enable all five log types:

    • API Server

    • Audit

    • Authenticator

    • Controller Manager

    • Scheduler

  5. Save the changes to ensure that logging is enabled for the selected log types.

  6. Review the CloudWatch Logs to verify that the logs are being captured and stored correctly.

Using AWS CLI:

Enable control plane logging by running the following command:

aws eks update-cluster-config --name <cluster-name> --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

Confirm the logs are being collected by checking the CloudWatch Logs for your cluster:

aws logs describe-log-streams --log-group-name /aws/eks/<cluster-name>/cluster --log-stream-name-prefix kube-apiserver-audit

All five log types are delivered to the single log group /aws/eks/<cluster-name>/cluster; each type is distinguished by its log stream name prefix (kube-apiserver-, kube-apiserver-audit-, authenticator-, kube-controller-manager-, kube-scheduler-). If streams with the expected prefixes exist and their lastEventTimestamp values are recent, EKS control plane logging is working correctly. Repeat the command with the other prefixes to verify every enabled log type; the update can take several minutes to take effect, so allow time before concluding that a type is not being delivered.
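An enabled setting only proves the configuration; the check a practitioner wants is that events are actually arriving for each type. The following is an added example, not part of the original recommendation or an AWS tool: it parses the JSON printed by the describe-log-streams command above (run without a prefix filter, so all streams in the cluster log group are returned), maps each stream to its log type by the prefixes listed above, and reports per type whether it has a stream, whether that stream has any events, and whether the newest event is recent. The stream list and the fixed "now" timestamp are constructed, not captured from a real account; the one-hour freshness window is an assumed default.

```python
"""Delivery check for EKS control plane logs.

Parses the JSON printed by
  aws logs describe-log-streams --log-group-name /aws/eks/<cluster-name>/cluster
and reports, per log type, whether a stream exists and whether it received an
event recently. Every type lands in that one log group and is identified by a
fixed stream name prefix.
"""
import json
from datetime import datetime, timezone

REQUIRED_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Stream-name prefix -> log type. Order matters: the audit prefix is a longer
# form of the plain API server prefix and must be tested first. Streams with
# any other prefix are ignored rather than guessed at.
STREAM_PREFIXES = (
    ("kube-apiserver-audit-", "audit"),
    ("kube-apiserver-", "api"),
    ("authenticator-", "authenticator"),
    ("kube-controller-manager-", "controllerManager"),
    ("kube-scheduler-", "scheduler"),
)

HOUR_MS = 60 * 60 * 1000
# Fixed "now" so the constructed sample below is reproducible.
NOW_MS = int(datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample (not captured from a real account). Timestamps are epoch
# milliseconds, as CloudWatch Logs reports them; a stream that has never
# received an event has no lastEventTimestamp field at all.
SAMPLE_STREAMS = json.dumps({"logStreams": [
    {"logStreamName": "kube-apiserver-audit-0123456789abcdef", "lastEventTimestamp": NOW_MS - 5 * 60 * 1000},
    {"logStreamName": "kube-apiserver-0123456789abcdef", "lastEventTimestamp": NOW_MS - 2 * 60 * 1000},
    {"logStreamName": "authenticator-0123456789abcdef", "lastEventTimestamp": NOW_MS - 30 * 60 * 1000},
    {"logStreamName": "kube-scheduler-0123456789abcdef", "lastEventTimestamp": NOW_MS - 3 * 24 * HOUR_MS},
    {"logStreamName": "kube-scheduler-fedcba9876543210"},   # created, no events yet
]})


def classify_stream(name):
    """Map a stream name to its log type, or None for an unrecognised stream."""
    for prefix, log_type in STREAM_PREFIXES:
        if name.startswith(prefix):
            return log_type
    return None


def delivery_status(streams_json, now_ms=NOW_MS, max_age_ms=HOUR_MS):
    """Per log type: 'delivering', 'stale', 'no events' or 'no stream'."""
    seen = set()      # types with at least one stream
    latest = {}       # type -> newest lastEventTimestamp across its streams
    for stream in json.loads(streams_json).get("logStreams", []):
        log_type = classify_stream(stream["logStreamName"])
        if log_type is None:
            continue
        seen.add(log_type)
        ts = stream.get("lastEventTimestamp")
        if ts is not None:
            latest[log_type] = max(latest.get(log_type, 0), ts)
    status = {}
    for log_type in REQUIRED_TYPES:
        if log_type not in seen:
            status[log_type] = "no stream"
        elif log_type not in latest:
            status[log_type] = "no events"
        elif now_ms - latest[log_type] > max_age_ms:
            status[log_type] = "stale"
        else:
            status[log_type] = "delivering"
    return status


def not_delivering(streams_json, now_ms=NOW_MS, max_age_ms=HOUR_MS):
    """Log types that fail the check, in EKS order."""
    return [t for t, s in delivery_status(streams_json, now_ms, max_age_ms).items()
            if s != "delivering"]


if __name__ == "__main__":
    for log_type, state in delivery_status(SAMPLE_STREAMS).items():
        print(f"{log_type:18} {state}")
```

Two caveats when running this against real output: describe-log-streams is paginated, so use the CLI's automatic pagination or loop over nextToken before feeding the result in; and the scheduler and controller manager types are quiet on an idle cluster, so a "stale" result for them may simply mean nothing was scheduled in the window. Widen max_age_ms or create a pod to generate events before treating it as a delivery failure.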

Backout Plan:

Reverting this change means disabling control plane logging, which removes the audit trail this recommendation exists to provide; do so only with a documented justification. Log groups and streams already delivered to CloudWatch Logs are not deleted when logging is disabled, and their retention is governed by the log group's retention policy.

Console Process

  1. Go to the EKS Console:

    • Open the Amazon EKS Console.

    • Select your cluster from the list.

  2. Disable Logging:

    • Navigate to the Logging tab and click Edit.

    • Clear the log types you want to disable:

      • API

      • Audit

      • Authenticator

      • ControllerManager

      • Scheduler

    • Click Save Changes to apply the settings.

  3. Verify in CloudWatch:

    • Go to CloudWatch Logs and confirm that no new events arrive in the /aws/eks/<cluster-name>/cluster log group for the disabled log types.

CLI Process

  1. Disable Logging:

Use the following command to disable all log types:

aws eks update-cluster-config \
--region <region> \
--name <cluster-name> \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":false}]}'

  2. Verify Logging:

    • Check the cluster configuration to confirm that every log type now shows "enabled": false:

      aws eks describe-cluster --name <cluster-name> --query "cluster.logging"


Note (Optional):

  • Log Retention: CloudWatch Logs log groups retain events indefinitely unless a retention policy is set. Set a retention period on /aws/eks/<cluster-name>/cluster that satisfies your audit requirements (CIS Control 8.10 calls for a minimum of 90 days) while keeping storage costs under control, and export to S3 if longer retention is needed.

  • Alerting: Define CloudWatch Logs metric filters on the kube-apiserver-audit- streams for events of interest (for example requests by the anonymous user, or changes to ClusterRoleBindings) and attach CloudWatch Alarms with SNS notifications to them.

References:

  • https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

CIS Controls Mapping:

Version  Control ID  Control Description                                                                                  IG1  IG2  IG3
v8       8.2         Collect Audit Logs – Ensure that logging has been enabled across enterprise assets.                  ✓    ✓    ✓
v8       8.5         Collect Detailed Audit Logs – Configure detailed audit logging for assets containing sensitive data.       ✓    ✓
v8       8.9         Centralize Audit Logs – Centralize audit log collection and retention across enterprise assets.           ✓    ✓
v8       8.10        Retain Audit Logs – Retain audit logs across enterprise assets for a minimum of 90 days.                  ✓    ✓