Profile Applicability:
 Level 1

Description:
 Control plane logs provide visibility into the operation of the EKS control plane components. The API server audit log records every request the API server accepts or rejects, including who made it, what it targeted, and the response status. When enabled via the EKS cluster configuration, the selected control plane log types are exported to a CloudWatch Logs log group (named /aws/eks/<cluster-name>/cluster) for persistence and analysis.

Rationale:
 Audit logs enable visibility into all API server requests from authenticated and anonymous sources. The stored log data can be analyzed manually or with tooling to identify and understand anomalous or malicious activity, enabling targeted remediation and strengthening the overall security posture. Without these logs, actions taken against the cluster API (for example, privilege escalation via RBAC changes or secret reads) leave no persistent record.

Impact:
 Pros:

  • Enhances security by providing visibility into all API requests.

  • Enables anomaly detection through manual or automated log analysis.

 Cons:

  • Incurs standard CloudWatch Logs data ingestion and storage charges; the audit log in particular can be high-volume on busy clusters.

  • Requires configuration and maintenance of the CloudWatch Logs log group (retention period, access control, and any forwarding to a SIEM).

Default Value:
 Control Plane Logging is disabled by default:

  • API server: Disabled

  • Audit: Disabled

  • Authenticator: Disabled

  • Controller manager: Disabled

  • Scheduler: Disabled

Pre-requisites:

  • AWS IAM permissions to view and update EKS configurations:
     eks:DescribeCluster, eks:UpdateClusterConfig

  • Access to CloudWatch for reviewing log group content:
     logs:DescribeLogGroups, logs:GetLogEvents

Remediation

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Amazon EKS > Clusters > [CLUSTER_NAME] > Configuration > Logging.

  3. Review the control plane logging configuration:

    • API server

    • Audit

    • Authenticator

    • Controller manager

    • Scheduler

  4. Ensure all options are set to Enabled.

Using AWS CLI:

  1. Set environment variables for your cluster and region.

  2. Run the following command to check the logging configuration:

aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${REGION_CODE}" --query 'cluster.logging.clusterLogging'

  3. The output is a list of groups, each with a "types" array and an "enabled" flag. Verify that all five types (api, audit, authenticator, controllerManager, scheduler) appear in a group with "enabled": true; any type listed under "enabled": false, or absent from the output, is disabled.

Implementation Plan

Using AWS Console:

  1. Navigate to Amazon EKS > Clusters > [CLUSTER_NAME] > Configuration > Logging.

  2. Click Manage logging.

  3. Enable all logging options:

    • API server

    • Audit

    • Authenticator

    • Controller manager

    • Scheduler

  4. Click Save Changes.

Using AWS CLI:

  1. Update the cluster logging configuration to enable all five log types.

  2. Run the following command (the variables must be in double quotes so the shell expands them; the update is asynchronous and the cluster shows a status of UPDATING until it completes):

aws eks update-cluster-config \
  --region "${REGION_CODE}" \
  --name "${CLUSTER_NAME}" \
  --logging '{ "clusterLogging": [ { "types": ["api", "audit", "authenticator", "controllerManager", "scheduler"], "enabled": true } ] }'
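The following is an added example, not code from the benchmark or from AWS. It implements the check in the Test Plan and builds the payload used in the Implementation Plan: it consumes the JSON that `aws eks describe-cluster --query 'cluster.logging.clusterLogging'` prints (passed in as already-parsed data, so it never calls AWS and runs offline), reports which of the five log types are disabled, and produces the `update-cluster-config` command for exactly those types. The sample input, the cluster name and the region are constructed for illustration.

```python
"""Check EKS control-plane logging and build the remediation command.

Added example for this page (not AWS or CIS code). Input is the parsed JSON
from `aws eks describe-cluster --query 'cluster.logging.clusterLogging'`.
"""
import json
import shlex

# The five control-plane log types Amazon EKS can export to CloudWatch Logs.
REQUIRED_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")


def disabled_log_types(cluster_logging):
    """Return the required log types that are not enabled, in canonical order.

    `cluster_logging` is the list under cluster.logging.clusterLogging. Each
    element groups several types under one `enabled` flag, and EKS lists the
    disabled types in their own group. A type absent from every group is also
    disabled (the EKS default), so we collect the enabled set and diff against
    REQUIRED_LOG_TYPES rather than looking for "a group with enabled: true".
    """
    enabled = set()
    for group in cluster_logging or []:
        if group.get("enabled") is True:
            enabled.update(group.get("types", []))
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]


def is_compliant(cluster_logging):
    """True only when all five control-plane log types are enabled."""
    return not disabled_log_types(cluster_logging)


def logging_payload(types, enabled=True):
    """Build the JSON document passed to `aws eks update-cluster-config --logging`."""
    return json.dumps({"clusterLogging": [{"types": list(types), "enabled": enabled}]})


def remediation_command(cluster_name, region, types):
    """Return the update-cluster-config command as a shell-quoted string.

    Only the types that are actually off are listed; for a compliant cluster
    there is nothing to do and an empty string is returned.
    """
    if not types:
        return ""
    argv = [
        "aws", "eks", "update-cluster-config",
        "--region", region,
        "--name", cluster_name,
        "--logging", logging_payload(types, enabled=True),
    ]
    return " ".join(shlex.quote(a) for a in argv)


# Constructed sample in the shape describe-cluster prints for a cluster where
# only api and audit logging were switched on. Not output from a real account.
SAMPLE_CLUSTER_LOGGING = json.loads("""
[
  {"types": ["api", "audit"], "enabled": true},
  {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}
]
""")

if __name__ == "__main__":
    missing = disabled_log_types(SAMPLE_CLUSTER_LOGGING)
    print("compliant:", is_compliant(SAMPLE_CLUSTER_LOGGING))
    print("disabled types:", missing)
    # Hypothetical cluster name and region, for illustration only.
    print(remediation_command("prod-cluster", "us-east-1", missing))
```

To run it against a real cluster, pipe the describe-cluster output into the script and load it with `json.load(sys.stdin)`; the produced command can then be reviewed before it is executed.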

Backout Plan

Using AWS Console:

  1. Navigate to Amazon EKS > Clusters > [CLUSTER_NAME] > Configuration > Logging.

  2. Click Manage logging.

  3. Disable the log types that are being rolled back.

  4. Click Save Changes.

Using AWS CLI:

  1. Update the cluster logging configuration to disable all types (or list only the types to be rolled back).

  2. Run the following command:

aws eks update-cluster-config \
  --region "${REGION_CODE}" \
  --name "${CLUSTER_NAME}" \
  --logging '{ "clusterLogging": [ { "types": ["api", "audit", "authenticator", "controllerManager", "scheduler"], "enabled": false } ] }'

References:

  1. Kubernetes Audit Logs

  2. AWS EKS Best Practices – Detective Controls

  3. Amazon EKS Control Plane Logging

  4. Logging with AWS CloudTrail