Profile Applicability:
Level 1
Description:
Audit logs should be enabled for Kubernetes clusters to capture and record API requests and changes made to the cluster resources. This helps in tracking user activities, detecting unauthorized access, and supporting compliance with security policies.
Rationale:
Enabling audit logs allows organizations to monitor activities within the cluster, providing visibility into operations. It is a key feature for security monitoring, troubleshooting, and forensic analysis in case of a security incident.
Impact:
Pros:
Provides detailed records of operations for security monitoring.
Supports compliance with regulatory requirements.
Assists in incident response and post-incident analysis.
Cons:
Increased resource consumption due to the logging of events.
Requires appropriate configuration and log management.
Default Value:
Audit logging is not enabled by default. It must be configured to capture API server and audit events.
Pre-requisites:
Ensure that Azure Kubernetes Service (AKS) is properly configured for logging.
Ensure that Azure Monitor or a third-party log management system is set up for centralized logging.
Remediation:
Test Plan:
Using Azure Console:
Go to the Azure portal and navigate to the AKS cluster settings.
Check the "Diagnostic settings" to verify that audit logs are being collected.
Ensure that logs are being forwarded to Azure Monitor or a centralized logging system.
Using Azure CLI:
Use the Azure CLI to verify the audit logging configuration. In AKS the audit log is a diagnostic-settings log category (kube-audit, or the lower-volume kube-audit-admin) attached to the cluster resource, not an add-on profile, so list the diagnostic settings of the cluster:
az monitor diagnostic-settings list --resource $(az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query id -o tsv)
Ensure that at least one diagnostic setting lists the kube-audit (or kube-audit-admin) category with enabled set to true and has a destination configured (for example a Log Analytics workspace).
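The following Python script is an added example, not part of the benchmark text, that automates the CLI check above: it evaluates the JSON printed by `az monitor diagnostic-settings list --resource <aks-resource-id>` and reports whether any setting forwards Kubernetes audit logs to a destination. It assumes the CLI output is either a JSON list of settings or an object with a "value" list (both shapes have been emitted by different CLI versions), and the two embedded samples are constructed for illustration.

```python
"""Assess AKS diagnostic settings for enabled, forwarded audit logging.

Added example; the sample documents below are constructed, not captured
from a real cluster. Feed real data with:
  az monitor diagnostic-settings list --resource <aks-resource-id> -o json
"""
import json

# Log categories that carry Kubernetes API server audit events in AKS.
AUDIT_CATEGORIES = {"kube-audit", "kube-audit-admin"}
# A setting is only useful if the logs actually go somewhere.
DESTINATION_FIELDS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def _settings(doc):
    """Normalise both CLI output shapes (list, or {"value": [...]}) to a list."""
    if isinstance(doc, dict):
        return list(doc.get("value", []))
    return list(doc)


def enabled_audit_categories(setting):
    """Return the audit categories a single diagnostic setting enables.

    The "allLogs" category group covers every log category, so it counts too.
    """
    found = set()
    for entry in setting.get("logs", []):
        if not entry.get("enabled"):
            continue
        if entry.get("category") in AUDIT_CATEGORIES:
            found.add(entry["category"])
        if entry.get("categoryGroup") == "allLogs":
            found.add("categoryGroup:allLogs")
    return found


def has_destination(setting):
    """True if the setting names at least one sink for the logs."""
    return any(setting.get(field) for field in DESTINATION_FIELDS)


def assess(doc):
    """Return (compliant, findings) for the cluster's diagnostic settings."""
    settings = _settings(doc)
    if not settings:
        return False, ["no diagnostic settings attached to the cluster"]
    compliant = False
    findings = []
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        categories = enabled_audit_categories(setting)
        if not categories:
            findings.append(f"{name}: no audit category enabled")
        elif not has_destination(setting):
            findings.append(f"{name}: audit enabled but no destination configured")
        else:
            findings.append(f"{name}: forwards {sorted(categories)}")
            compliant = True
    return compliant, findings


# Constructed sample: one metrics-only setting plus one that forwards
# kube-audit to a Log Analytics workspace (placeholder resource id).
SAMPLE_COMPLIANT = json.loads("""
[
  {"name": "metrics-only",
   "logs": [{"category": "kube-audit", "enabled": false}],
   "metrics": [{"category": "AllMetrics", "enabled": true}],
   "workspaceId": "/subscriptions/<sub-id>/.../workspaces/<law-name>"},
  {"name": "audit-to-law",
   "logs": [{"category": "kube-audit", "enabled": true},
            {"category": "kube-apiserver", "enabled": false}],
   "workspaceId": "/subscriptions/<sub-id>/.../workspaces/<law-name>",
   "storageAccountId": null, "eventHubAuthorizationRuleId": null}
]
""")

# Constructed sample: audit category enabled but no destination at all.
SAMPLE_NONCOMPLIANT = {"value": [
    {"name": "dangling", "logs": [{"category": "kube-audit-admin", "enabled": True}],
     "workspaceId": None, "storageAccountId": None, "eventHubAuthorizationRuleId": None}
]}


if __name__ == "__main__":
    for label, doc in (("compliant", SAMPLE_COMPLIANT), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        ok, notes = assess(doc)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for note in notes:
            print("  -", note)
```

To check a live cluster, pipe the CLI output into the script (for example `az monitor diagnostic-settings list --resource "$AKS_ID" -o json | python3 -c 'import json,sys; from check import assess; print(assess(json.load(sys.stdin)))'`, assuming the block is saved as check.py). The check deliberately treats "enabled but no destination" as a failure, because such a setting satisfies a naive query for enabled: true while no audit event ever reaches a log store.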
Implementation Plan:
Using Azure Console:
Navigate to the AKS cluster in the Azure portal.
Under the "Monitoring" section, go to "Diagnostic settings."
Enable "Audit Logs" and configure the forwarding destination (e.g., Azure Monitor).
Using Azure CLI:
Enable audit logs using the Azure CLI by creating a diagnostic setting on the cluster resource that forwards the kube-audit category to a Log Analytics workspace (the monitoring add-on alone enables Container Insights, not API server audit logging):
az monitor diagnostic-settings create --name <setting-name> --resource $(az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query id -o tsv) --workspace <log-analytics-workspace-id> --logs '[{"category":"kube-audit","enabled":true}]'
Backout Plan:
Using Azure Console:
If audit logs cause performance issues or unnecessary data, navigate back to the "Diagnostic settings" section and disable the "Audit Logs."
Using Azure CLI:
Disable audit logging with the Azure CLI by removing the diagnostic setting that forwards the kube-audit category:
az monitor diagnostic-settings delete --name <setting-name> --resource $(az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query id -o tsv)
References: