Profile Applicability:

  • Level 2

Description:

An audit policy is essential for ensuring that key security concerns are properly logged and tracked. A comprehensive audit policy should cover critical activities, such as unauthorized access attempts, user privilege escalations, configuration changes, sensitive data access, and any other potentially malicious actions. This ensures that security incidents can be detected early and investigated thoroughly.

Rationale:

Having an audit policy that specifically covers security concerns is crucial for maintaining the integrity of a Kubernetes cluster. It helps track events related to critical resources, user activities, and system configurations that could indicate security vulnerabilities or breaches. A well-defined security-focused audit policy assists in compliance auditing, incident response, and overall security monitoring.

Impact:

  • Pros:

    • Ensures that sensitive actions, like access control modifications and privilege escalations, are logged for security and compliance purposes.

    • Improves the ability to track and respond to security incidents effectively.

    • Provides a historical record of security-related activities for auditing and investigation.

  • Cons:

    • A comprehensive audit policy can generate a significant amount of log data, requiring sufficient storage and processing capacity.

    • If not configured properly, it could either miss critical security-related events or overwhelm the system with unnecessary logs.

Default Value:

Kubernetes does not provide a default audit policy that covers all security concerns. Instead, it offers a sample policy, which can be customized to meet security needs.

Pre-requisites:

  • The Kubernetes API server should be configured to enable audit logging.

  • The audit policy should be created and configured to capture security-relevant events (e.g., access attempts, privilege escalations, resource changes).

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster.

  3. Go to the Kubernetes API server configuration.

  4. Ensure that the audit policy file includes entries for logging security-related events, such as unauthorized access, changes to RBAC roles, and modifications to sensitive resources like Secrets, ConfigMaps, etc.

Using AWS CLI:

Run the following AWS CLI command to describe your EKS cluster's configuration:

aws eks describe-cluster --name <cluster-name> --query "cluster.config"

  1. Ensure that the audit policy file is set, and verify that security concerns such as authentication failures, role-based access control (RBAC) changes, and changes to sensitive resources are covered.

Implementation Plan

Using AWS Console:

  1. Navigate to the EKS cluster in the AWS Console.

  2. Under the Cluster Configuration section, modify the API server settings.

  3. Create and set an audit policy that specifically includes key security concerns like user authentication events, access to sensitive data, and changes to critical resources.

  4. Save the configuration and apply the changes.

Using AWS CLI:

To configure an audit policy that covers security concerns, update the --audit-policy-file argument in the API server configuration to reference a policy file that includes key security events:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --audit-policy-file <path-to-security-policy-file>

Backout Plan

Using AWS Console:

  1. Navigate to the EKS cluster's API server configuration.

  2. If necessary, revert the audit policy to a previous, less restrictive configuration or the default policy.

  3. Save the configuration and redeploy the cluster.

Using AWS CLI:

If issues occur, revert the change by reconfiguring the audit policy:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --audit-policy-file <previous-policy-file>

References: