Profile Applicability:

  • Level 1

Description:

An audit policy in Kubernetes defines the level of detail captured in the audit logs. A minimal audit policy ensures that only the most critical events, such as user actions or system changes, are logged, while minimizing the overhead of excessive logging. This approach allows administrators to maintain security and compliance while managing storage and performance overhead effectively.

Rationale:

Creating a minimal audit policy ensures that the Kubernetes API server captures enough data to detect unauthorized or malicious actions while avoiding excessive logging of irrelevant or low-value events. A well-defined minimal audit policy helps meet compliance requirements without unnecessarily consuming storage and computational resources.

Impact:

Pros:

  • Ensures compliance by capturing essential events, such as access attempts and configuration changes.

  • Reduces storage and performance overhead by avoiding unnecessary logging of trivial or redundant events.

Cons:

  • May miss some detailed logs that could be useful for in-depth troubleshooting or security investigations.

  • Requires careful balance to ensure critical actions are logged while avoiding excessive data collection.

Default Value:

A default audit policy is not provided out of the box, but Kubernetes supplies a sample policy that can be customized.

Pre-requisites:

  • An understanding of the critical actions that need to be logged for security, compliance, and operational auditing purposes.

  • Configuration of the API server to enable audit logging with a defined policy.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster.

  3. Go to the Kubernetes API server configuration.

  4. Ensure that an audit policy is defined and that it follows the minimal logging approach (e.g., capturing only important user actions, changes to configurations, etc.).

Using AWS CLI:

Run the following AWS CLI command to describe your EKS cluster's configuration:

aws eks describe-cluster --name <cluster-name> --query "cluster.config"

  1. Ensure that an audit policy is specified, and verify that it captures only critical events.

Implementation Plan:

Using AWS Console:

  1. Navigate to the EKS cluster in the AWS Console.

  2. Under the Cluster Configuration section, modify the API server settings.

  3. Create and set a minimal audit policy by specifying what actions need to be logged (e.g., "metadata", "requestReceived", "requestResponse").

  4. Save the configuration and apply the changes.

Using AWS CLI:

To enable an audit policy, configure the API server to use a minimal audit policy file:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --audit-policy-file <path-to-policy-file>
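As an added example of what a minimal policy file of the kind referenced by <path-to-policy-file> can look like (constructed for illustration here; not the page's or AWS's own policy), the following standard audit.k8s.io/v1 Policy keeps contents of secrets out of the log, drops high-volume read traffic, records full bodies only for access-control and workload changes, and logs metadata for everything else. Rules are evaluated top to bottom and the first match wins, so the rule protecting secret contents sits first.

```yaml
# Constructed example of a minimal Kubernetes audit policy (added here, not from the page).
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage for every rule: it duplicates the later
# ResponseComplete record and only adds volume.
omitStages:
  - "RequestReceived"
rules:
  # Never record secret/configmap/token bodies: log who touched them, not the contents.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Drop high-volume, low-value read traffic from core system components.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services", "services/status"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes", "nodes/status"]
  # Health and version probes carry no security signal.
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  # Changes to access control and workloads: keep the full request and response
  # so an investigator can see exactly what was granted or deployed.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
      - group: ""
        resources: ["pods", "pods/exec", "pods/portforward"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
  # Everything else: record metadata only (who, what, when, result).
  - level: Metadata
```

Re-check the RequestResponse rule against the first rule whenever a resource is added to it, so that a later entry never reintroduces secret or token contents into the log.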

Backout Plan:

Using AWS Console:

  1. Navigate to the EKS cluster's API server configuration.

  2. If necessary, revert the configuration to use a more detailed audit policy or the default configuration.

  3. Save the configuration and redeploy the cluster.

Using AWS CLI:

If issues occur, revert the change using:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --audit-policy-file <previous-policy-file>

References: