Profile Applicability:
Level 1

Description:
This control ensures that Amazon Elastic Kubernetes Service (EKS) Control Plane Audit Logging is enabled for all log types, including api, audit, authenticator, controllerManager, and scheduler. Enabling these logs allows administrators to capture detailed records of all Kubernetes API interactions, authentication events, and control plane operations, which are critical for incident detection, troubleshooting, and compliance reporting.


Rationale:
EKS Control Plane Audit Logs provide deep visibility into cluster-level activities. By logging all actions performed through the Kubernetes API server, organizations can detect misconfigurations, unauthorized changes, and potential attacks such as privilege escalation or API abuse. Comprehensive logging also supports audit and compliance requirements for frameworks such as CIS, SOC 2, ISO 27001, and NIST 800-53, ensuring accountability and traceability of administrative actions.


Impact:
Positive Impact: Enables full visibility into Kubernetes API activity and administrative actions, improving detection, response, and compliance readiness.
Negative Impact: Increases CloudWatch Logs ingestion and storage costs. The api and audit streams are the highest volume; on a busy cluster they can be substantial, so pair this control with a retention policy on the log group.


Default Value:
By default, EKS Control Plane Logging is disabled for all log types unless manually configured.


Pre-Requisite:

  • IAM permissions required: eks:DescribeCluster and eks:UpdateClusterConfig on the target clusters (plus eks:ListClusters to enumerate them), logs:CreateLogGroup, logs:PutRetentionPolicy.

  • EKS delivers the logs to the CloudWatch Logs group /aws/eks/<cluster-name>/cluster in the cluster's region and creates that group if it does not already exist. No log group needs to be created beforehand, but the group is created with retention set to never expire, so set a retention policy on it.

Test Plan 
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EKS → Clusters.

  3. Select a cluster and go to the Logging tab.

  4. Review the Control plane logging configuration.

  5. Verify that all available log types are enabled, including:

    • api

    • audit

    • authenticator

    • controllerManager

    • scheduler

  6. If any log type is disabled, the cluster is non-compliant.

Implementation Plan 
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EKS → Clusters and select the target cluster.

  3. Choose the Logging tab.

  4. Click Manage logging.

  5. Select all available log types:

    • api

    • audit

    • authenticator

    • controllerManager

    • scheduler

  6. Toggle each of the five log types to Enabled.

  7. Click Save changes to apply the configuration.

  8. Validate that log streams appear in the CloudWatch Logs group /aws/eks/<cluster-name>/cluster (stream names are prefixed kube-apiserver, kube-apiserver-audit, authenticator, kube-controller-manager and kube-scheduler). Delivery can take a few minutes after the update completes.

Backout Plan:

  1. If log ingestion costs become excessive, first shorten the retention period on the /aws/eks/<cluster-name>/cluster log group rather than disabling log types. If a type must be disabled, turn off the lower-priority scheduler or controllerManager logs and keep api, audit and authenticator enabled; note that the cluster then fails this control, so record the exception.

  2. Maintain a retention policy on the log group; EKS creates it with retention set to never expire, so unneeded data accumulates unless one is set.
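The following is an added example, not code from the original page or from AWS. It covers the Test Plan (auditing the logging configuration), the Implementation Plan (building the remediation) and the Backout Plan (retention) from the output of `aws eks describe-cluster`, whose `cluster.logging.clusterLogging` field is a list of `{"types": [...], "enabled": bool}` entries. The three describe-cluster responses below are constructed and abbreviated to the fields used; the cluster names and the 90-day retention value are assumptions.

```python
"""Audit and remediate EKS control plane logging from describe-cluster JSON.

Added example. It does not call AWS; it evaluates a describe-cluster response
and prints the AWS CLI commands that would bring the cluster into compliance.
"""
import json

# The five control plane log types EKS supports; all must be enabled.
REQUIRED_LOG_TYPES = frozenset(
    {"api", "audit", "authenticator", "controllerManager", "scheduler"}
)


def enabled_log_types(cluster):
    """Return the set of log types enabled in a describe-cluster `cluster` object.

    A type may sit in an explicit `enabled: false` entry, or appear in no entry at
    all; both mean it is off, so only `enabled: true` entries are collected.
    """
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def missing_log_types(cluster):
    """Required types that are not enabled. An empty set means compliant."""
    return REQUIRED_LOG_TYPES - enabled_log_types(cluster)


def remediation_payload(cluster):
    """Build the --logging argument for `aws eks update-cluster-config`.

    Returns None when nothing needs enabling so a no-op update is skipped.
    """
    missing = missing_log_types(cluster)
    if not missing:
        return None
    return {"clusterLogging": [{"types": sorted(missing), "enabled": True}]}


def remediation_command(cluster):
    """The CLI command that enables the missing types, or None if compliant."""
    payload = remediation_payload(cluster)
    if payload is None:
        return None
    return (
        f"aws eks update-cluster-config --name {cluster['name']} "
        f"--logging '{json.dumps(payload, separators=(',', ':'))}'"
    )


def retention_command(cluster, days=90):
    """Set retention on the log group EKS writes to; 90 days is an assumed value."""
    return (
        f"aws logs put-retention-policy "
        f"--log-group-name /aws/eks/{cluster['name']}/cluster "
        f"--retention-in-days {days}"
    )


# Constructed sample responses (the `cluster` object of describe-cluster).
COMPLIANT = {"name": "prod-eks", "logging": {"clusterLogging": [
    {"types": sorted(REQUIRED_LOG_TYPES), "enabled": True}]}}

# audit and authenticator on, the rest explicitly off: fails the control.
PARTIAL = {"name": "dev-eks", "logging": {"clusterLogging": [
    {"types": ["audit", "authenticator"], "enabled": True},
    {"types": ["api", "controllerManager", "scheduler"], "enabled": False}]}}

# Logging never configured: EKS reports every type in one disabled entry.
NEVER_CONFIGURED = {"name": "sandbox-eks", "logging": {"clusterLogging": [
    {"types": sorted(REQUIRED_LOG_TYPES), "enabled": False}]}}


def audit_report(clusters):
    """Map cluster name -> sorted list of missing log types (empty = compliant)."""
    return {c["name"]: sorted(missing_log_types(c)) for c in clusters}


if __name__ == "__main__":
    for cluster in (COMPLIANT, PARTIAL, NEVER_CONFIGURED):
        missing = sorted(missing_log_types(cluster))
        status = "COMPLIANT" if not missing else f"NON-COMPLIANT, missing {missing}"
        print(f"{cluster['name']}: {status}")
        if missing:
            print("  fix:      ", remediation_command(cluster))
        print("  retention:", retention_command(cluster))
```

In practice, feed the script the output of `aws eks describe-cluster --name <cluster> --query cluster` for each cluster returned by `aws eks list-clusters`, and run the printed `update-cluster-config` command only after reviewing it; the update takes a few minutes to complete, during which further cluster updates are blocked.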
