🛡️ AWS EKS Cluster Logging is not enabled for all control plane logs types🟢

Contextual name: 🛡️ Cluster Logging is not enabled for all control plane logs types🟢
ID: /ce/ca/aws/eks/cluster-logging
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS EKS Cluster
- 🔌 AWS EKS Cluster - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Internal: dec-x-8ccccedc

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-8ccccedc	1

Description

Open File

Description

EKS control plane logging enables the delivery of audit and diagnostic logs directly from the EKS control plane to Amazon CloudWatch Logs within your account. The following log types are available:

API Server - Includes logs that capture API server flags used during the server's startup.

Audit - Kubernetes audit logs capturing actions performed by users, administrators, or system components that affect your cluster.

Authenticator - Specific to Amazon EKS, these logs capture the control plane's authentication activity using IAM credentials for Kubernetes RBAC.

Controller Manager - Logs from the component responsible for running core control loops that regulate cluster state.

Scheduler - Captures events from the scheduler, which determines placement and scheduling of Pods within the cluster.

Rationale

Enabling EKS control plane logging is essential for security auditing, regulatory compliance, and operational diagnostics. These logs offer visibility into key events and system behavior, allowing you to detect unauthorized access, trace configuration changes, identify performance issues, and respond to incidents. Without them, understanding who made changes, when they occurred, and their impact becomes significantly more challenging, resulting in critical blind spots.

... see more

Remediation

Open File

Remediation

From Command Line

To enable control plane logging for your Amazon EKS cluster, update the logging configuration with the following command:
aws eks update-cluster-config \
    --region {{region-name}} \
    --name {{cluster-name}} \
    --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		19	22	no data
💼 APRA CPG 234 → 💼 67d logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential unauthorised access;		2	2	no data
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;		8	9	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.8] EKS clusters should have audit logging enabled			1	no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			75	no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP High Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)		1	3	no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	31	no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37	no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16	no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			16	no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			15	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		73	no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27	no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		41	no data
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	14	50	62	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	56	no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			23	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		27	no data
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)			10	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)			3	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			31	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		24	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	7		13	no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			50	no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			65	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			27	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100	no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			50	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60	no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			46	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			17	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	24	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		26	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9(7) Protection of Audit Information _ Store on Component with Different Operating System			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		15	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	73	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		27	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	41	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring	25	1	17	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			11	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			16	no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	33	no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		32	no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	32	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Remediation​

Remediation​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Remediation

Remediation

From Command Line

policy.yaml

Linked Framework Sections