
πŸ“ AWS EKS Cluster Logging is not enabled for all control plane logs types 🟒

  • Contextual name: Cluster Logging is not enabled for all control plane log types 🟢
  • ID: /ce/ca/aws/eks/cluster-logging
  • Located in: AWS EKS

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Similar Policies

  • Internal
    • dec-x-8ccccedc

Similar Internal Rules

  • ✉️ dec-x-8ccccedc

Logic

Description

Amazon EKS control plane logging delivers audit and diagnostic logs from the managed control plane to Amazon CloudWatch Logs in your account, into the log group /aws/eks/<cluster-name>/cluster. Logging is off by default, and each of the five log types is enabled individually:

  • API Server (api) - Logs from the kube-apiserver, the component that exposes the Kubernetes API; they include the flags the server was started with.
  • Audit (audit) - Kubernetes audit logs: a record of the users, administrators, and system components that acted on the cluster, and of what they requested.
  • Authenticator (authenticator) - Unique to Amazon EKS. Logs from the control plane component that authenticates IAM credentials for Kubernetes RBAC, so they show which IAM principal was mapped to which Kubernetes user and groups.
  • Controller Manager (controllerManager) - Logs from the kube-controller-manager, which runs the core control loops that drive the cluster toward its desired state.
  • Scheduler (scheduler) - Logs from the kube-scheduler, which decides when and where Pods run.

Rationale

Control plane logging is the cluster's audit trail. Without it there is no record of who called the Kubernetes API, which IAM principal they authenticated as, what they changed, or when. The audit and authenticator logs in particular let you detect unauthorised access, trace configuration changes, and reconstruct an incident; the API server, controller manager, and scheduler logs support operational diagnostics. Enabling all five types is required for security auditing and for the regulatory controls listed below, and leaving any of them off creates a blind spot that cannot be filled after the fact, because logs that were never delivered do not exist anywhere. Audit logs are typically the highest-volume type and incur CloudWatch Logs ingestion and storage charges; manage that cost with a retention policy on the log group rather than by leaving the type disabled.

Remediation

From Command Line

To enable all five control plane log types on an existing Amazon EKS cluster, update its logging configuration (replace the {{region-code}} and {{cluster-name}} placeholders):

  aws eks update-cluster-config \
    --region {{region-code}} \
    --name {{cluster-name}} \
    --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

The update is applied asynchronously: the command returns an update ID, and the cluster's logging configuration reflects the change once the update has finished. The caller needs the eks:UpdateClusterConfig permission, and the CloudWatch log group is created automatically when the first log type is enabled.
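The check this policy performs, together with the remediation above, as an added Python example (not code from this page or from Cloudaware): it reads the JSON that `aws eks describe-cluster --output json` returns, reports which of the five log types are not enabled, and emits the update-cluster-config command that fixes the gap. The script name check_eks_logging.py, the function names, the three SAMPLE_* cluster documents, and the us-east-1 default region are assumptions made for the example.

```python
"""Evaluate an EKS cluster's control plane logging against this policy.

Added example, not part of the original page: it works on the JSON that
`aws eks describe-cluster --output json` returns and reports which of the
five control plane log types are not enabled. The SAMPLE_* documents are
constructed for illustration and only carry the fields this check reads.
"""
import json
import sys

# The five control plane log types, named as the EKS API names them.
REQUIRED_LOG_TYPES = frozenset(
    {"api", "audit", "authenticator", "controllerManager", "scheduler"}
)


def enabled_log_types(cluster):
    """Log types currently enabled on a describe-cluster 'cluster' object.

    EKS reports logging as a list of {"types": [...], "enabled": bool}
    entries. A cluster whose logging was never configured may omit the
    "logging" key entirely; that means nothing is enabled.
    """
    entries = (cluster.get("logging") or {}).get("clusterLogging") or []
    enabled = set()
    for entry in entries:
        if entry.get("enabled") is True:
            enabled.update(entry.get("types") or [])
    return enabled


def missing_log_types(cluster):
    """Required log types the cluster does not enable, sorted for stable output."""
    return sorted(REQUIRED_LOG_TYPES - enabled_log_types(cluster))


def is_compliant(cluster):
    return not missing_log_types(cluster)


def remediation_command(cluster, region):
    """The `aws eks update-cluster-config` call that enables every required type.

    The full list is sent rather than only the missing types; that is
    idempotent, since types already enabled simply stay enabled.
    """
    logging_arg = json.dumps(
        {"clusterLogging": [{"types": sorted(REQUIRED_LOG_TYPES), "enabled": True}]}
    )
    return (
        f"aws eks update-cluster-config --region {region} "
        f"--name {cluster['name']} --logging '{logging_arg}'"
    )


def evaluate(cluster, region="us-east-1"):
    """One finding per cluster: compliance status, the gaps, and the fix."""
    missing = missing_log_types(cluster)
    return {
        "cluster": cluster["name"],
        "compliant": not missing,
        "missing": missing,
        "remediation": remediation_command(cluster, region) if missing else None,
    }


# Constructed samples in the shape of the "cluster" object that
# `aws eks describe-cluster` returns.
SAMPLE_PARTIAL = {  # has an audit trail, but no authenticator/controller/scheduler logs
    "name": "prod-eks",
    "logging": {
        "clusterLogging": [
            {"types": ["api", "audit"], "enabled": True},
            {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
        ]
    },
}
SAMPLE_UNCONFIGURED = {"name": "legacy-eks"}  # logging never configured: everything off
SAMPLE_FULL = {
    "name": "hardened-eks",
    "logging": {"clusterLogging": [{"types": sorted(REQUIRED_LOG_TYPES), "enabled": True}]},
}


if __name__ == "__main__":
    # Usage: aws eks describe-cluster --name X --output json > x.json
    #        python3 check_eks_logging.py x.json [region]
    # With no arguments the three constructed samples are evaluated instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            clusters = [json.load(fh)["cluster"]]
        region = sys.argv[2] if len(sys.argv) > 2 else "us-east-1"
    else:
        clusters, region = [SAMPLE_PARTIAL, SAMPLE_UNCONFIGURED, SAMPLE_FULL], "us-east-1"
    findings = [evaluate(c, region) for c in clusters]
    print(json.dumps(findings, indent=2))
    sys.exit(0 if all(f["compliant"] for f in findings) else 1)
```

Run it against a real cluster by saving the describe-cluster output to a file and passing the file name and region; the non-zero exit status on any missing type makes it usable as a gate in a pipeline, and the printed command is the same update-cluster-config call shown above.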

policy.yaml

Linked Framework Sections

  • 💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;
  • 💼 APRA CPG 234 → 💼 67d logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential unauthorised access;
  • 💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;
  • 💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration
  • 💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)
  • 💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)
  • 💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management | Automated Audit Actions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege | Log Use of Privileged Functions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation
  • 💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control