AWS GuardDuty Detector EKS Audit Log Monitoring is not enabled
- Contextual name: Detector EKS Audit Log Monitoring is not enabled
- ID: /ce/ca/aws/guardduty/detector-eks-audit-logs
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled
Description
This policy identifies AWS GuardDuty Detectors that have EKS Audit Log Monitoring disabled. This feature is part of GuardDuty EKS Protection, which provides specialized threat detection for EKS clusters.
GuardDuty analyzes Kubernetes audit logs from your EKS clusters to detect suspicious activity and potential security threats, such as privilege escalation, use of exposed credentials, or connections from known malicious IP addresses. GuardDuty consumes these logs directly from the EKS control plane, so you do not need to enable or ship control-plane audit logging to CloudWatch Logs for this feature to work.
Rationale
Kubernetes audit logs provide a chronological, security-relevant record of actions and events within a cluster. Monitoring these logs is crucial for detecting unauthorized access, suspicious API calls, and other malicious activities that could compromise your containerized applications.
Impact
Enabling this feature will incur costs based on the volume of EKS audit logs analyzed by GuardDuty.
Audit
This policy flags an AWS GuardDuty Detector as INCOMPLIANT if its Data Sources contain Kubernetes Audit Logs Status set to DISABLED. In the GetDetector API response this is the DataSources.Kubernetes.AuditLogs.Status field; the same setting is also reported as the EKS_AUDIT_LOGS entry in the detector's Features list. Detectors are regional, so the check must be run in every region where GuardDuty is enabled.
Remediation
Enable EKS Audit Log Monitoring
From Command Line
Enable EKS Audit Log Monitoring for a specific GuardDuty detector using the following command. The detector ID comes from `aws guardduty list-detectors` in the target region, and the command must be repeated per region. Note that `--data-sources` is the older parameter form; current AWS CLI versions also accept the equivalent `--features` parameter with the feature name EKS_AUDIT_LOGS. If the account is a member of a GuardDuty organization, the delegated administrator can apply the setting to members with `update-member-detectors` and make it the default for new members with `update-organization-configuration`.
aws guardduty update-detector \
--detector-id {{detector-id}} \
--region {{region}} \
--data-sources "Kubernetes={AuditLogs={Enable=true}}"
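The following script is an added example for this page; it is not Cloudaware's prod.logic.yaml and not the Security Hub GuardDuty.5 control implementation. It turns the Audit rule above into a pure function over a GetDetector response (so it can be exercised offline on the constructed sample responses embedded below), and wraps the Remediation step as a boto3 call using the Features form of UpdateDetector. boto3 and AWS credentials are assumed only when the file is run directly; the sample detector contents and the `FEATURE_NAME` constant are my assumptions based on the API field names quoted in the text.

```python
"""Audit and remediate GuardDuty EKS Audit Log Monitoring per detector.

Added example, not the policy's own logic. The evaluation is a pure
function over a GetDetector response dict; the live scan/fix helpers
import boto3 lazily so the offline logic needs nothing installed.
"""
from __future__ import annotations

from typing import Any, Optional

FEATURE_NAME = "EKS_AUDIT_LOGS"  # feature name used by GetDetector/UpdateDetector


def eks_audit_logs_enabled(detector: dict[str, Any]) -> Optional[bool]:
    """Return True if EKS audit log monitoring is enabled, False if disabled,
    None if the response carries neither field.

    The Features list is authoritative; the legacy
    DataSources.Kubernetes.AuditLogs.Status field (the one the policy text
    names) is consulted only when Features does not mention EKS_AUDIT_LOGS.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE_NAME:
            return feature.get("Status") == "ENABLED"
    legacy = (
        detector.get("DataSources", {})
        .get("Kubernetes", {})
        .get("AuditLogs", {})
        .get("Status")
    )
    return None if legacy is None else legacy == "ENABLED"


def evaluate(detector_id: str, region: str, detector: dict[str, Any]) -> dict[str, str]:
    """Map one detector to the policy verdict (COMPLIANT / INCOMPLIANT / UNKNOWN)."""
    enabled = eks_audit_logs_enabled(detector)
    if enabled is None:
        verdict = "UNKNOWN"  # field absent: do not silently pass the detector
    else:
        verdict = "COMPLIANT" if enabled else "INCOMPLIANT"
    return {"detector_id": detector_id, "region": region, "compliance": verdict}


# Constructed GetDetector responses (field layout follows the API; values are made up).
SAMPLE_ENABLED = {
    "Status": "ENABLED",
    "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "ENABLED"}}},
    "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
                 {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}],
}
SAMPLE_DISABLED = {
    "Status": "ENABLED",
    "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "DISABLED"}}},
    "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}],
}
SAMPLE_LEGACY_ONLY = {  # older-style response with no Features list
    "Status": "ENABLED",
    "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "DISABLED"}}},
}


def scan_region(region: str) -> list[dict[str, str]]:
    """Evaluate every detector in one region (GuardDuty detectors are regional)."""
    import boto3  # assumed installed; imported lazily so offline use needs nothing

    gd = boto3.client("guardduty", region_name=region)
    results = []
    for page in gd.get_paginator("list_detectors").paginate():
        for detector_id in page.get("DetectorIds", []):
            detector = gd.get_detector(DetectorId=detector_id)
            results.append(evaluate(detector_id, region, detector))
    return results


def enable_eks_audit_logs(region: str, detector_id: str) -> None:
    """Remediate with the Features form of UpdateDetector, equivalent to the
    --data-sources "Kubernetes={AuditLogs={Enable=true}}" CLI command."""
    import boto3

    gd = boto3.client("guardduty", region_name=region)
    gd.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": FEATURE_NAME, "Status": "ENABLED"}],
    )


if __name__ == "__main__":
    import sys

    # Usage: python guardduty_eks_audit.py us-east-1 eu-west-1 [--fix]
    args = sys.argv[1:]
    fix = "--fix" in args
    for region in [a for a in args if a != "--fix"] or ["us-east-1"]:
        for result in scan_region(region):
            print(result)
            if fix and result["compliance"] == "INCOMPLIANT":
                enable_eks_audit_logs(region, result["detector_id"])
```

The evaluation deliberately reports UNKNOWN rather than COMPLIANT when neither field is present, so a malformed or truncated response cannot mask a disabled detector. The `--fix` path only touches detectors the evaluation marked INCOMPLIANT; in an organization where the delegated administrator owns the configuration, run the equivalent update-member-detectors call from that account instead.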
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled | 1 | no data | | | |
| Cloudaware Framework → Logging and Monitoring Configuration | 65 | no data | | | |