Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
1Dashboards
78Benchmarks
40Queries
2Variables
GitHub

Control: 2.4 Ensure Log Service is enabled for Container Service for Kubernetes

Description

Log Service shall be connected with Kubernetes clusters of Alibaba Cloud Container Service to collect the audit log for central monitoring and analysis. You can simply enable Log Service when creating a cluster for log collection.

Remediation

Perform the following ensure the Log Service for Kubernetes clusters is enabled:

From Console

  1. Logon to ACK Console.
  2. Click Clusters in the left-side navigation pane and click Create Kubernetes Cluster in the upper-right corner.
  3. Scroll to the bottom of the page and select the Using Log Service check box. The log plug-in will be installed in the newly created Kubernetes cluster.
  4. When you select the Using Log Service check box, project options are displayed. A project is the unit in Log Service to manage logs.
  5. After you complete the configuration, click Create in the upper-right corner.
  6. In the displayed dialog box, click OK.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_4 --share

SQL

This control uses a named query:

select
  'arn:acs:::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason
  , account_id as account_id
from
  alicloud_account;

Tags

category = Compliance
cis = true
cis_item_id = 2.4
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/SLS