turbot/steampipe-mod-alicloud-compliance

Control: 7.1 Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters

Description

Log Service is a complete real-time data logging service on Alibaba Cloud that supports collection, shipping, search, storage, and analysis of logs. It includes a user interface to call the Log Viewer and an API to manage logs programmatically. Log Service can automatically collect, process, and store your container and audit logs in a dedicated, persistent datastore. Container logs are collected from your containers. Audit logs are collected from the kube-apiserver or the deployed ingress. Events are logs about activity in the cluster, such as the deletion of Pods or Secrets.

Remediation

Using the management console:

  1. Log on to the ACK console.
  2. Click Create Kubernetes Cluster and set Enable Log Service to Enabled when creating the cluster.

Default Value:

By default, Log Service is disabled when you create a new cluster using the console.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_7_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_7_1 --share

SQL

This control uses a named query:

select
  'arn:acs:::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  account_id as account_id
from
  alicloud_account;
