turbot/steampipe-mod-alicloud-compliance

Control: 2.4 Ensure Log Service is enabled for Container Service for Kubernetes

Description

Log Service should be connected to the Kubernetes clusters of Alibaba Cloud Container Service to collect the audit log for central monitoring and analysis. You can enable Log Service when creating a cluster so that log collection is configured from the start.

Remediation

Perform the following to ensure the Log Service for Kubernetes clusters is enabled:

  1. Log on to the ACK console.
  2. Click Clusters in the left-side navigation pane and click Create Kubernetes Cluster in the upper-right corner.
  3. Scroll to the bottom of the page and select the Using Log Service check box. The log plug-in will be installed in the newly created Kubernetes cluster.
  4. When you select the Using Log Service check box, project options are displayed. A project is the unit in Log Service to manage logs.
  5. After you complete the configuration, click Create in the upper-right corner.
  6. In the displayed dialog box, click OK.

Default Value:

Logging is disabled.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_4 --share

SQL

This control uses a named query:

with log_service_enabled as (
  select
    cluster_id
  from
    alicloud_cs_kubernetes_cluster
  where
    -- Audit log project set when the cluster was created
    meta_data -> 'AuditProjectName' is not null
    -- Control-plane component logs shipped to a Log Service project
    or meta_data -> 'ControlPlaneLogConfig' -> 'log_project' is not null
    -- Log collection addon (loongcollector) configured with an SLS project
    or exists (
      select 1
      from jsonb_array_elements(meta_data -> 'Addons') as a
      where a ->> 'name' = 'loongcollector'
        and (a -> 'config' ->> 'sls_project_name' is not null
          or a ->> 'config' ilike '%sls_project_name%')
    )
)
select
  c.arn as resource,
  case
    when c.state != 'running' then 'skip'
    when ls.cluster_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when c.state != 'running' then c.title || ' is in ' || c.state || ' state.'
    when ls.cluster_id is not null then c.title || ' has log service enabled.'
    else c.title || ' does not have log service enabled.'
  end as reason,
  c.account_id as account_id,
  c.region as region
from
  alicloud_cs_kubernetes_cluster c
  left join log_service_enabled ls on c.cluster_id = ls.cluster_id;
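As an added example (not part of the mod), the same decision logic written in plain Python over constructed rows shaped like alicloud_cs_kubernetes_cluster, so the three ways the query recognises an enabled Log Service can be checked offline. The sample cluster rows and the function names are constructed for illustration.

```python
import json
from typing import Any

# Constructed sample rows shaped like the Steampipe table (not real clusters).
SAMPLE_CLUSTERS = [
    {"title": "prod-a", "state": "running",
     "meta_data": {"AuditProjectName": "k8s-log-prod-a"}},
    {"title": "prod-b", "state": "running",
     "meta_data": {"ControlPlaneLogConfig": {"log_project": "k8s-cp-prod-b"}}},
    {"title": "prod-c", "state": "running",
     "meta_data": {"Addons": [{"name": "loongcollector",
                               "config": json.dumps({"sls_project_name": "k8s-log-prod-c"})}]}},
    {"title": "dev-d", "state": "running",
     "meta_data": {"Addons": [{"name": "nginx-ingress-controller"}]}},
    {"title": "old-e", "state": "stopped", "meta_data": {}},
]


def _addon_has_sls_project(addon: dict[str, Any]) -> bool:
    """Addons branch: loongcollector names an SLS project, either as a JSON
    object field or anywhere inside a string-valued config (the ilike case)."""
    if addon.get("name") != "loongcollector":
        return False
    config = addon.get("config")
    if isinstance(config, dict):
        return "sls_project_name" in config
    if isinstance(config, str):
        return "sls_project_name" in config.lower()
    return False


def log_service_enabled(meta_data: dict[str, Any]) -> bool:
    """Mirror the CTE. Key presence is tested, as jsonb '->' does: a key that
    holds JSON null still counts as present, exactly like the SQL."""
    if "AuditProjectName" in meta_data:
        return True
    cp = meta_data.get("ControlPlaneLogConfig")
    if isinstance(cp, dict) and "log_project" in cp:
        return True
    addons = meta_data.get("Addons") or []
    return any(_addon_has_sls_project(a) for a in addons if isinstance(a, dict))


def evaluate_cluster(cluster: dict[str, Any]) -> tuple[str, str]:
    """Return (status, reason) with the same wording as the control query."""
    title, state = cluster["title"], cluster["state"]
    if state != "running":
        return "skip", f"{title} is in {state} state."
    if log_service_enabled(cluster.get("meta_data") or {}):
        return "ok", f"{title} has log service enabled."
    return "alarm", f"{title} does not have log service enabled."


def evaluate_all(clusters: list[dict[str, Any]]) -> dict[str, str]:
    return {c["title"]: evaluate_cluster(c)[0] for c in clusters}
```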

Tags