Control: 8 EKS clusters should have audit logging enabled
Description
This control checks whether an Amazon EKS cluster has audit logging enabled. The control fails if audit logging isn't enabled for the cluster.
EKS control plane logging provides audit and diagnostic logs directly from the EKS control plane to Amazon CloudWatch Logs in your account. You can select the log types you need, and logs are sent as log streams to a group for each EKS cluster in CloudWatch. Logging provides visibility into the access and performance of EKS clusters. By sending EKS control plane logs for your EKS clusters to CloudWatch Logs, you can record operations for audit and diagnostic purposes in a central location.
Remediation
To enable audit logs for your EKS cluster, see Enabling and disabling control plane logs in the Amazon EKS User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_eks_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_eks_8 --shareSQL
This control uses a named query:
with control_panel_audit_logging as ( select distinct arn, log -> 'Types' as log_type from aws_eks_cluster, jsonb_array_elements(logging -> 'ClusterLogging') as log where log ->> 'Enabled' = 'true' and (log -> 'Types') @> '["api", "audit", "authenticator", "controllerManager", "scheduler"]')select c.arn as resource, case when l.arn is not null then 'ok' else 'alarm' end as status, case when l.arn is not null then c.title || ' control plane audit logging enabled for all log types.' else case when logging -> 'ClusterLogging' @> '[{"Enabled": true}]' then c.title || ' control plane audit logging not enabled for all log types.' else c.title || ' control plane audit logging not enabled.' end end as reason , c.region, c.account_idfrom aws_eks_cluster as c left join control_panel_audit_logging as l on l.arn = c.arn;