turbot/steampipe-mod-aws-compliance

Control: 5 GuardDuty EKS Audit Log Monitoring should be enabled

Description

This control checks whether GuardDuty EKS Audit Log Monitoring is enabled. For a standalone account, the control fails if GuardDuty EKS Audit Log Monitoring is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have EKS Audit Log Monitoring enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the EKS Audit Log Monitoring feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty EKS Audit Log Monitoring enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

GuardDuty EKS Audit Log Monitoring helps you detect potentially suspicious activities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters. EKS Audit Log Monitoring uses Kubernetes audit logs to capture chronological activities from users, applications using the Kubernetes API, and the control plane.

Remediation

To enable GuardDuty EKS Audit Log Monitoring, see EKS Audit Log Monitoring in the Amazon GuardDuty User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_guardduty_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_guardduty_5 --share

SQL

This control uses a named query:

with eks_audit_log_monitoring as (
select
arn
from
aws_guardduty_detector,
jsonb_array_elements(features) as f
where
f ->> 'Name' = 'EKS_AUDIT_LOGS'
and f ->> 'Status' = 'ENABLED'
)
select
d.arn as resource,
case
when m.arn is not null then 'ok'
else 'alarm'
end as status,
case
when m.arn is not null then title || ' has EKS audit log monitoring enabled.'
else title || ' has EKS audit log monitoring disabled.'
end as reason
, region, account_id
from
aws_guardduty_detector as d
left join eks_audit_log_monitoring as m on m.arn = d.arn

Tags