More Info:

EKS clusters should have their control plane logs enabled and publish their API, audit, controller manager, scheduler or authenticator logs to AWS CloudWatch.

Risk Level

Low

Address

Security, Reliability

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Remediation

Using Console

To remediate the issue of EKS clusters not having logging enabled in AWS using the AWS console, please follow the below steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon EKS console.
  3. Select the EKS cluster that you want to enable logging for.
  4. Click on the “Configuration” tab.
  5. Under the “Logging” section, click on the “Edit” button.
  6. Select the “Enable logging” checkbox.
  7. Choose the “Create a new S3 bucket” option or select an existing S3 bucket from the dropdown menu.
  8. Enter a unique name for the S3 bucket.
  9. Click on the “Save” button to save the changes.

Once the above steps are completed, the EKS cluster will have logging enabled, and logs will be stored in the specified S3 bucket.

Using CLI

To remediate the misconfiguration “EKS Clusters Should Have Logging Enabled” for AWS using AWS CLI, follow the below steps:

  1. Open the AWS CLI on your local machine.

  2. Check the current status of logging for your EKS cluster by running the following command:

    aws eks describe-cluster --name <cluster_name> --query "cluster.logging"

    This command will return the current logging status of your EKS cluster.

  3. If the logging is not enabled, run the following command to update the logging status:

    aws eks update-cluster-config --name <cluster_name> --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

    This command will enable logging for your EKS cluster.

  4. Verify that the logging is enabled by running the following command again:

    aws eks describe-cluster --name <cluster_name> --query "cluster.logging"

    This command should return the updated logging status of your EKS cluster.

By following these steps, you can remediate the misconfiguration “EKS Clusters Should Have Logging Enabled” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration of EKS clusters not having logging enabled, you can use the following steps in Python:

  1. First, you need to import the necessary libraries for AWS SDK for Python (Boto3) and EKS service:
import boto3
from botocore.exceptions import ClientError
  1. Next, you need to create an AWS session and EKS client:
session = boto3.session.Session(region_name='your_region')
eks_client = session.client('eks')
  1. Then, you can use the describe_cluster function to get the logging configuration of the EKS cluster:
response = eks_client.describe_cluster(name='your_cluster_name')
logging_enabled = response['cluster']['logging']['clusterLogging'][0]['enabled']
  1. If logging_enabled is False, you can use the update_cluster_config function to enable logging:
if not logging_enabled:
    logging_config = {
        'types': ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'],
        'enabled': True
    }
    update_config = {
        'logging': logging_config
    }
    eks_client.update_cluster_config(name='your_cluster_name', resourcesVpcConfig=update_config)
  1. Finally, you can print a message to confirm that logging has been enabled:
print('Logging has been enabled for the EKS cluster.')

Note: Make sure you have the necessary permissions and credentials to access the EKS cluster and enable logging.

Additional Reading: