Skip to main content

Disable or Delete EKS Audit Log Integrations

Disable EKS Audit Log Integrations

If you disable an EKS audit log integration, Lacework stops processing messages for the associated AWS account. EKS clusters that belong to that account will not be analyzed.

Disablement unsubscribes the SNS topic but does not stop Firehose from writing to the S3 bucket.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Locate the integration you want to disable and under the Status column toggle Enabled.

If you re-enable an integration, Lacework starts processing new SQS messages again. “Catchup” processing does not occur and is not supported.

Delete Integrations

Deleting an integration deletes all the resources in your AWS account that were created during the integration's setup.

To delete an integration, you can use the AWS Console or CLI to delete the CloudFormation stack. This deletes all of the associated resources except the S3 bucket. Note that the S3 bucket is not deleted so you can choose whether or not to retain the logs.

Use the AWS Console

  1. Log in to the AWS Console.
  2. Open the AWS CloudFormation console.
  3. Go to Stacks and select the stack that you want to delete. The stack must be currently running.
  4. In the stack details pane, click Delete.
  5. Click Delete stack.

Use the AWS CLI

Run the following command:

aws cloudformation delete-stack --stack-name <stack-name>

Disable/Delete Individual EKS Clusters

At any time you can stop a cluster from sending logs to Lacework using one of the following methods:

  • Disable audit logging on the EKS cluster.
  • Delete resources created during EKS cluster instrumentation.

Disable Audit Logging on the EKS Cluster

To stop sending logs from an EKS cluster, disable audit logging on that EKS cluster.

Use the AWS Console

  1. Log in to the AWS Console.
  2. Go to the EKS Clusters page.
  3. Click a cluster to display its cluster information.
  4. Click the Configuration tab.
  5. Click the Logging tab.
  6. Click Manage logging.
  7. Disable the Audit logs.
  8. Save changes.

Use the AWS CLI

Run the following command:

aws eks update-cluster-config \
--region <region-code> \
--name <prod> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":false}]}'

Delete Resources Created During EKS Cluster Instrumentation

To stop sending logs from an EKS cluster, delete the resources that were created when you instrumented that EKS cluster.

Use the AWS Console

  1. Log in to the AWS Console.
  2. Open the AWS CloudFormation console.
  3. Go to Stacks and select the stack that you want to delete. The stack must be currently running.
  4. In the stack details pane, click Delete.
  5. Click Delete stack.

Use the AWS CLI

Run the following command:

aws cloudformation delete-stack --stack-name <stack-name>