EKS Audit Log Manual Integration

Overview

Configuring Kubernetes runtime security monitoring on Lacework involves the following steps:

  • Step 1: Set up AWS resources.
  • Step 2: Create an EKS integration in the Lacework Console to allow Lacework to track audit logs from all EKS clusters that belong to your AWS account.
  • Step 3: Instrument each EKS cluster for the integration you created: a CloudWatch Logs subscription filter on the cluster's EKS log group sends its audit logs through your AWS resources to Lacework.

Prerequisites

  • Ensure that you are deploying the integration to a supported AWS region.

  • Enable audit logging on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

    aws eks --region <region> update-cluster-config --name <cluster_name> \
    --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

    Replace:

    • <region> with your AWS region.
    • <cluster_name> with the name of the EKS cluster.

Step 1: Set Up AWS Resources

Setting up AWS resources includes the following actions:

  • Create an SNS topic.
  • Create an SNS policy to allow sending notifications to the Lacework SQS queue and to allow the Lacework AWS account to subscribe.
  • Create a subscription to the SNS topic. Create one SNS subscription for each EKS audit log integration (for example, for each AWS account).
  • Create an S3 bucket.
  • Create a Kinesis Data Firehose.
    • Create a Firehose delivery role with permission to write to the S3 bucket.
    • Set the S3 bucket as the delivery destination.
  • Create a cross-account IAM role with permissions that Lacework assumes to make API calls.

Log in to AWS and use CloudShell to run the commands in the following sections.

Create an SNS Topic

  1. Run the following command:

    aws sns create-topic --name <topic_name>

    Replace <topic_name> with the desired name for the topic.
  2. Record the ARN of the topic to use in the next section.

Set the SNS Topic Policy

Run the following command:

aws sns set-topic-attributes --topic-arn <Lacework_EKS_SNS_topic_ARN> --attribute-name Policy --attribute-value '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLaceworkToSubscribe",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::434813966438:role/lacework-platform"
},
"Action": "sns:Subscribe",
"Resource": "<Lacework_EKS_SNS_topic_ARN>"
},
{
"Sid": "AllowS3ToPublish",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sns:Publish",
"Resource": "<Lacework_EKS_SNS_topic_ARN>",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "<AWS_account_ID>"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:*:*:<resource_name_prefix>-lacework-eks"
}
}
}
]
}'

Replace:

  • <Lacework_EKS_SNS_topic_ARN> with the ARN of the SNS topic.
  • <AWS_account_ID> with the AWS account being integrated.
  • <resource_name_prefix> with the resource name prefix.

Create an S3 Bucket

  1. Run the following command:

    aws s3api create-bucket --bucket <resource_name_prefix>-lacework-eks --region <region>

    Replace:

    • <resource_name_prefix> with the resource name prefix.
    • <region> with your AWS region.
  2. Record the ARN of the bucket to use in the next section.

Set S3 Bucket Notification

Run the following command:

aws s3api put-bucket-notification-configuration --bucket <resource_name_prefix>-lacework-eks --notification-configuration '{
"TopicConfigurations":[
{
"TopicArn":"<Lacework_EKS_SNS_topic_ARN>",
"Events":[
"s3:ObjectCreated:*"
],
"Filter":{
"Key":{
"FilterRules":[
{
"Name":"prefix",
"Value":"eks_audit_logs/<AWS_account_ID>"
}
]
}
}
}
]
}'

Replace:

  • <resource_name_prefix> with the resource name prefix. The --bucket argument takes the bucket name (<resource_name_prefix>-lacework-eks), not the bucket ARN.
  • <Lacework_EKS_SNS_topic_ARN> with the ARN of the SNS topic.
  • <AWS_account_ID> with the AWS account being integrated.

Create an IAM Role for Kinesis Firehose

Run the following command:

aws iam create-role --role-name <role_name> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'

Replace <role_name> with the desired name for the IAM role.

Attach an IAM Policy to the IAM Role for Kinesis Firehose

Run the following command:

aws iam put-role-policy --role-name <role_name> --policy-name <policy_name> --policy-document '{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":"s3:PutObject",
"Resource":"<bucket_ARN>/eks_audit_logs/<AWS_account_ID>/*"
}
]
}'

Replace:

  • <role_name> with the name of the IAM role for Firehose.
  • <policy_name> with the desired name for the IAM policy.
  • <bucket_ARN> with the ARN of the S3 bucket.
  • <AWS_account_ID> with the AWS account being integrated.

Create a Kinesis Firehose Delivery Stream

Run the following command:

aws firehose create-delivery-stream --delivery-stream-name <delivery_stream_name> --delivery-stream-type DirectPut --s3-destination-configuration '{
"RoleARN": "<role_ARN>",
"BucketARN": "<bucket_ARN>",
"Prefix": "eks_audit_logs/<AWS_account_ID>/",
"ErrorOutputPrefix": "audit_logs/<AWS_account_ID>/error/",
"BufferingHints": {
"IntervalInSeconds": 300,
"SizeInMBs": 100
},
"CloudWatchLoggingOptions": {
"Enabled": false
},
"CompressionFormat": "UNCOMPRESSED",
"EncryptionConfiguration": {
"NoEncryptionConfig": "NoEncryption"
}
}'

Replace:

  • <delivery_stream_name> with the desired name for the Kinesis Firehose delivery stream.
  • <role_ARN> with the ARN of the IAM role for Firehose.
  • <bucket_ARN> with the ARN of the S3 bucket.
  • <AWS_account_ID> with the AWS account being integrated.

Record the ARN of the Firehose delivery stream to use later when configuring CloudWatch Logs.

Create an IAM Role for Cross-Account Access

Run the following command:

aws iam create-role --role-name <role_name> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::434813966438:role/lacework-platform"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": [
"lweid:aws:v2:<tenant_name>:<AWS_account_ID>:<unique_id>"
]
}
}
}
]
}'

  • Replace <role_name> with the desired name for the IAM role.
  • 434813966438:role/lacework-platform is the Lacework account ID and Lacework role name.
  • For sts:ExternalId, provide an external ID, which must consist of your Lacework tenant name (from your Lacework URL <tenant_name>.lacework.net), the AWS account being integrated, and a random 10-character string. See the complete external ID format details to verify it is Lacework-compliant. Copy the external ID so you can use it later in the onboarding process when you configure the integration from the Lacework Console.

Attach an IAM Policy to the IAM Role for Cross-Account Access

Run the following command:

aws iam put-role-policy --role-name <role_name> --policy-name <policy_name> --policy-document '{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"S3Permissions",
"Effect":"Allow",
"Action":"s3:GetObject",
"Resource":[
"arn:aws:s3:::<resource_name_prefix>-lacework-eks",
"arn:aws:s3:::<resource_name_prefix>-lacework-eks/*"
]
},
{
"Sid":"SNSPermissions",
"Effect":"Allow",
"Action":[
"sns:GetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource":"<Lacework_EKS_SNS_topic_ARN>"
},
{
"Sid":"AccountAliasPermissions",
"Effect":"Allow",
"Action":"iam:ListAccountAliases",
"Resource":"*"
},
{
"Sid":"DebugPermissions",
"Effect":"Allow",
"Action":[
"eks:ListClusters",
"logs:DescribeLogGroups",
"logs:DescribeSubscriptionFilters",
"firehose:ListDeliveryStreams",
"firehose:DescribeDeliveryStream"
],
"Resource":"*"
},
{
"Sid":"S3DebugPermissions",
"Effect":"Allow",
"Action":[
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketNotificationConfiguration"
],
"Resource":"<bucket_ARN>"
}
]
}'

The DebugPermissions and S3DebugPermissions statements are optional. They only let Lacework read the configuration of your EKS clusters, log groups, delivery streams and the bucket when troubleshooting the integration; remove them if you want the cross-account role limited to reading log objects and managing the SNS subscription.

Replace:

  • <role_name> with the name of the IAM role for cross-account access.
  • <policy_name> with the desired name for the IAM policy.
  • <resource_name_prefix> with the resource name prefix.
  • <Lacework_EKS_SNS_topic_ARN> with the ARN of the SNS topic.
  • <bucket_ARN> with the ARN of the S3 bucket.
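The Step 1 commands above share placeholder values that must agree with each other: the bucket name in the topic policy's aws:SourceArn, the prefix the bucket notification watches, the prefix Firehose writes to, the object path the Firehose role may PutObject to, and the external ID in the cross-account trust policy. A mismatch in any of them leaves the pipeline silently empty. The following Python script is an added example, not Lacework's code: it derives all of those documents from four inputs, generates an external ID, and cross-checks the documents before you paste the JSON into the commands. The platform role ARN, bucket naming and prefixes come from the page; the external ID regular expression and the sample inputs are this example's assumptions.

```python
"""Render the Step 1 policy documents from a few inputs and cross-check them.

Added example, not Lacework's code. Only the placeholder names used on this page
are assumed; the external ID regular expression is this example's assumption."""
import json
import re
import secrets
import string

# Lacework platform role and bucket naming exactly as the page's commands use them.
LACEWORK_PLATFORM_ROLE = "arn:aws:iam::434813966438:role/lacework-platform"
# Assumed shape: lweid:aws:v2:<tenant>:<12-digit account>:<10 random alphanumerics>
EXTERNAL_ID_RE = re.compile(r"^lweid:aws:v2:[A-Za-z0-9-]+:\d{12}:[A-Za-z0-9]{10}$")


def make_external_id(tenant, account_id):
    """Build the sts:ExternalId value with a cryptographically random 10-character suffix."""
    alphabet = string.ascii_letters + string.digits
    suffix = "".join(secrets.choice(alphabet) for _ in range(10))
    return f"lweid:aws:v2:{tenant}:{account_id}:{suffix}"


def is_lacework_external_id(ext_id):
    return EXTERNAL_ID_RE.match(ext_id) is not None


def build_step1_documents(prefix, account_id, tenant, topic_arn, external_id=None):
    """Return every JSON document Step 1 needs, all derived from one set of inputs."""
    bucket = f"{prefix}-lacework-eks"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_prefix = f"eks_audit_logs/{account_id}/"
    external_id = external_id or make_external_id(tenant, account_id)
    return {
        "account_id": account_id, "bucket": bucket, "bucket_arn": bucket_arn,
        "external_id": external_id,
        "topic_policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "AllowLaceworkToSubscribe", "Effect": "Allow",
             "Principal": {"AWS": LACEWORK_PLATFORM_ROLE},
             "Action": "sns:Subscribe", "Resource": topic_arn},
            {"Sid": "AllowS3ToPublish", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "sns:Publish", "Resource": topic_arn,
             "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                           "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket}"}}}]},
        "notification": {"TopicConfigurations": [
            {"TopicArn": topic_arn, "Events": ["s3:ObjectCreated:*"],
             "Filter": {"Key": {"FilterRules": [
                 {"Name": "prefix", "Value": log_prefix.rstrip("/")}]}}}]},
        "firehose_trust": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "firehose.amazonaws.com"},
             "Action": "sts:AssumeRole"}]},
        "firehose_policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/{log_prefix}*"}]},
        # RoleARN is added once the Firehose role exists; the page's other values are kept.
        "firehose_destination": {
            "BucketARN": bucket_arn, "Prefix": log_prefix,
            "ErrorOutputPrefix": f"audit_logs/{account_id}/error/",
            "BufferingHints": {"IntervalInSeconds": 300, "SizeInMBs": 100},
            "CloudWatchLoggingOptions": {"Enabled": False},
            "CompressionFormat": "UNCOMPRESSED",
            "EncryptionConfiguration": {"NoEncryptionConfig": "NoEncryption"}},
        "cross_account_trust": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": LACEWORK_PLATFORM_ROLE},
             "Action": "sts:AssumeRole",
             "Condition": {"StringEquals": {"sts:ExternalId": [external_id]}}}]},
    }


def check_consistency(docs):
    """Return the mismatches that silently break the S3 -> SNS -> Lacework hand-off."""
    problems = []
    publish = docs["topic_policy"]["Statement"][1]["Condition"]
    if publish["ArnLike"]["aws:SourceArn"].rsplit(":", 1)[1] != docs["bucket"]:
        problems.append("topic policy aws:SourceArn does not name the log bucket")
    if publish["StringEquals"]["aws:SourceAccount"] != docs["account_id"]:
        problems.append("topic policy aws:SourceAccount is not the integrated account")
    rule = docs["notification"]["TopicConfigurations"][0]["Filter"]["Key"]["FilterRules"][0]
    fh_prefix = docs["firehose_destination"]["Prefix"]
    if not fh_prefix.startswith(rule["Value"]):
        problems.append("Firehose writes outside the prefix the bucket notification watches")
    put_resource = docs["firehose_policy"]["Statement"][0]["Resource"]
    if not put_resource.startswith(f"{docs['bucket_arn']}/{fh_prefix}"):
        problems.append("Firehose role cannot PutObject under its own delivery prefix")
    trust = docs["cross_account_trust"]["Statement"][0]["Condition"]["StringEquals"]
    if not is_lacework_external_id(trust["sts:ExternalId"][0]):
        problems.append("external ID is not in the lweid:aws:v2:<tenant>:<account>:<10 chars> format")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; substitute your own prefix, account, tenant and topic ARN.
    docs = build_step1_documents("acme", "123456789012", "acme",
                                 "arn:aws:sns:us-east-1:123456789012:acme-lacework-eks")
    for problem in check_consistency(docs):
        print("CHECK FAILED:", problem)
    print("external ID (keep for the Lacework Console):", docs["external_id"])
    for name in ("topic_policy", "notification", "firehose_trust", "firehose_policy",
                 "firehose_destination", "cross_account_trust"):
        print(f"\n# {name}\n{json.dumps(docs[name], indent=2)}")
```

Run it once with your values, paste each printed document into the matching command above, and keep the printed external ID for Step 2. The Firehose destination document is printed without RoleARN because that ARN only exists after the Firehose role has been created.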

Step 2: Create an Integration in the Lacework Console

Creating an integration allows Lacework to track audit logs from all EKS clusters that belong to your AWS account. If you have multiple AWS accounts, you must add multiple EKS audit log integrations in Lacework, one for each AWS account you have.

If you have EKS clusters in multiple AWS regions, Lacework recommends creating multiple EKS audit log integrations, one for each AWS account per region. Multiple EKS clusters can belong to a single Lacework EKS audit log integration.

To create the integration, follow these steps:

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select Manual configuration.
  5. Click Next.
  6. Select EKS Audit Log.
  7. Enter a unique name that displays in the Lacework Console.
  8. Enter the account ID of the AWS account to integrate.
  9. Paste the external ID that you created when setting up the AWS resources. If the external ID does not comply with the format requirements, click the Refresh icon to generate a new one. Then follow the steps to update the external ID in the AWS console before returning here to finish the integration.
  10. Enter the ARN of the cross-account role that you created when setting up the AWS resources.
  11. Complete the remaining fields and click Save.

The new integration now appears in the Cloud accounts page.

Step 3: Instrument EKS Clusters

Instrumenting an EKS cluster sets up the AWS resources that ship logs from that cluster's EKS log group to Lacework. Audit logging must also be enabled for the cluster in the AWS account.

Log in to AWS and use CloudShell to run the commands in the following sections.

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

Completing the steps in this section instruments each EKS cluster in the EKS integration you just created.

Create an IAM Role for CloudWatch Logs

Run the following command:

aws iam create-role --role-name <role_name> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "logs.<region>.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'

Replace:

  • <role_name> with the desired name for the IAM role.
  • <region> with your AWS region.

Attach an IAM Policy to the IAM Role for CloudWatch Logs

Run the following command:

aws iam put-role-policy --role-name <role_name> --policy-name <policy_name> --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["firehose:putRecord", "firehose:putRecordBatch"],
"Resource": "<firehose_ARN>"
}
]
}'

Replace:

  • <role_name> with the name of the IAM role for CloudWatch.
  • <policy_name> with the desired name for the IAM policy.
  • <firehose_ARN> with the ARN of the Kinesis Firehose delivery stream created for the EKS integration.

Create a Subscription Filter for CloudWatch Logs

Run the following command:

aws logs put-subscription-filter --log-group-name "/aws/eks/<EKS_cluster_name>/cluster" --filter-name "<filter_name>" --filter-pattern "{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }" --destination-arn "<firehose_ARN>" --role-arn "<role_arn>"

Replace:

  • <EKS_cluster_name> with the name of the EKS cluster.
  • <filter_name> with the desired name for the filter.
  • <firehose_ARN> with the ARN of the Kinesis Firehose delivery stream created for the EKS integration.
  • <role_arn> with the ARN of the IAM role for CloudWatch.
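The --filter-pattern above decides which audit events ever reach Firehose, and therefore Lacework: only ResponseComplete events, minus the kube-apiserver's own health, version, metrics, logs and swagger endpoints. To see that selection applied to concrete records, here is an added Python example (not from the original page) that implements the same stage check and requestURI exclusions over constructed sample events. It assumes that `*` is the only wildcard in a CloudWatch JSON string comparison (so the `?` in `/version?*` is literal) and that an event without a requestURI matches no exclusion.

```python
"""Apply the page's CloudWatch subscription-filter pattern to sample EKS audit events.

Added example, not from the original page; the events are constructed, not captured."""
import json
import re

# The exclusions the page's --filter-pattern lists, in the same order.
EXCLUDED_URI_PATTERNS = [
    "/version", "/version?*", "/metrics", "/metrics?*", "/logs", "/logs?*",
    "/swagger*", "/livez*", "/readyz*", "/healthz*",
]


def _wildcard_to_regex(pattern):
    # Assumption: "*" is the only wildcard in a CloudWatch JSON string comparison,
    # so "?" in "/version?*" is a literal query-string marker and matches are whole-string.
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


_EXCLUDED = [_wildcard_to_regex(p) for p in EXCLUDED_URI_PATTERNS]


def passes_filter(event):
    """True when the page's pattern would forward this audit event to Firehose."""
    if event.get("stage") != "ResponseComplete":
        return False
    uri = event.get("requestURI", "")  # assumption: a missing URI matches no exclusion
    return not any(rx.match(uri) for rx in _EXCLUDED)


def forwarded(lines):
    """Split raw log lines (one JSON audit event each) into forwarded and dropped auditIDs."""
    kept, dropped = [], []
    for line in lines:
        event = json.loads(line)
        (kept if passes_filter(event) else dropped).append(event["auditID"])
    return kept, dropped


# Constructed sample events in the shape of kube-apiserver audit records.
SAMPLE_EVENTS = [
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/healthz"},                                  # probe noise, dropped
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/version?timeout=32s"},                      # matches /version?*, dropped
    {"auditID": "a3", "stage": "ResponseStarted", "verb": "list",
     "requestURI": "/api/v1/secrets"},                           # wrong stage, dropped
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "list",
     "requestURI": "/api/v1/secrets"},                           # forwarded
    {"auditID": "a5", "stage": "ResponseComplete", "verb": "create",
     "requestURI": "/api/v1/namespaces/kube-system/pods/etcd-0/exec"},  # forwarded
    {"auditID": "a6", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/namespaces/default/pods/web/log"},   # "/log" != "/logs", forwarded
    {"auditID": "a7", "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/logs"},                                     # apiserver /logs, dropped
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    kept, dropped = forwarded(SAMPLE_LINES)
    print("forwarded to Firehose:", kept)
    print("dropped by the filter:", dropped)
```

The point for a detection engineer is the shape of the exclusions: they are anchored, whole-URI comparisons, so a pod log read under /api/v1/.../log is still forwarded even though the apiserver's own /logs endpoint is not, and the ResponseComplete requirement means each request arrives once, with its response code, rather than as a RequestReceived/ResponseComplete pair.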

Verify the Integration is Set Up

To verify that logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<AWS_account_ID>/.

To verify SNS notifications for the creation of S3 objects:

  • Create an email subscription on the SNS topic and confirm the subscription by clicking the link sent to your inbox. Every time a log object is written, you should receive an email with the key details.
  • Expect a new log object, and therefore a notification, every 5 minutes, which is the 300-second buffering interval configured on the Firehose delivery stream.