
Amazon EKS Audit Log Integration

Overview


Lacework ingests Kubernetes audit logs for EKS (also known as Amazon EKS control plane logs) through AWS CloudWatch, without the need for an agent. After you have integrated Lacework for Kubernetes audit logs, Lacework creates Polygraphs and detects anomalous events based on the log data. For an overview of how Lacework works with Kubernetes audit logs, see Kubernetes Audit Logs.

Audit Logs Processed by Lacework

The EKS audit log policy is managed by Amazon and cannot be changed. Lacework ingests the events recorded at the ResponseComplete stage. The logs do not contain sensitive information such as secrets or keys.

User Mapping

If EKS audit logs contain the AWS identity of the actual user, Lacework is able to report the username of the person who triggered an activity inside EKS. The Polygraph and the API calls table will show the username.

Lacework reports Kubernetes impersonation (assumed role).
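To make the two preceding points concrete (ingesting only ResponseComplete events, and mapping a Kubernetes username back to the AWS identity that triggered it, including impersonation), here is an added example that is not part of Lacework's documentation or product code. The log lines are constructed; the `user.extra.arn` and `user.extra.sessionName` keys are the ones the EKS IAM authenticator adds to audit events, and `impersonatedUser` is the standard Kubernetes audit field.

```python
import json

# Constructed sample: four lines as they would appear in the EKS control plane
# audit log group in CloudWatch, one audit.k8s.io/v1 Event per line. Only the
# ResponseComplete events carry a responseStatus; the system:apiserver event
# has no AWS identity because it was not authenticated through IAM.
AUDIT_LOG_LINES = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","requestURI":"/api/v1/namespaces/prod/pods","user":{"username":"kubernetes-admin","groups":["system:masters"],"extra":{"arn":["arn:aws:sts::111122223333:assumed-role/ClusterAdmin/alice"],"sessionName":["alice"]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestURI":"/api/v1/namespaces/prod/pods","user":{"username":"kubernetes-admin","groups":["system:masters"],"extra":{"arn":["arn:aws:sts::111122223333:assumed-role/ClusterAdmin/alice"],"sessionName":["alice"]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"kubernetes-admin","extra":{"arn":["arn:aws:sts::111122223333:assumed-role/ClusterAdmin/bob"],"sessionName":["bob"]}},"impersonatedUser":{"username":"system:serviceaccount:kube-system:deployer"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/nodes","user":{"username":"system:apiserver","groups":["system:masters"]},"responseStatus":{"code":200}}
"""


def aws_identity(event):
    """Return the AWS principal ARN the IAM authenticator attached, if any."""
    arns = event.get("user", {}).get("extra", {}).get("arn") or []
    return arns[0] if arns else None


def attribute_events(log_text):
    """Keep only ResponseComplete events and attribute each to its Kubernetes
    user, the AWS identity behind it, and any impersonated user."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived / ResponseStarted stages are not ingested
        rows.append({
            "verb": ev.get("verb"),
            "uri": ev.get("requestURI"),
            "code": (ev.get("responseStatus") or {}).get("code"),
            "k8s_user": ev.get("user", {}).get("username"),
            "aws_identity": aws_identity(ev),
            "impersonated": (ev.get("impersonatedUser") or {}).get("username"),
        })
    return rows


def impersonation_events(rows):
    """Rows where the caller acted as another identity via impersonation."""
    return [r for r in rows if r["impersonated"]]


if __name__ == "__main__":
    for r in attribute_events(AUDIT_LOG_LINES):
        who = r["aws_identity"] or r["k8s_user"]
        acting = f" as {r['impersonated']}" if r["impersonated"] else ""
        print(f"{who}{acting}: {r['verb']} {r['uri']} -> {r['code']}")
```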

Deployment Methods

Lacework provides these ways to deploy Lacework for EKS audit logs:

  • Terraform – Terraform is the most straightforward way to integrate Lacework with EKS audit logs when deploying for multiple clusters across multiple regions, because you only need to configure and run Terraform once instead of running the template for each cluster.

    For details about using Terraform to create an integration, go to AWS EKS Audit Log Integration with Terraform.

  • CloudFormation – Using CloudFormation consists of two steps:

    • Create an integration in the Lacework Console and run the CloudFormation template file, which allows Lacework to track audit logs.
    • Instrument each EKS cluster for the EKS integration created. Run the CloudFormation subscription filter template file to set up your resources to send logs from EKS log groups to Lacework.

    For more information, see EKS Audit Log Integration Using CloudFormation.

For either integration method, audit logging must be enabled on the clusters that you want to integrate, as detailed in the integration instructions.

Limitations

The number of EKS audit log integrations supported per Lacework account is limited to 20. To provision more than 20 EKS audit log integrations, you need to provision additional Lacework accounts.