
Kubernetes Audit Logs for EKS

beta feature

This topic describes functionality that is currently in beta.

Kubernetes audit logs for EKS, also known as Amazon EKS control plane logs, are retrieved through AWS CloudWatch; no agent is needed. To create the Polygraph for user and workload activities, Lacework ingests audit logs from user-selected EKS clusters and finds anomalous events as described in the Default Policy page. You can create additional custom policies using the Lacework Query Language (LQL) to target any specific action or resource. Go to the Custom Policies Overview for more information.

Lacework provides an easy way to ingest logs from any EKS cluster using CloudFormation or Terraform. Go to the EKS Audit Log Integration Overview to get started.

Audit Logs Processed by Lacework

The EKS audit log policy is managed by Amazon and cannot be changed by the user. Lacework ingests only the log entries with the ResponseCompleted status. The logs do not contain sensitive information such as secrets or keys. Some events are excluded from the EKS audit policy and therefore are not sent to Lacework; specifically, Delete events.

User Mapping

If EKS audit logs contain the AWS identity of the actual user, Lacework is able to report the username of the person who triggered an activity inside EKS. The Polygraph and the API calls table will show that username.

Lacework reports Kubernetes impersonation (assumed role).
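An added illustration, not Lacework's code: the filtering and attribution described in the two sections above, applied to constructed EKS audit events in Python. It assumes the Kubernetes audit stage value ResponseComplete and the user.extra arn annotation that aws-iam-authenticator adds to the event; the account id, role and names are placeholders.

```python
import json

# Constructed sample EKS audit events (Kubernetes audit Event schema). The
# user.extra "arn" annotation is the one aws-iam-authenticator adds; account
# id, role and session name are placeholders.
ARN = "arn:aws:sts::111122223333:assumed-role/AdminRole/alice"
SAMPLE_EVENTS = [
    json.dumps({"stage": "RequestReceived", "verb": "get", "auditID": "a1",
                "user": {"username": "kubernetes-admin", "extra": {"arn": [ARN]}},
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1"}}),
    json.dumps({"stage": "ResponseComplete", "verb": "get", "auditID": "a1",
                "user": {"username": "kubernetes-admin", "extra": {"arn": [ARN]}},
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1"},
                "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "auditID": "b2",
                "user": {"username": "kubernetes-admin", "extra": {"arn": [ARN]}},
                "impersonatedUser": {"username": "system:serviceaccount:kube-system:deployer"},
                "objectRef": {"resource": "deployments", "namespace": "kube-system", "name": "ci"},
                "responseStatus": {"code": 201}}),
]

def actor_from_event(event):
    """AWS identity first: the session name of an STS assumed-role ARN is
    usually the person who assumed the role; fall back to the k8s username."""
    user = event.get("user", {})
    arns = user.get("extra", {}).get("arn", [])
    if arns and ":assumed-role/" in arns[0]:
        return arns[0].rsplit("/", 1)[-1]
    return arns[0] if arns else user.get("username", "unknown")

def process_events(lines):
    """Keep ResponseComplete events only (one per request), attribute each to
    the AWS identity and surface impersonation separately from the actor."""
    rows = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived carries no response; skip the duplicate
        ref = ev.get("objectRef", {})
        rows.append({
            "auditID": ev["auditID"],
            "actor": actor_from_event(ev),
            "verb": ev["verb"],
            "target": "/".join(filter(None, [ref.get("namespace"), ref.get("resource"), ref.get("name")])),
            "impersonated": ev.get("impersonatedUser", {}).get("username"),
            "status": ev.get("responseStatus", {}).get("code"),
        })
    return rows
```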

EKS Audit Log Integration

For information about integrating EKS with Lacework, see EKS Audit Log Integrations.