Effective monitoring of Kubernetes audit logs offers several benefits. First and foremost, it helps in identifying unauthorized access attempts, unusual or suspicious activities, and potential security breaches. This enables administrators to take immediate action to mitigate risks and prevent further damage.
However, having logs just for the sake of it is a waste of money and effort if no one is checking them. This is where Amazon GuardDuty can help with its new feature that offers automated monitoring of these audit logs.
Example findings
A couple of examples of what it can spot for you:
- CredentialAccess:Kubernetes/MaliciousIPCaller: An API commonly used to access credentials or secrets in a Kubernetes cluster was invoked from a known malicious IP address.
- PrivilegeEscalation:Kubernetes/PrivilegedContainer: A privileged container with root level access was launched on your Kubernetes cluster.
- Policy:Kubernetes/ExposedDashboard: The dashboard for a Kubernetes cluster was exposed to the internet.
Or my personal favourite:
- Policy:Kubernetes/AnonymousAccessGranted: The system:anonymous user was granted API permission on a Kubernetes cluster.
To use this new feature, there are 2 things you need to do:
- Enable audit logs on your EKS cluster (if you haven't done already)
- Set up EKS audit log monitoring in GuardDuty
Enable audit logs on your EKS cluster using Terraform
Using aws_eks_cluster resource
If you are using the aws_eks_cluster resource, you only need to add a single line to it to enable audit logging.
  resource "aws_eks_cluster" "example" {
    # ... other configurations ...
    # "audit" is the log type GuardDuty consumes. Additional types: api, authenticator, controllerManager, scheduler
    enabled_cluster_log_types = ["audit"]
    # ... other configurations ...
  }
Using AWS's EKS Terraform module
If you are using the official EKS Terraform module, you need to make sure that audit is included in the cluster_enabled_log_types input parameter, as below. (By default, it is already configured.)
  module "eks" {
    source  = "terraform-aws-modules/eks/aws"
    version = "~> 19.0"
    # ... other configurations ...
    cluster_enabled_log_types = ["audit"]
    # ... other configurations ...
  }
Set up GuardDuty for EKS audit logs using Terraform
With the official aws_guardduty_detector resource this is fairly simple and it only takes a few lines.
  resource "aws_guardduty_detector" "example" {
    enable = true
    datasources {
      # ... other configurations ...
      kubernetes {
        audit_logs {
          # Must be true for GuardDuty to monitor the EKS audit logs
          enable = true
        }
      }
      # ... other configurations ...
    }
  }
Once you set it up, you should start receiving alerts from GuardDuty when it detects suspicious activities. For the full list of findings, check out the official documentation.
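Findings are only useful if someone sees them, so as an added example (not part of the original post) here is Terraform that forwards GuardDuty Kubernetes findings of medium severity or higher to an SNS topic via EventBridge. The resource names, the topic name and the severity threshold are assumptions; the finding-type prefixes are the three categories shown above.

```hcl
# Added example, not from the original post. Names and the threshold are assumptions.
resource "aws_sns_topic" "guardduty_k8s_alerts" {
  name = "guardduty-kubernetes-findings"
}

# Allow EventBridge to publish findings to the topic.
resource "aws_sns_topic_policy" "guardduty_k8s_alerts" {
  arn = aws_sns_topic.guardduty_k8s_alerts.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.guardduty_k8s_alerts.arn
    }]
  })
}

# Match GuardDuty findings whose type is one of the Kubernetes categories
# discussed above and whose severity is at least 4 (GuardDuty "Medium").
resource "aws_cloudwatch_event_rule" "guardduty_k8s" {
  name        = "guardduty-kubernetes-findings"
  description = "GuardDuty findings derived from EKS audit logs"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      type = [
        { prefix = "CredentialAccess:Kubernetes" },
        { prefix = "PrivilegeEscalation:Kubernetes" },
        { prefix = "Policy:Kubernetes" },
      ]
      severity = [{ numeric = [">=", 4] }]
    }
  })
}

# Deliver matching findings to the SNS topic.
resource "aws_cloudwatch_event_target" "guardduty_k8s_sns" {
  rule      = aws_cloudwatch_event_rule.guardduty_k8s.name
  target_id = "guardduty-k8s-sns"
  arn       = aws_sns_topic.guardduty_k8s_alerts.arn
}
```

Subscribe an e-mail address or a chat webhook to the topic, then verify the pipeline end to end with a GuardDuty sample finding rather than waiting for a real one.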