EKS Audit Log Integration Using the AWS CLI

Overview

To complete the integration, you must complete the following steps::

1. Create an integration in the Lacework Console.
2. Instrument each EKS cluster for the EKS integration created in Step 1.
   • Enable EKS logs on the clusters you want to integrate
   • Integrate EKS clusters

Prerequisites

You must enable audit logging on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

Create an Integration in the Lacework Console

Completing the steps in this section runs the first of two CloudFormation templates. You will run the second when you instrument EKS clusters.

1. Log in to the Lacework Console.
2. Go to Settings > Integrations > Cloud accounts.
3. Click + Add New.
4. Click Amazon Web Services and select CloudFormation.
5. Click Next.
6. Select EKS Audit Log.
7. Follow the steps in the next section.
8. Click Download CloudFormation Template.
9. Before you run the template, open it and replace the following values with the indicated information:
   • %awsAcnt - 12 digit AWS Account ID that will be integrated.
   • %acnt - Resource name prefix.
10. Run the template using the following command and input parameters:

    aws cloudformation create-stack \
    --stack-name <stack-name> \
    --template-body file://<downloaded-template-location> \
    --capabilities CAPABILITY_NAMED_IAM
11. Collect the FirehoseARN from the output to use in the following section.

Instrument EKS Clusters

Instrument each EKS cluster for the EKS integration you just created.

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate. CloudFormation does not currently support this action.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

Completing the steps in this section instruments each EKS cluster in the EKS integration you just created by running the second of two CloudFormation templates. You ran the first when you created the integration.

1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
2. Click the EKS Audit Log integration.
3. Click Download CloudFormation Template.
4. Before you run the template, open it and replace the %acnt value with the resource name prefix you want to use.
5. Run the template using the following command and input parameters:

   aws cloudformation create-stack\
   --stack-name <stack-name> \
   --template-body file://<downloaded-template-location> \
   --capabilities CAPABILITY_NAMED_IAM \
   --parameters ParameterKey=EKSClusterName,ParameterValue=<eks-cluster-name>  ParameterKey=FirehoseARN,ParameterValue=<firehose-arn>
   Use the following values:
   • EKSClusterName - Name of the EKS cluster.
   • FirehoseARN - Output of running the template when creating the integration.
     If you are instrumenting other clusters at a later date, you can find this ARN either by going to CloudFormation in the AWS Console and viewing Parameters for your EKS Audit stack or programmatically you can call the AWS API endpoint DescribeStacks and use OutputValue for the OutputKey LaceworkEKSFirehoseArn.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify SNS notifications for the creation of S3 objects:

• Create an email subscription on the SNS topic and ensure you confirm the subscription by clicking the link sent to your inbox. Every time a log is written, you should receive an email with the key details.
• Logs are created every 5 minutes.