Create an EKS Audit Log Integration Manually

Overview

To complete the integration, you must:

  1. Create an integration in the Lacework Console.
  2. Instrument each EKS cluster for the EKS integration created in Step 1.
    • Enable EKS logs on the clusters you want to integrate
    • Integrate EKS clusters

Prerequisites

You must enable audit logging on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
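The CLI command above enables the audit log type on one cluster at a time. As an added example (not Lacework's or AWS's own code), the script below reads describe-cluster output for every cluster in a region, reports which ones still have audit logging off, and with --apply submits the same logging document the CLI command sends. The cluster names and logging states in SAMPLE_CLUSTERS are constructed; boto3 is imported only inside main(), so the helpers run offline.

```python
"""Find EKS clusters whose control-plane audit logging is off and optionally enable it.

Added example, not part of the Lacework documentation. The helpers work on the
dict shape returned by `aws eks describe-cluster` / boto3 describe_cluster and
are exercised against constructed samples below.
"""

AUDIT_TYPE = "audit"


def audit_logging_enabled(cluster):
    """True if cluster.logging.clusterLogging lists 'audit' in an enabled log set.
    EKS groups log types into {"types": [...], "enabled": bool} entries."""
    for setup in cluster.get("logging", {}).get("clusterLogging", []):
        if setup.get("enabled") and AUDIT_TYPE in setup.get("types", []):
            return True
    return False


def audit_logging_update():
    """The --logging document from the CLI command, as the dict boto3 accepts."""
    return {"clusterLogging": [{"types": [AUDIT_TYPE], "enabled": True}]}


def clusters_needing_audit(clusters):
    """Names of clusters to update. Clusters that already have audit logging on are
    skipped: update-cluster-config rejects a logging update that changes nothing."""
    return [c["name"] for c in clusters if not audit_logging_enabled(c)]


# Constructed describe-cluster responses, trimmed to the fields used here.
SAMPLE_CLUSTERS = [
    {"name": "prod-eu", "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]}},
    {"name": "dev-eu", "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator", "controllerManager", "scheduler"],
         "enabled": False},
    ]}},
    {"name": "legacy-eu", "logging": {"clusterLogging": []}},
]


def main(region, apply=False):
    import boto3  # imported here so the pure helpers above run without AWS access

    eks = boto3.client("eks", region_name=region)
    names = [n for page in eks.get_paginator("list_clusters").paginate()
             for n in page["clusters"]]
    clusters = [eks.describe_cluster(name=n)["cluster"] for n in names]
    for name in clusters_needing_audit(clusters):
        print(f"{name}: audit logging is off")
        if apply:
            eks.update_cluster_config(name=name, logging=audit_logging_update())
            print(f"{name}: logging update submitted")


if __name__ == "__main__":
    import sys
    # usage: python enable_eks_audit.py <region> [--apply]
    main(sys.argv[1], apply="--apply" in sys.argv[2:])
```

Run it once without --apply to see which clusters the integration will not receive logs from, then again with --apply. The update is asynchronous on the EKS side; re-run without --apply a few minutes later to confirm every cluster reports audit logging enabled.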

Create an Integration in the Lacework Console

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select Manual configuration.
  5. Click Next.
  6. Select EKS Audit Log.
  7. For Name, enter a unique name that displays in the Lacework Console.
  8. For Account ID, enter the ID of the AWS account to integrate.
  9. For External ID, copy the Lacework-generated external ID. You must use this external ID to replace the temporary one that you provided during cross-account role creation.
    Refer to Update Cross-Account IAM Role External ID for how to update the cross-account role's external ID.
  10. For Role ARN, enter the ARN of the cross-account role that Lacework uses to access your AWS resources.
  11. For SNS ARN, enter the ARN of the topic that Lacework uses to communicate with your AWS resources.
  12. Click Save to finish the AWS integration and save your onboarding progress.

Instrument EKS Clusters

Instrument each EKS cluster for the EKS integration you just created.

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

To instrument EKS clusters, you can either Run the CloudFormation template or Download the CloudFormation template. If you have multiple accounts with distributed ownership, you may want to use the Download option.

Follow the steps for your chosen option.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page.
  4. Review the Create stack page and click Next. The template populates the Amazon S3 URL for you.
  5. On the Specify stack details page, provide the EKSClusterName. The template populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  6. On the Configure stack options page, click Next.
  7. Verify the information on the Review page and click Create stack.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify that SNS notifications are sent when S3 objects are created:

  • Create an email subscription on the SNS topic and confirm the subscription by clicking the link sent to your inbox. Each time a log object is written to the bucket, you should receive an email containing the object key details.
  • Log objects are written about every 5 minutes, so expect notifications at that cadence.
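As an added example (not Lacework's code), the script below automates the two checks described above: it parses the S3 ObjectCreated notification that the SNS subscription relays, keeping only keys under eks_audit_logs/<aws-account-id>/, and it looks at a listing of that prefix to decide whether objects are still arriving at the stated 5-minute cadence. The sample notification, account ID, bucket name and the date-based key layout beneath the prefix are all constructed for illustration.

```python
"""Verify EKS audit log delivery: S3 event notifications and object freshness.

Added example, not part of the Lacework documentation. The S3 event shape used
here is the standard S3 notification record format; everything else is assumed.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

DELIVERY_INTERVAL = timedelta(minutes=5)   # cadence stated on the page
ACCOUNT_ID = "123456789012"                # constructed sample account


def log_prefix(account_id):
    """Prefix under which the integration writes logs for one account."""
    return f"eks_audit_logs/{account_id}/"


def created_objects(notification):
    """(bucket, key) for each ObjectCreated:* record in an S3 event body.
    S3 URL-encodes object keys in events, so decode before comparing prefixes."""
    doc = json.loads(notification)
    out = []
    for rec in doc.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        out.append((rec["s3"]["bucket"]["name"],
                    unquote_plus(rec["s3"]["object"]["key"])))
    return out


def audit_log_keys(pairs, account_id):
    """Keys from created_objects() that sit under this account's log prefix."""
    return [k for _, k in pairs if k.startswith(log_prefix(account_id))]


def newest_object_age(objects, now):
    """Age of the most recent entry in a list_objects_v2 'Contents' list, or None."""
    if not objects:
        return None
    return now - max(o["LastModified"] for o in objects)


def logs_flowing(objects, now, slack=timedelta(minutes=10)):
    """True when the newest object is no older than one delivery interval plus slack."""
    age = newest_object_age(objects, now)
    return age is not None and age <= DELIVERY_INTERVAL + slack


# Constructed notification body, shaped like an S3 ObjectCreated event as SNS relays it.
# The second record is outside the prefix; the third is a delete and must be ignored.
SAMPLE_NOTIFICATION = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-eks-audit-bucket"},
            "object": {"key": f"eks_audit_logs/{ACCOUNT_ID}/2024/01/15/11/part-0001.gz"}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-eks-audit-bucket"},
            "object": {"key": "other%2Fplace/file+name.txt"}}},
    {"eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "example-eks-audit-bucket"},
            "object": {"key": f"eks_audit_logs/{ACCOUNT_ID}/old.gz"}}},
]})

SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = [  # constructed list_objects_v2 Contents entries
    {"Key": f"eks_audit_logs/{ACCOUNT_ID}/2024/01/15/11/part-0001.gz",
     "LastModified": SAMPLE_NOW - timedelta(minutes=12)},
    {"Key": f"eks_audit_logs/{ACCOUNT_ID}/2024/01/15/11/part-0002.gz",
     "LastModified": SAMPLE_NOW - timedelta(minutes=4)},
]


def main(bucket, account_id):
    import boto3  # only main() needs AWS access

    s3 = boto3.client("s3")
    contents = []
    pages = s3.get_paginator("list_objects_v2").paginate(
        Bucket=bucket, Prefix=log_prefix(account_id))
    for page in pages:
        contents.extend(page.get("Contents", []))
    now = datetime.now(timezone.utc)
    print(f"{len(contents)} objects under {log_prefix(account_id)}; "
          f"newest age={newest_object_age(contents, now)}; flowing={logs_flowing(contents, now)}")


if __name__ == "__main__":
    import sys
    # usage: python verify_eks_audit.py <bucket> <aws-account-id>
    main(sys.argv[1], sys.argv[2])
```

The freshness check deliberately allows slack beyond the 5-minute interval, because Firehose buffering and a quiet cluster can stretch the gap between objects; tune the slack to what you observe before wiring the check into monitoring.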