Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable CloudTrail Logging for Kubernetes API Calls

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that CloudTrail logging is enabled for Amazon Elastic Kubernetes Service (EKS) clusters in order to record all Kubernetes API calls. Amazon CloudTrail records and documents all activities performed on EKS clusters. Whenever operations such as "CreateCluster," "ListClusters," or "DeleteCluster" are executed, corresponding records are generated in the CloudTrail trail log files. Each event or log entry includes details about the IAM identity responsible for the request and the credentials utilized.

Security
Reliability
Cost
optimisation
Performance
efficiency
Operational
excellence

Enabling CloudTrail logging for Amazon EKS clusters is vital for security monitoring, compliance adherence, incident investigation, and operational insights. It provides a detailed audit trail of API calls, enabling proactive detection of unauthorized access, ensuring regulatory compliance, facilitating incident response, and optimizing cluster performance and change management.

Audit

To determine if CloudTrail logging is enabled for Amazon EKS clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail console available at https://console.aws.amazon.com/cloudtrail/.

03 In the main navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, check the Trail logging attribute value. If the Trail logging value is set to Off, the selected CloudTrail trail is not active.

06 Repeat steps no. 4 and 5 for each Amazon CloudTrail trail available within the current AWS region. If the Trail logging value is set to Off for each verified trail, there are no active trails within the current AWS region, therefore CloudTrail logging is not enabled for your Amazon EKS clusters. If the Trail logging value is set to Logging, follow the steps outlined on this page to ensure that the trail configuration is compliant and the trail log files are delivered as expected.

07 Change the AWS cloud region from the top navigation bar and perform the Audit process for other AWS regions.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account: 

aws cloudtrail list-trails
  --region us-east-1
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names: 

[
	"cc-main-cloudtrail-trail",
	"cc-project5-api-trail"
]

03 Run get-trail-status command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine if your CloudTrail trail is enabled in the selected AWS region: 

aws cloudtrail get-trail-status
  --name cc-main-cloudtrail-trail
  --query 'IsLogging'

04 The command output should return the requested flag status (**true** for enabled, **false** for disabled): 

[
	false
]

05 Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available in the selected AWS region. If the get-trail-status command output returns false for each verified trail, there are no active trails within the selected AWS region, therefore CloudTrail logging is not enabled for Amazon EKS clusters. If the get-trail-status value is set to true, follow the steps outlined on this page to ensure that the trail configuration is compliant and the trail log files are delivered as expected.

06 Change the AWS cloud region using the --region command parameter and perform the Audit process for other AWS regions.

Remediation / Resolution

To enable CloudTrail logging for your Amazon EKS clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail console available at https://console.aws.amazon.com/cloudtrail/.

03 In the main navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to enable and choose Start logging.

05 If there is no CloudTrail trail created within the current AWS region, choose Create trail and follow the setup wizard to create the trail required to record the activity performed on your Amazon EKS clusters. Once all the required settings are configured, choose Create trail to deploy your new, multi-region Amazon CloudTrail trail.

Using AWS CLI

01 Run start-logging command (OSX/Linux/UNIX) to enable the selected Amazon CloudTrail trail (the command does not produce an output): 

aws cloudtrail start-logging
  --region us-east-1
  --name cc-main-cloudtrail-trail

02 If the existing trail is not configured to support all AWS cloud regions, i.e. is not a multi-region trail, follow the steps outlined on this page to enable global monitoring for the existing trail.

03 If there are no CloudTrail trails available, run create-trail command (OSX/Linux/UNIX) to create the multi-region trail required to record the activity performed on your Amazon EKS clusters: 

aws cloudtrail create-trail
  --region us-east-1
  --name cc-eks-global-trail
  --s3-bucket-name cc-trail-log-bucket
  --is-multi-region-trail

04 The command output should return the configuration information available for the new multi-region trail: 

{
	"IncludeGlobalServiceEvents": true,
	"IsOrganizationTrail": false,
	"Name": "cc-eks-global-trail",
	"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-eks-global-trail",
	"LogFileValidationEnabled": true,
	"IsMultiRegionTrail": true,
	"S3BucketName": "cc-trail-log-bucket"
}

References

Publication date Jul 12, 2023

Related EKS rules