Observability in Amazon EKS - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Observability in Amazon EKS

You can observe your data in Amazon EKS using many available monitoring or logging tools. Your Amazon EKS log data can be streamed to Amazon Web Services or to partner tools for data analysis. There are many services available in the Amazon Web Services Management Console that provide data for troubleshooting your Amazon EKS issues.

After selecting Clusters in the left navigation pane of the Amazon EKS console, you can view cluster health and details by selecting your cluster's name. To view details about any existing Kubernetes resources that are deployed to your cluster, see View Kubernetes resources.

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon EKS and your Amazon solutions. We recommend that you collect monitoring data from all of the parts of your Amazon solution. That way, you can more easily debug a multi-point failure if one occurs. Before you start monitoring Amazon EKS, make sure that your monitoring plan addresses the following questions.

  • What are your goals? Do you need real-time notifications if your clusters scale dramatically?

  • What resources need to be observed?

  • How frequently do you need to observe these resources? Does your company want to respond quickly to risks?

  • What tools do you intend to use? If you already run Amazon Fargate as part of your launch, then you can use the built-in log router.

  • Who you do intend to perform the monitoring tasks?

  • Whom do you want notifications to be sent to when something goes wrong?

Logging and monitoring on Amazon EKS

Amazon EKS provides built-in tools for logging and monitoring. Control plane logging records all API calls to your clusters, audit information capturing what users performed what actions to your clusters, and role-based information. For more information, see Logging and monitoring on Amazon EKS in the Amazon Prescriptive Guidance.

Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. You can select the exact log types you need, and logs are sent as log streams to a group for each Amazon EKS cluster in CloudWatch. For more information, see Amazon EKS control plane logging.


When you check the Amazon EKS authenticator logs in Amazon CloudWatch, the entries are displayed that contain text similar to the following example text.

level=info msg="mapping IAM role" groups="[]" role="arn:aws-cn:iam::111122223333:role/XXXXXXXXXXXXXXXXXX-NodeManagerRole-XXXXXXXX" username="eks:node-manager"

Entries that contain this text are expected. The username is an Amazon EKS internal service role that performs specific operations for managed node groups and Fargate.

For low-level, customizable logging, then Kubernetes logging is available.

Amazon EKS is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon service in Amazon EKS. CloudTrail captures all API calls for Amazon EKS as events. The calls captured include calls from the Amazon EKS console and code calls to the Amazon EKS API operations. For more information, see Logging Amazon EKS API calls with Amazon CloudTrail.

The Kubernetes API server exposes a number of metrics that are useful for monitoring and analysis. For more information, see Control plane metrics with Prometheus.

To configure Fluent Bit for custom Amazon CloudWatch logs, see Setting up Fluent Bit in the Amazon CloudWatch User Guide.

Amazon EKS logging and monitoring tools

Amazon Web Services provides various tools that you can use to monitor Amazon EKS. You can configure some tools to set up automatic monitoring, but some require manual calls. We recommend that you automate monitoring tasks as much as your environment and existing toolset allows.

Logging Tools
Areas Tool Logs Setup


Amazon CloudWatch Container Insights

It collects, aggregates, and summarizes metrics and logs from your containerized applications and microservices.

Setup procedure

Control plane

Amazon CloudTrail

It logs API calls by a user, role, or service.

Setup procedure

Multiple areas for Amazon Fargate instances

Amazon Fargate log router

For Amazon Fargate instances, it streams logs to Amazon services or partner tools. Uses Amazon for Fluent Bit. Logs can be streamed to other Amazon Web Services or partner tools.

Setup procedure

Monitoring Tools
Areas Tool Logs Setup


CloudWatch Container Insights

CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs from your containerized applications and microservices.

Setup procedure


Amazon Distro for OpenTelemetry (ADOT)

It collects and sends correlated metrics, trace data, and metadata to Amazon monitoring services or partners. It can be set up through CloudWatch Container Insights.

Setup procedure


Amazon DevOps Guru

It detects node-level operational performance and availability.

Setup procedure


Amazon X-Ray

It receives trace data about your application. This trace data includes ingoing and outgoing requests and metadata about the requests. For Amazon EKS, the implementation requires the OpenTelemetry add-on.

Setup procedure

Control plane


CloudWatch Logs ingestion, archive storage, and data scanning rates apply to enabled control plane logs.

Setup procedure