Using Amazon Security Lake with Amazon EKS - Amazon EKS

Important

Amazon Security Lake is not available in China Regions.

Amazon Security Lake is a fully managed security data lake service that allows you to centralize security data from various sources, including Amazon EKS. By integrating Amazon EKS with Security Lake, you can gain deeper insights into the activities performed on your Kubernetes resources and enhance the security posture of your Amazon EKS clusters.

Note

For more information about using Security Lake with Amazon EKS and setting up data sources, refer to the Amazon Security Lake documentation.

Benefits of using Security Lake with Amazon EKS

Centralized security data — Security Lake automatically collects and centralizes security data from your Amazon EKS clusters, along with data from other Amazon services, SaaS providers, on-premises sources, and third-party sources. This provides a comprehensive view of your security posture across your entire organization.

Standardized data format — Security Lake converts the collected data into the Open Cybersecurity Schema Framework (OCSF) format, which is a standard open-source schema. This normalization enables easier analysis and integration with other security tools and services.

Improved threat detection — Amazon EKS control plane audit logs record who called the Kubernetes API server, what they asked for, and what the response was. With those events centralized and normalized, you can look for actions such as exec sessions into pods, cluster-wide enumeration of secrets, successful requests from unauthenticated principals, or the creation of privileged role bindings, and correlate them with other sources in the same data lake. This helps you identify and respond to security incidents promptly.

Simplified data management — Security Lake manages the lifecycle of your security data with customizable retention and replication settings. This simplifies data management tasks and ensures that you retain the necessary data for compliance and auditing purposes.

Enabling Security Lake for Amazon EKS

To start using Security Lake with Amazon EKS, follow these steps:
  1. Enable Amazon EKS control plane logging for your EKS clusters, making sure the audit log type is among the enabled types; that is the stream Security Lake ingests. Refer to Enabling and disabling control plane logs for detailed instructions.

  2. Add Amazon EKS Audit Logs as a source in Security Lake. Security Lake then starts collecting the Kubernetes audit events from your EKS clusters, which record each request to the API server: the calling principal, the verb, the target resource, and the response.

  3. Configure retention and replication settings for your security data in Security Lake based on your requirements.

  4. Use the normalized OCSF data stored in Security Lake for incident response, security analytics, and integration with other Amazon services or third-party tools. For example, you can Generate security insights from Amazon Security Lake data using Amazon OpenSearch Ingestion.
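Steps 1 to 3 above as one worked example, added here and not code from the EKS guide or from Security Lake: a Python script using boto3 (assumed installed, with credentials allowed to call eks:DescribeCluster, eks:UpdateClusterConfig, securitylake:CreateAwsLogSource and securitylake:UpdateDataLake) that enables the audit log type on a cluster only if it is not already on, registers EKS_AUDIT as a Security Lake source for one account and Region, and sets a retention and storage-transition lifecycle. The cluster name, account ID, Region, retention values, storage class and the sourceVersion string are placeholders and assumptions; check them against the current Security Lake documentation. The payload builders are pure functions so the logic can be checked without touching AWS.

```python
"""Enable EKS audit logging and register it as a Security Lake source.
Added example, not from the EKS guide or Security Lake. Assumes boto3 and
suitable credentials only inside enable(); everything else runs offline."""

from __future__ import annotations


def enabled_log_types(cluster: dict) -> set[str]:
    """Log types currently enabled, from the 'cluster' dict of describe_cluster().
    EKS control plane log types are api, audit, authenticator, controllerManager
    and scheduler; Security Lake's EKS_AUDIT source consumes 'audit'."""
    enabled: set[str] = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_logging_update(cluster: dict) -> dict | None:
    """The update_cluster_config() 'logging' argument that turns on the audit
    log type, or None when it is already on (so re-running is harmless)."""
    if "audit" in enabled_log_types(cluster):
        return None
    return {"clusterLogging": [{"types": ["audit"], "enabled": True}]}


def security_lake_source(account_id: str, region: str, source_version: str = "2.0") -> dict:
    """One AwsLogSourceConfiguration for create_aws_log_source().
    source_version "2.0" is an assumption; confirm the current EKS_AUDIT version."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return {"sourceName": "EKS_AUDIT", "sourceVersion": source_version,
            "regions": [region], "accounts": [account_id]}


def data_lake_lifecycle(region: str, retain_days: int, archive_after_days: int,
                        replica_regions: list[str] | None = None,
                        replication_role_arn: str | None = None) -> dict:
    """One DataLakeConfiguration for update_data_lake(): expire objects after
    retain_days, move them to a cheaper storage class after archive_after_days,
    and optionally replicate to other Regions (Security Lake needs a role for that).
    STANDARD_IA is an assumed storage class; use one the API accepts."""
    if not 0 < archive_after_days < retain_days:
        raise ValueError("archive_after_days must be positive and below retain_days")
    cfg: dict = {"region": region,
                 "lifecycleConfiguration": {
                     "expiration": {"days": retain_days},
                     "transitions": [{"days": archive_after_days, "storageClass": "STANDARD_IA"}]}}
    if replica_regions:
        if not replication_role_arn:
            raise ValueError("replication needs a role ARN Security Lake can assume")
        cfg["replicationConfiguration"] = {"regions": replica_regions, "roleArn": replication_role_arn}
    return cfg


def enable(cluster_name: str, account_id: str, region: str) -> None:
    """Apply steps 1-3 against the live APIs (requires boto3 and credentials)."""
    import boto3  # imported here so the builders above import cleanly offline

    eks = boto3.client("eks", region_name=region)
    cluster = eks.describe_cluster(name=cluster_name)["cluster"]
    update = audit_logging_update(cluster)
    if update:
        eks.update_cluster_config(name=cluster_name, logging=update)
    lake = boto3.client("securitylake", region_name=region)
    lake.create_aws_log_source(sources=[security_lake_source(account_id, region)])
    lake.update_data_lake(configurations=[
        data_lake_lifecycle(region, retain_days=365, archive_after_days=90)])


if __name__ == "__main__":
    # Placeholder values; replace with your cluster, account and Region.
    enable("my-cluster", "123456789012", "us-east-1")
```

Step 4 is then a matter of pointing Athena, OpenSearch Ingestion or another consumer at the Security Lake tables; the lifecycle settings above decide how long those queries can reach back.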

Analyzing EKS Logs in Security Lake

Security Lake normalizes EKS log events to the OCSF format, making it easier to analyze and correlate the data with other security events. You can use various tools and services, such as Amazon Athena, Amazon QuickSight, or third-party security analytics tools, to query and visualize the normalized data.

For more information about the OCSF mapping for EKS log events, refer to the mapping reference in the OCSF GitHub repository.
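The analysis described in this section, and the detection use case under "Improved threat detection" above, as an added example that is not from the EKS guide, Security Lake or the OCSF repository: four detection rules in Python run over constructed OCSF API Activity events (class_uid 6003) shaped like normalized EKS audit records. The sample events and the field paths used (api.operation, api.response.code, actor.user.name, resources[].type and namespace, http_request.url.path, src_endpoint.ip, and the request body under unmapped.requestObject) are assumptions made here; confirm them against the EKS mapping reference before running the rules on real Security Lake tables.

```python
"""Detection rules over OCSF-normalized EKS audit events. Added example, not
from the EKS guide or Security Lake; field paths are assumptions based on the
OCSF API Activity class (class_uid 6003)."""

import json
from collections.abc import Iterable

# Constructed sample, one OCSF event per line (NDJSON), the shape a consumer
# might get back from a Security Lake table. Not real cluster data.
SAMPLE_EVENTS = r'''
{"class_uid": 6003, "time": 1700000000000, "api": {"operation": "get", "response": {"code": 200}}, "actor": {"user": {"name": "system:kube-controller-manager"}}, "resources": [{"type": "pods", "name": "web-1", "namespace": "prod"}], "http_request": {"url": {"path": "/api/v1/namespaces/prod/pods/web-1"}}, "src_endpoint": {"ip": "10.0.1.5"}}
{"class_uid": 6003, "time": 1700000001000, "api": {"operation": "create", "response": {"code": 101}}, "actor": {"user": {"name": "alice", "groups": ["developers"]}}, "resources": [{"type": "pods", "name": "web-1", "namespace": "prod"}], "http_request": {"url": {"path": "/api/v1/namespaces/prod/pods/web-1/exec?command=sh"}}, "src_endpoint": {"ip": "203.0.113.9"}}
{"class_uid": 6003, "time": 1700000002000, "api": {"operation": "list", "response": {"code": 200}}, "actor": {"user": {"name": "ci-runner", "groups": ["system:serviceaccounts"]}}, "resources": [{"type": "secrets"}], "http_request": {"url": {"path": "/api/v1/secrets"}}, "src_endpoint": {"ip": "10.0.2.7"}}
{"class_uid": 6003, "time": 1700000003000, "api": {"operation": "get", "response": {"code": 200}}, "actor": {"user": {"name": "system:anonymous", "groups": ["system:unauthenticated"]}}, "resources": [{"type": "configmaps", "name": "app", "namespace": "prod"}], "http_request": {"url": {"path": "/api/v1/namespaces/prod/configmaps/app"}}, "src_endpoint": {"ip": "198.51.100.4"}}
{"class_uid": 6003, "time": 1700000004000, "api": {"operation": "create", "response": {"code": 201}}, "actor": {"user": {"name": "bob", "groups": ["developers"]}}, "resources": [{"type": "clusterrolebindings", "name": "bob-admin"}], "http_request": {"url": {"path": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings"}}, "unmapped": {"requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}}, "src_endpoint": {"ip": "203.0.113.9"}}
{"class_uid": 6003, "time": 1700000005000, "api": {"operation": "get", "response": {"code": 403}}, "actor": {"user": {"name": "system:anonymous"}}, "resources": [{"type": "secrets", "name": "db", "namespace": "prod"}], "http_request": {"url": {"path": "/api/v1/namespaces/prod/secrets/db"}}, "src_endpoint": {"ip": "198.51.100.4"}}
'''

API_ACTIVITY = 6003
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}
SYSTEM_PREFIXES = ("system:", "eks:")  # principals used by Kubernetes and EKS itself


def get_path(event: dict, dotted: str, default=None):
    """Walk a dotted path such as 'api.response.code'; default if any part is absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def is_system_principal(user: str) -> bool:
    return user.startswith(SYSTEM_PREFIXES)


def rule_interactive_pod_access(ev: dict):
    """kubectl exec/attach/port-forward by a non-system user, allowed or denied."""
    leaf = get_path(ev, "http_request.url.path", "").split("?")[0].rsplit("/", 1)[-1]
    if (get_path(ev, "api.operation") == "create" and leaf in INTERACTIVE_SUBRESOURCES
            and not is_system_principal(get_path(ev, "actor.user.name", ""))):
        return "interactive_pod_access_by_non_system_user"
    return None


def rule_cluster_wide_secrets(ev: dict):
    """A list of secrets with no namespace, i.e. enumeration across the cluster."""
    if get_path(ev, "api.operation") == "list" and any(
            r.get("type") == "secrets" and not r.get("namespace") for r in ev.get("resources", [])):
        return "cluster_wide_secrets_enumeration"
    return None


def rule_anonymous_success(ev: dict):
    """system:anonymous received a non-error response: unauthenticated access works."""
    if (get_path(ev, "actor.user.name") == "system:anonymous"
            and get_path(ev, "api.response.code", 0) < 400):
        return "anonymous_request_succeeded"
    return None


def rule_cluster_admin_binding(ev: dict):
    """A ClusterRoleBinding to cluster-admin was created. Needs the request body,
    assumed here to be carried under unmapped.requestObject."""
    if (get_path(ev, "api.operation") == "create"
            and any(r.get("type") == "clusterrolebindings" for r in ev.get("resources", []))
            and get_path(ev, "unmapped.requestObject.roleRef.name") == "cluster-admin"):
        return "cluster_admin_binding_created"
    return None


RULES = (rule_interactive_pod_access, rule_cluster_wide_secrets,
         rule_anonymous_success, rule_cluster_admin_binding)


def detect(lines: Iterable[str]) -> list[dict]:
    """Parse NDJSON OCSF events; return one finding per (event, matching rule)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("class_uid") != API_ACTIVITY:
            continue  # only API Activity events carry the Kubernetes audit fields
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit, "time": ev.get("time"),
                                 "user": get_path(ev, "actor.user.name"),
                                 "src_ip": get_path(ev, "src_endpoint.ip"),
                                 "path": get_path(ev, "http_request.url.path"),
                                 "code": get_path(ev, "api.response.code")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(finding))
```

On the sample, the controller-manager read and the denied anonymous secret read produce no findings; the exec session, the cluster-scoped secrets list, the anonymous configmap read that returned 200, and the cluster-admin binding each produce one. The same predicates translate directly into Athena WHERE clauses over the Security Lake table once the real column paths are confirmed.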