Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
EKS Audit Log Monitoring

EKS Audit Log Monitoring helps you detect potentially suspicious activities in your EKS clusters within Amazon Elastic Kubernetes Service. When you enable EKS Audit Log Monitoring, GuardDuty immediately begins to monitor Kubernetes audit logs from your Amazon EKS clusters and analyze them for potentially malicious and suspicious activity. It consumes Kubernetes audit log events directly from the Amazon EKS control plane logging feature through an independent and duplicative stream of audit logs. This process does not require any additional setup and does not affect any existing Amazon EKS control plane logging configurations that you might have.

When you disable EKS Audit Log Monitoring, GuardDuty immediately stops monitoring and analyzing the Kubernetes audit logs for your Amazon EKS resources.

EKS Audit Log Monitoring may not be available in all the Amazon Web Services Regions where GuardDuty is available. For more information, see Region-specific feature availability.
How the 30-day free trial period affects GuardDuty accounts
- When you enable GuardDuty for the first time, EKS Audit Log Monitoring within EKS Protection is already included in the 30-day free trial period.
- Existing GuardDuty accounts can enable EKS Audit Log Monitoring for the first time with a 30-day free trial period.
Choose your preferred access method to enable or disable EKS Audit Log Monitoring for a standalone account.
- Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  2. In the navigation pane, choose EKS Protection.
  3. Under the Configuration tab, you can view the current configuration status of EKS Audit Log Monitoring. In the EKS Audit Log Monitoring section, choose Enable to enable or Disable to disable the EKS Audit Log Monitoring feature.
  4. Choose Save.
- API/CLI
  Run the updateDetector API operation using the regional detector ID of the delegated GuardDuty administrator account, passing the features object with name EKS_AUDIT_LOGS and status ENABLED or DISABLED.

  Alternatively, you can enable or disable EKS Audit Log Monitoring by running an Amazon CLI command. The following example enables GuardDuty EKS Audit Log Monitoring. To disable it, replace ENABLED with DISABLED.

  To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.

  aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]'
Configuring EKS Audit Log Monitoring in multiple-account environments

In a multiple-account environment, only the delegated GuardDuty administrator account has the option to enable or disable the EKS Audit Log Monitoring feature for the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using Amazon Organizations. This delegated GuardDuty administrator account can choose to auto-enable EKS Audit Log Monitoring for all the new accounts as they join the organization. For more information about multiple-account environments, see Managing multiple accounts in Amazon GuardDuty.

Choose your preferred access method to configure EKS Audit Log Monitoring for the delegated GuardDuty administrator account.
- Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the management account credentials.
  2. In the navigation pane, choose EKS Protection.
  3. Under the Configuration tab, you can view the current configuration status of EKS Audit Log Monitoring in the respective section. To update the configuration for the delegated GuardDuty administrator account, choose Edit in the EKS Audit Log Monitoring pane.
  4. Do one of the following:
     - Using Enable for all accounts
     - Using Configure accounts manually: to enable the protection plan only for the delegated GuardDuty administrator account, choose Configure accounts manually, and then choose Enable under the delegated GuardDuty administrator account (this account) section.
  5. Choose Save.
- API/CLI
  Run the updateDetector API operation using your own regional detector ID, passing the features object with name EKS_AUDIT_LOGS and status ENABLED or DISABLED.

  To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.

  You can enable or disable EKS Audit Log Monitoring by running the following Amazon CLI command. Make sure to use the delegated GuardDuty administrator account's valid detector ID. The following example enables EKS Audit Log Monitoring. Make sure to replace 12abc34d567e8fa901bc2d34e56789f0 with the detector-id of the delegated GuardDuty administrator account; update-detector takes no account ID parameter, the detector ID alone identifies the account being configured.

  aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]'

  To disable EKS Audit Log Monitoring, replace ENABLED with DISABLED.
Choose your preferred access method to enable EKS Audit Log Monitoring for existing member accounts in your organization.
- Console
  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  2. Do one of the following:
     Using the EKS Protection page
       a. In the navigation pane, choose EKS Protection.
       b. Under the Configuration tab, you can view the current status of EKS Audit Log Monitoring for active member accounts in your organization. To update the EKS Audit Log Monitoring configuration, choose Edit.
       c. Choose Enable for all accounts. This action automatically enables EKS Audit Log Monitoring for both the existing and new accounts in the organization.
       d. Choose Save.
       It may take up to 24 hours to update the configuration for the member accounts.
     Using the Accounts page
       a. In the navigation pane, choose Accounts.
       b. On the Accounts page, choose Auto-enable preferences before Add accounts by invitation.
       c. In the Manage auto-enable preferences window, choose Enable for all accounts under EKS Audit Log Monitoring.
       d. Choose Save.
  If you can't use the Enable for all accounts option and want to customize the EKS Audit Log Monitoring configuration for specific accounts in your organization, see Selectively enable or disable EKS Audit Log Monitoring for member accounts.
- API/CLI
  1. To selectively enable or disable EKS Audit Log Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.
  2. The following example shows how you can enable EKS Audit Log Monitoring for a single member account. To disable it, replace ENABLED with DISABLED.

     To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.

     aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]'

     You can also pass a list of account IDs separated by a space.

     When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Choose your preferred access method to enable EKS Audit Log Monitoring for all existing active member accounts in the organization.
- Console
  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Sign in using the delegated GuardDuty administrator account credentials.
  2. In the navigation pane, choose EKS Protection.
  3. On the EKS Protection page, you can view the current status of the EKS Audit Log Monitoring configuration.
  4. Under the Active member accounts section, choose Actions.
  5. From the Actions dropdown menu, choose Enable for all existing active member accounts.
  6. Choose Save.
- API/CLI
  1. To selectively enable or disable EKS Audit Log Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.
  2. The following example shows how you can enable EKS Audit Log Monitoring for a single member account. To disable it, replace ENABLED with DISABLED.

     To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.

     aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]'

     You can also pass a list of account IDs separated by a space.

     When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
The newly added member accounts must enable GuardDuty before configuring EKS Audit Log Monitoring. The member accounts managed by invitation can configure EKS Audit Log Monitoring manually for their accounts. For more information, see Step 3 - Accept an invitation.
Choose your preferred access method to enable EKS Audit Log Monitoring for new accounts that join your organization.
- Console
  The delegated GuardDuty administrator account can enable EKS Audit Log Monitoring for new member accounts in an organization, using either the EKS Audit Log Monitoring or Accounts page.

  To auto-enable EKS Audit Log Monitoring for new member accounts
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  2. Do one of the following:
- API/CLI
  1. To selectively enable or disable EKS Audit Log Monitoring for your new accounts, run the UpdateOrganizationConfiguration API operation using your own detector ID.
  2. The following example shows how you can enable EKS Audit Log Monitoring for the new members that join your organization. You can also pass a list of account IDs separated by a space.

     To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.

     aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "EKS_AUDIT_LOGS", "AutoEnable": "NEW"}]'
Choose your preferred access method to enable or disable EKS Audit Log Monitoring for selective member accounts in your organization.
- Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  2. In the navigation pane, choose Accounts.
  3. On the Accounts page, review the EKS Audit Log Monitoring column for the status of your member account.
  4. To enable or disable EKS Audit Log Monitoring, select an account that you want to configure for EKS Audit Log Monitoring. You can select multiple accounts at a time. Under the Edit Protection Plans dropdown, choose EKS Audit Log Monitoring, and then choose the appropriate option.
- API/CLI
  To selectively enable or disable EKS Audit Log Monitoring for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

  The following example shows how you can enable EKS Audit Log Monitoring for a single member account. To disable it, replace ENABLED with DISABLED. You can also pass a list of account IDs separated by a space.

  To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console.

  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]'