GuardDuty EKS Protection - Amazon GuardDuty

GuardDuty EKS Protection

EKS Protection helps you detect potential security risks in Amazon Elastic Kubernetes Service (Amazon EKS) clusters in your Amazon environment. For example, it helps you detect when a misconfigured EKS cluster is being accessed by an unauthenticated actor that attempts to collect secrets or Amazon credentials from your cluster. EKS Protection uses EKS audit logs to analyze activities of users and applications.

When you enable EKS Protection, GuardDuty automatically starts monitoring your Amazon EKS clusters for potential security threats. GuardDuty uses its own independent stream to collect and analyze EKS audit logs in EKS Protection – no additional configuration is required.

When GuardDuty detects a potential threat based on EKS audit log monitoring, it generates a security finding. For information about the finding types that GuardDuty may generate when you enable EKS Protection, see EKS Protection finding types.

Note

(Optional) To view EKS audit logs in your account, you can configure Amazon EKS control plane logging to send audit logs to CloudWatch Logs. This configuration is separate from EKS Protection, and GuardDuty does not require it for security monitoring.

30-day free trial
  • When you enable GuardDuty in an Amazon Web Services account in an Amazon Web Services Region for the first time, you get a 30-day free trial. In this case, GuardDuty will also enable EKS Protection, which is included in the 30-day free trial.

  • When you are already using GuardDuty and decide to enable EKS Protection for the first time, your account in this Region will get a 30-day free trial for EKS Protection.

  • You can choose to disable EKS Protection in any Region at any time.

  • During the 30-day free trial, you can get an estimate of your usage costs in that account and Region. After the 30-day free trial ends, GuardDuty doesn't automatically disable EKS Protection. Your account in this Region will start incurring usage cost. For more information, see Estimating usage cost.

When you disable EKS Protection, GuardDuty immediately stops monitoring and analyzing the EKS audit logs for your Amazon EKS resources.

EKS Protection may not be available in all the Amazon Web Services Regions where GuardDuty is available. For more information, see Region-specific feature availability.

Note

EKS Runtime Monitoring is managed as a part of Runtime Monitoring. For more information, see GuardDuty Runtime Monitoring.

EKS audit logs in EKS Protection

EKS audit logs capture sequential actions within your Amazon EKS cluster, including activities from users, applications using the Kubernetes API, and the control plane. Audit logging is a component of all Kubernetes clusters.

For more information, see Auditing in the Kubernetes documentation.

Amazon EKS allows EKS audit logs to be ingested as Amazon CloudWatch Logs through the EKS control plane logging feature. GuardDuty doesn't manage your Amazon EKS control plane logging or make EKS audit logs accessible in your account if you have not enabled them for Amazon EKS. To manage access to and retention of your EKS audit logs, you must configure the Amazon EKS control plane logging feature. For more information, see Enabling and disabling control plane logs in the Amazon EKS User Guide.
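
If you send EKS audit logs to CloudWatch Logs, you can review the raw records yourself. The following is an added example, not part of the original page and not GuardDuty's detection logic: it scans Kubernetes `audit.k8s.io/v1` events for requests to `secrets` made by an unauthenticated identity, the scenario described at the top of this page. The sample events, the function names, and the one-JSON-object-per-line input format are assumptions made for illustration.

```python
import json

# Constructed sample records in the Kubernetes audit.k8s.io/v1 Event format,
# one JSON object per line (assumed export format). IPs are documentation ranges.
SAMPLE_AUDIT_LINES = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",'
    '"verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"secrets","namespace":"default"},'
    '"responseStatus":{"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",'
    '"verb":"get","user":{"username":"kubernetes-admin","groups":["system:authenticated"]},'
    '"sourceIPs":["203.0.113.10"],"objectRef":{"resource":"secrets","namespace":"prod"},'
    '"responseStatus":{"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete",'
    '"verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},'
    '"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"secrets","namespace":"kube-system"},'
    '"responseStatus":{"code":403}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"Respon',  # truncated record
]

def is_unauthenticated(user):
    """True when the API server treated the caller as anonymous."""
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))

def find_anonymous_secret_access(lines, resources=("secrets",)):
    """Return one summary dict per anonymous request that targeted `resources`."""
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(event, dict) or event.get("kind") != "Event":
            continue
        if event.get("stage") != "ResponseComplete":
            continue  # count each request once, at the stage that carries the status
        ref = event.get("objectRef") or {}
        if ref.get("resource") not in resources:
            continue
        if not is_unauthenticated(event.get("user") or {}):
            continue
        code = (event.get("responseStatus") or {}).get("code", 0)
        findings.append({"line": number, "verb": event.get("verb"),
                         "namespace": ref.get("namespace"),
                         "source_ips": event.get("sourceIPs", []),
                         "allowed": 200 <= code < 300})  # False = denied probe
    return findings
```

A result with `allowed` set to true means the cluster served the request, which points to an RBAC binding that grants access to `system:anonymous` or `system:unauthenticated`; a denied request is still worth tracking as probing activity.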