Alibaba Cloud Log Service supports collection, search, storage, and analysis for container and audit logs in Kubernetes Engine clusters. When enabled, it automatically collects kube-apiserver audit logs, ingress logs, and stdout/stderr from containers. These logs are stored persistently and are essential for operational visibility, security monitoring, and compliance auditing.
Risk
Without Log Service, there is no centralized collection of container logs or cluster events, impairing incident investigation, compliance auditing, and security monitoring. Attackers could operate undetected with no audit trail of API server calls or pod events, impacting cluster confidentiality and integrity.
prowler alibabacloud --checks cs_kubernetes_log_service_enabled
Recommendation
Enable Log Service during cluster creation by setting Enable Log Service to Enabled. For existing clusters, verify that AuditProjectName is configured in the cluster metadata.
Remediation
aliyun cs GET /clusters/<cluster_id> --header 'Content-Type=application/json' | jq -r '.meta_data | fromjson | .AuditProjectName'
- Log on to the ACK Console.
- Select the target cluster and click its name to open the cluster detail page.
- Select Cluster Auditing on the left column and check if the audit page is shown.
- To enable: when creating a new cluster, set Enable Log Service to Enabled.
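The verification command above relies on the fact that ACK returns the cluster's meta_data as a JSON-encoded string, which is why it has to pass through fromjson before AuditProjectName can be read. The following is an added example, not Prowler's or Alibaba Cloud's own code, that applies the same PASS/FAIL logic to cluster records offline; the cluster records and the field names other than meta_data and AuditProjectName are constructed sample data, and the handling of empty or malformed meta_data is an assumption about what a careful check should treat as a failure.

```python
"""Evaluate ACK cluster records for Log Service (audit project) configuration.

Added example: mirrors the check's logic on constructed input, it is not
the project's own implementation.
"""
import json
from typing import Optional


def audit_project_name(cluster: dict) -> Optional[str]:
    """Return AuditProjectName from the cluster's meta_data, or None.

    ACK serialises meta_data as a JSON string inside the cluster JSON
    (hence `fromjson` in the jq pipeline), so it is decoded before lookup.
    A missing, undecodable, non-object or blank value all count as "not set".
    """
    raw = cluster.get("meta_data")
    if not raw:
        return None
    try:
        meta = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return None
    if not isinstance(meta, dict):
        return None
    name = meta.get("AuditProjectName")
    if isinstance(name, str) and name.strip():
        return name
    return None


def check_log_service(cluster: dict) -> dict:
    """Produce a finding: PASS when an audit project is configured, else FAIL."""
    name = audit_project_name(cluster)
    return {
        "cluster_id": cluster.get("cluster_id"),
        "status": "PASS" if name else "FAIL",
        "audit_project": name,
    }


# Constructed sample records shaped like the `aliyun cs GET /clusters/<id>`
# response; the ids and project name are placeholders, not real resources.
SAMPLE_CLUSTERS = [
    {"cluster_id": "c-sample-pass",
     "meta_data": json.dumps({"AuditProjectName": "k8s-log-c-sample-pass"})},
    {"cluster_id": "c-sample-no-project", "meta_data": json.dumps({})},
    {"cluster_id": "c-sample-blank",
     "meta_data": json.dumps({"AuditProjectName": "   "})},
    {"cluster_id": "c-sample-no-meta"},
]


def run(clusters=SAMPLE_CLUSTERS) -> list:
    """Evaluate every cluster record and return the list of findings."""
    return [check_log_service(c) for c in clusters]


if __name__ == "__main__":
    for finding in run():
        print(f"{finding['status']:4} {finding['cluster_id']:22} "
              f"AuditProjectName={finding['audit_project']}")
```

Feed the script the `.meta_data`-bearing objects returned by the CLI (one per cluster) to get the same result the Prowler check reports, with a FAIL for any cluster whose audit project is absent, blank or unparseable rather than only for a literal null.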
Source Code
Resource Type
ALIYUN::CS::ManagedKubernetesCluster