Amazon EKS clusters are evaluated for control plane logging coverage of required types: api, audit, authenticator, controllerManager, scheduler.
The finding identifies clusters where any of these log types are not configured.
Risk
Gaps in control plane logging reduce visibility across the cluster.
- Confidentiality: undetected API access, RBAC abuse, token misuse
- Integrity: untraceable config changes and policy edits
- Availability: scheduler/controller issues lack evidence, delaying recovery and masking attacker persistence
prowler aws --checks eks_control_plane_logging_all_types_enabled
Recommendation
Enable and standardize EKS control plane logging for all required types ["api","audit","authenticator","controllerManager","scheduler"].
Apply least privilege to log access, set retention and alerts, and centralize analysis to support defense in depth, rapid detection, and reliable forensics.
Remediation
aws eks update-cluster-config --name <cluster_name> --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
- In the AWS console, go to Amazon EKS and open your cluster
- Open the Observability (or Logging) tab and click Manage logging
- Turn on: api, audit, authenticator, controllerManager, scheduler
- Click Save changes
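The evaluation the check performs, as an added example that is not Prowler's own code: it reads the `cluster` object returned by `aws eks describe-cluster` (or boto3 `describe_cluster()['cluster']`), reports which of the five required log types are missing, and builds the same `update-cluster-config` command shown above. A constructed sample cluster is embedded so it runs offline; `check_live_cluster` is the optional live path and assumes boto3 plus valid AWS credentials.

```python
import json
from typing import Dict, List

# The five control plane log types the check requires.
REQUIRED_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

def enabled_log_types(cluster: Dict) -> List[str]:
    """Required log types enabled on the cluster.
    EKS reports logging as a list of {types, enabled} groups; a type counts as
    enabled only if it appears in a group whose enabled flag is True."""
    enabled = set()
    for group in cluster.get("logging", {}).get("clusterLogging", []):
        if group.get("enabled"):
            enabled.update(group.get("types", []))
    return [t for t in REQUIRED_LOG_TYPES if t in enabled]

def missing_log_types(cluster: Dict) -> List[str]:
    """Required log types not enabled; an empty list means the check passes."""
    enabled = set(enabled_log_types(cluster))
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]

def remediation_command(cluster_name: str) -> str:
    """Build the `aws eks update-cluster-config` command that enables all types."""
    cfg = {"clusterLogging": [{"types": REQUIRED_LOG_TYPES, "enabled": True}]}
    return (f"aws eks update-cluster-config --name {cluster_name} "
            f"--logging '{json.dumps(cfg, separators=(',', ':'))}'")

def check_live_cluster(name: str, region: str) -> List[str]:
    """Same check against a real cluster (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline path needs no AWS SDK
    eks = boto3.client("eks", region_name=region)
    return missing_log_types(eks.describe_cluster(name=name)["cluster"])

# Constructed sample (not real data): api and audit on, the other three
# explicitly off, which is how the API represents partial coverage.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]},
}

if __name__ == "__main__":
    missing = missing_log_types(SAMPLE_CLUSTER)
    print(f"{SAMPLE_CLUSTER['name']}: {'PASS' if not missing else 'FAIL, missing ' + ', '.join(missing)}")
    if missing:
        print(remediation_command(SAMPLE_CLUSTER["name"]))
```

A cluster with no `logging` key at all is reported as missing every type, which matches how a never-configured cluster appears in the API.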
Source Code
Resource Type
AwsEksCluster
References
- https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html
- https://support.icompaas.com/support/solutions/articles/62000233623-ensure-eks-control-plane-logging-is-enabled-for-all-required-log-types
- https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
- https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/kubernetes-eks-logging.html