This check verifies that every Amazon GuardDuty detector has EKS Audit Log Monitoring (the EKS_AUDIT_LOGS feature) enabled, so that GuardDuty analyzes the Kubernetes audit activity of the Amazon EKS clusters in that account and Region. GuardDuty reads the audit stream directly from the EKS control plane, so enabling it does not require shipping audit logs to CloudWatch Logs first.
Risk
Without it, abuse of the Kubernetes API goes undetected, with consequences for confidentiality, integrity and availability:
- Reads of Kubernetes Secrets and data exfiltration
- RBAC changes (for example new role bindings to over-privileged service accounts) enabling privilege escalation
- Rogue workloads deployed for persistence or cryptomining
An attacker who has compromised a cluster can also move laterally into the AWS account using credentials harvested from it, such as the IAM role attached to the worker nodes or to a pod's service account.
Run this check with Prowler CLI
prowler aws --checks guardduty_eks_audit_log_enabled
Recommendation
Enable EKS Audit Log Monitoring on every detector in every Region you use. GuardDuty is Regional: each Region has its own detector and its own feature settings, so a Region you forget stays blind. In an AWS Organizations setup, manage the feature centrally from the delegated GuardDuty administrator account and auto-enable it for new member accounts.
- Route findings into your alerting and incident-response workflows (for example through Amazon EventBridge)
- Enforce least privilege on access to findings and to detector configuration
- Treat it as one layer of defense in depth, alongside hardened RBAC and runtime monitoring inside the cluster
Remediation
CLI
Run this once per Region, replacing <detector-id> with the ID of that Region's detector:
aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'
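The following added example (written for this page; it is not Prowler's check code or anything published by AWS) shows the evaluation and the remediation side by side: it parses the JSON shape returned by `aws guardduty get-detector`, passes a detector only when the detector itself is ENABLED and its EKS_AUDIT_LOGS feature is ENABLED, and builds the CLI command that fixes each failing detector. The detector responses, detector IDs and account IDs below are constructed; treating a disabled detector and a missing Features list as failures is this example's own choice.

```python
"""Added example: evaluate GuardDuty detectors for EKS Audit Log Monitoring
and emit the remediation command for each failing one.

Input is the JSON returned by `aws guardduty get-detector`. All sample
responses, detector IDs and account IDs here are constructed."""
import json
import shlex

# Constructed get-detector responses keyed by (region, detector_id).
SAMPLE_DETECTORS = {
    ("us-east-1", "12abc34d567e8fa901bc2d34e56789f0"): json.dumps({
        "Status": "ENABLED",
        "Features": [
            {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        ],
    }),
    ("eu-west-1", "98zyx76w543v2ut109sr8q76p54321o0"): json.dumps({
        "Status": "ENABLED",
        "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}],
    }),
    # Older detector whose response carries no Features list at all.
    ("ap-southeast-2", "aaaa1111bbbb2222cccc3333dddd4444"): json.dumps({
        "Status": "ENABLED",
    }),
    # Detector that is itself disabled: the feature flag alone analyzes nothing.
    ("us-west-2", "ffff9999eeee8888dddd7777cccc6666"): json.dumps({
        "Status": "DISABLED",
        "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}],
    }),
}


def eks_audit_logs_enabled(get_detector_response: str) -> bool:
    """True only if the detector is ENABLED and EKS_AUDIT_LOGS is ENABLED.

    A missing Features list or a disabled detector counts as not enabled
    (this example's own assumption about how to treat those cases)."""
    detector = json.loads(get_detector_response)
    if detector.get("Status") != "ENABLED":
        return False
    for feature in detector.get("Features", []):
        if feature.get("Name") == "EKS_AUDIT_LOGS":
            return feature.get("Status") == "ENABLED"
    return False


def evaluate_detectors(detectors: dict) -> list:
    """Return one (region, detector_id, status, message) tuple per detector."""
    findings = []
    for (region, detector_id), response in detectors.items():
        if eks_audit_logs_enabled(response):
            status, verb = "PASS", "has"
        else:
            status, verb = "FAIL", "does not have"
        message = (f"GuardDuty detector {detector_id} in {region} "
                   f"{verb} EKS Audit Log Monitoring enabled.")
        findings.append((region, detector_id, status, message))
    return findings


def remediation_command(region: str, detector_id: str,
                        member_account_ids: list = None) -> str:
    """Build the AWS CLI command that enables EKS_AUDIT_LOGS for a detector.

    Without member_account_ids this is the update-detector call from the
    page. With member_account_ids it is the update-member-detectors call a
    delegated GuardDuty administrator runs, where detector_id is the
    administrator's own detector in that Region."""
    features = json.dumps([{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}],
                          separators=(",", ":"))
    if member_account_ids:
        return ("aws guardduty update-member-detectors"
                f" --region {region} --detector-id {detector_id}"
                f" --account-ids {' '.join(member_account_ids)}"
                f" --features {shlex.quote(features)}")
    return ("aws guardduty update-detector"
            f" --region {region} --detector-id {detector_id}"
            f" --features {shlex.quote(features)}")


if __name__ == "__main__":
    for region, detector_id, status, message in evaluate_detectors(SAMPLE_DETECTORS):
        print(f"[{status}] {message}")
        if status == "FAIL":
            print("       " + remediation_command(region, detector_id))
```

In a real run you would replace SAMPLE_DETECTORS with the output of `aws guardduty list-detectors` followed by `aws guardduty get-detector` in each Region; the check logic and the generated commands stay the same.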
AWS Console
- Open the AWS Console and go to Amazon GuardDuty
- Select the Region where you want to enable it (GuardDuty settings are per Region, so repeat for every Region in use)
- In the left menu, click EKS Protection
- Click Enable and confirm
- If using AWS Organizations, perform these steps in the delegated GuardDuty administrator account so that the setting is applied to member accounts centrally
Resource Type
AwsGuardDutyDetector