Views:

Amazon EKS audit logs are available through CloudWatch Logs. Use the k8saudit-eks Falco plugin.

Before you begin

  • Falco built with k8saudit-eks and json plugins.
  • EKS cluster with control plane logging enabled.

Procedure

  1. Enable control plane logging in the AWS Console.
    1. Navigate to your EKS cluster.
    2. Go to ObservabilityControl plane logging.
    3. Enable Audit logging.
  2. Configure IAM permissions in the AWS Console.
    1. Navigate to ComputeNode groups, and the click node group name.
    2. Click Node IAM role ARN to open IAM.
    3. Add the following inline policy:
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAccessToCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:Get*",
        "logs:List*"
      ],
      "Resource": [
        "arn:aws:logs:${region}:${account-id}:log-group:/aws/eks/${cluster-name}/cluster:*"
      ]
    }
  ]
}
    Replace ${region}, ${account-id}, and ${cluster-name} with your values.
  3. Update the overrides.yaml to enable audit log collection.
    visionOne:
    bootstrapToken: ...
    endpoint: ...
    exclusion:
        namespaces: [kube-system]
    ...
auditLogCollection:
    enabled: true
    provider: eks
    eks:
        region: "${your cluster's region}"
        clusterName: "${your cluster's name in aws console}"
Troubleshooting: NoCredentialProviders Error
If you see Error: NoCredentialProviders: no valid providers in chain:
Cause: Container cannot reach IMDS because of a hop limit.
Solution:
# Get instance ID
INSTANCE_ID=$(aws ec2 describe-instances --region <region> \
  --filters "Name=private-dns-name,Values=<node-name>" \
  --query "Reservations[0].Instances[0].InstanceId" --output text)

# Increase hop limit
aws ec2 modify-instance-metadata-options --region <region> \
  --instance-id $INSTANCE_ID \
  --http-put-response-hop-limit 2

# Restart pod
kubectl delete pod -n trendmicro-system <pod-name>