Skip to main content
Source

This page is generated from skills/eks-security/references/audit-logging.md. Edit the source, not this page.

Layer 6 — Audit Logging & Forensics

Proving what happened is the backbone of every compliance audit. Three sources compound: Kubernetes-level (control-plane logs), AWS-API-level (CloudTrail), and network-level (VPC Flow Logs).

EKS control-plane logging — 5 log types (all to CloudWatch Logs)

Log typePurposeRecommended?
auditWho did what, when (Kubernetes-level)REQUIRED for compliance
authenticatorIAM / OIDC authentication eventsREQUIRED for compliance
controllerManagerController reconciliation loopRecommended for forensics
schedulerPod placement decisionsOptional (high volume)
apiKubernetes API serverRecommended for high-sensitivity workloads

For compliance regimes, always enable audit and authenticator at minimum. Reference: Send control plane logs to CloudWatch.

Gotcha: EKS audit-log filtering is not supported — it's all-or-nothing per log type. Large clusters can generate substantial audit-log volume → meaningful CloudWatch Logs cost. Budget for it and set a retention policy that meets the regime (below) without over-retaining.

CloudTrail — EKS API audit trail

Records all EKS API calls (CreateCluster, UpdateClusterConfig, AssociateAccessPolicy, …). Required for the audit trail of cluster-level configuration changes — and the reason Access Entries (which write through the EKS API) are auditable while aws-auth ConfigMap edits were not.

VPC Flow Logs — pod-level network forensics

Especially valuable combined with Security Groups for Pods (Layer 3), giving network-flow evidence at pod granularity for incident investigation and segmentation proof.

SIEM forwarding pattern

CloudWatch Logs subscription → Kinesis Data Streams → Firehose → SIEM destination (Splunk, Elastic, Datadog, Microsoft Sentinel). For federal workloads, Datadog has a FedRAMP High-certified solution.

Retention requirements by regime (set this deliberately)

RegimeMinimum audit-log retention
Commercial (no regime)per policy (often 30-90 days)
PCI-DSS1 year minimum (3 months immediately available)
HIPAA / SOX6 years
FedRAMPper System Security Plan; continuous-monitoring cadence

Apply the retention to the CloudWatch Logs groups holding audit/authenticator (and to CloudTrail/S3) — and encrypt those groups with a customer-managed KMS key for high-sensitivity workloads.

Shared responsibility (Layer 6)

AWS managesCustomer manages
Control-plane log generation; CloudTrail capture of EKS API calls; durability of CloudWatch Logs/S3Enabling the right log types; retention + encryption (CMK); SIEM pipeline; log review / alerting; forensic runbooks

Sources