GuardDuty EKS Audit Log Monitoring Enabled
Overview
This check verifies that Amazon GuardDuty has EKS Audit Log Monitoring enabled. When active, GuardDuty analyzes Kubernetes audit logs from your Amazon EKS clusters to detect suspicious activity such as unauthorized access attempts, privilege escalation, or malicious deployments.
Risk
Without EKS Audit Log Monitoring enabled, you lose visibility into potentially malicious activity within your Kubernetes clusters. Attackers could:
- Access secrets and exfiltrate sensitive data without detection
- Modify RBAC permissions to escalate privileges
- Deploy rogue workloads for cryptomining or persistence
- Use harvested credentials to move laterally within your AWS environment
Severity: High
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify GuardDuty settings
- GuardDuty must already be enabled in your account (EKS Audit Log Monitoring is a feature configured on an existing GuardDuty detector)
- For AWS Organizations: you must be in the delegated GuardDuty administrator account
AWS Console Method
- Sign in to the AWS Console and navigate to GuardDuty
- Make sure you are in the us-east-1 region (or your target region)
- In the left navigation, click EKS Protection (under "Protection plans")
- Click the Enable button for EKS Audit Log Monitoring
- Confirm when prompted
For organizations with multiple accounts, enable this from the delegated administrator account to apply the setting across member accounts.
AWS CLI (optional)
First, get your GuardDuty detector ID:
aws guardduty list-detectors --region us-east-1
Then enable EKS Audit Log Monitoring:
aws guardduty update-detector \
  --detector-id <your-detector-id> \
  --features '[{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]' \
  --region us-east-1
Replace <your-detector-id> with the detector ID from the first command.
CloudFormation (optional)
If you are creating a new GuardDuty detector with EKS Audit Log Monitoring enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty EKS Audit Log Monitoring
Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      Features:
        - Name: EKS_AUDIT_LOGS
          Status: ENABLED
Note: CloudFormation creates new resources. If you already have a GuardDuty detector, use the AWS CLI or Console method to update it, or import the existing detector into your stack.
Terraform (optional)
To enable EKS Audit Log Monitoring on an existing GuardDuty detector:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Reference existing GuardDuty detector
data "aws_guardduty_detector" "existing" {}

# Enable EKS Audit Log Monitoring
resource "aws_guardduty_detector_feature" "eks_audit_logs" {
  detector_id = data.aws_guardduty_detector.existing.id
  name        = "EKS_AUDIT_LOGS"
  status      = "ENABLED"
}
If creating a new detector with the feature enabled:
resource "aws_guardduty_detector" "main" {
  enable = true

  # The datasources block is the older configuration style; current provider
  # versions prefer a separate aws_guardduty_detector_feature resource as above.
  datasources {
    kubernetes {
      audit_logs {
        enable = true
      }
    }
  }
}
Verification
After enabling, verify the setting is active:
- In the GuardDuty console, navigate to EKS Protection
- Confirm that EKS Audit Log Monitoring shows as Enabled
CLI verification
aws guardduty get-detector \
  --detector-id <your-detector-id> \
  --region us-east-1 \
  --query 'Features[?Name==`EKS_AUDIT_LOGS`]'
The output should show "Status": "ENABLED".
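The CLI check above covers a single detector in a single region, but the feature is regional and a region with no detector at all is also non-compliant. The following script is an added example (not part of this check's documentation or of any AWS tooling) that encodes the same verification as a pass/fail evaluation and runs it across a list of regions. It assumes only the response shapes of the `list-detectors` and `get-detector` API calls; the detector IDs and region data below are constructed sample values, and `live_results` is a hypothetical helper that drives the same logic with boto3 against a real account.

```python
"""Evaluate whether GuardDuty EKS Audit Log Monitoring is enabled per region.

Added example, not code from the original page. Assumes only the shapes of
the GuardDuty list-detectors and get-detector API responses.
"""
from __future__ import annotations

FEATURE_NAME = "EKS_AUDIT_LOGS"


def eks_audit_log_status(detector: dict) -> str:
    """Return ENABLED/DISABLED for the feature from a get-detector response.

    Newer responses carry a `Features` list; older ones only carry the
    deprecated `DataSources.Kubernetes.AuditLogs.Status` field. Either is
    accepted; if neither is present the feature is treated as DISABLED.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE_NAME:
            return feature.get("Status", "DISABLED")
    legacy = detector.get("DataSources", {}).get("Kubernetes", {}).get("AuditLogs", {})
    return legacy.get("Status", "DISABLED")


def evaluate_region(region: str, detector_ids: list[str], detectors: dict[str, dict]) -> dict:
    """Produce a PASS/FAIL result for one region.

    detector_ids: the list-detectors result for that region.
    detectors:    detector id -> get-detector response.
    """
    if not detector_ids:
        # No detector means GuardDuty itself is off here, so nothing is monitored.
        return {"region": region, "status": "FAIL",
                "detail": "GuardDuty is not enabled in this region"}
    detector_id = detector_ids[0]  # GuardDuty allows one detector per region
    status = eks_audit_log_status(detectors[detector_id])
    verdict = "PASS" if status == "ENABLED" else "FAIL"
    return {"region": region, "status": verdict,
            "detail": f"detector {detector_id}: {FEATURE_NAME} is {status}"}


def evaluate_all(regions, list_detectors, get_detector) -> list[dict]:
    """Run evaluate_region over every region.

    list_detectors(region) and get_detector(region, detector_id) are callables,
    so the same logic can be driven by boto3 or by canned sample data.
    """
    results = []
    for region in regions:
        ids = list_detectors(region)
        detectors = {d: get_detector(region, d) for d in ids}
        results.append(evaluate_region(region, ids, detectors))
    return results


# Constructed sample data standing in for three regions (IDs are made up).
SAMPLE_DETECTORS = {
    "us-east-1": {"12abc34d567e8fa901bc2d34e56789f0": {
        "Status": "ENABLED",
        "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}],
    }},
    "eu-west-1": {"98ab76cd54ef3210fe9d8c7b6a543210": {
        "Status": "ENABLED",
        "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}],
    }},
    "ap-southeast-2": {},  # no detector at all
}


def sample_results() -> list[dict]:
    """Evaluate the constructed sample data (runs offline)."""
    return evaluate_all(
        list(SAMPLE_DETECTORS.keys()),
        lambda region: list(SAMPLE_DETECTORS[region].keys()),
        lambda region, det_id: SAMPLE_DETECTORS[region][det_id],
    )


def live_results(regions: list[str]) -> list[dict]:
    """Hypothetical helper: same evaluation against a real account via boto3."""
    import boto3  # imported here so the module loads without boto3 installed

    def list_detectors(region):
        return boto3.client("guardduty", region_name=region).list_detectors()["DetectorIds"]

    def get_detector(region, det_id):
        return boto3.client("guardduty", region_name=region).get_detector(DetectorId=det_id)

    return evaluate_all(regions, list_detectors, get_detector)


if __name__ == "__main__":
    for r in sample_results():
        print(f"{r['status']:4} {r['region']:15} {r['detail']}")
```

Run as-is it prints one line per sample region (PASS for us-east-1, FAIL for the other two); pointing `live_results` at the regions you actually operate EKS clusters in gives the same report for a real account, which is a convenient way to confirm the "enable in every region" note below has been acted on.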
Additional Resources
- EKS Protection - Enable Standalone Account
- Kubernetes Protection in GuardDuty
- GuardDuty Controls (Security Hub)
Notes
- No per-cluster charge: GuardDuty EKS Audit Log Monitoring is billed under GuardDuty pricing based on the volume of audit logs analyzed, not per EKS cluster.
- Regional service: You must enable this feature in each AWS region where you have EKS clusters.
- Defense in depth: Consider combining this with EKS Runtime Monitoring, Pod Security Standards, and network policies for comprehensive cluster security.
- Finding management: Route GuardDuty findings to your alerting and incident response workflows (e.g., via EventBridge to SNS, Slack, or your SIEM).