
feat(aws): make check eks_control_plane_logging_all_types_enabled configurable #4553

Conversation

kagahd
Contributor

@kagahd kagahd commented Jul 26, 2024

Context

The prowler check eks_control_plane_logging_all_types_enabled verifies that all possible AWS EKS control plane logging types are enabled and fails if not.

Description

The AWS EKS control plane has five different log types:

  • API server
    • Logs pertaining to API requests to the cluster.
  • Audit
    • Logs pertaining to cluster access via the Kubernetes API.
  • Authenticator
    • Logs pertaining to authentication requests into the cluster.
  • Controller manager
    • Logs pertaining to state of cluster controllers.
  • Scheduler
    • Logs pertaining to scheduling decisions.

While we understand that all five log types can be beneficial to improve IT security, they are of varying importance for IT security. Since logging can be expensive depending on the use case, companies should be able to decide which log types they require for optimum IT security at balanced cost.
Therefore the check eks_control_plane_logging_all_types_enabled should be configurable, which this PR implements.
The default configuration is still that all log types must be enabled to PASS the check, so nothing changes, unless the user decides otherwise by customizing their prowler configuration specifically to their needs.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
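The following is an added illustration of the configurable check logic the PR describes; it is not prowler's own code. It reads the log types switched on for a cluster from a constructed sample shaped like the EKS DescribeCluster `logging` block, compares them against a configurable set of required types, and defaults to requiring all five (the behaviour the PR keeps as default and the one CIS EKS Benchmark control 2.1.1 asks for). The config key name `eks_required_log_types` is an assumption chosen for this example.

```python
"""Added example (not prowler's code): configurable EKS control plane logging check."""

# The five EKS control plane log types listed in the PR description,
# spelled as the EKS API reports them.
ALL_LOG_TYPES = frozenset(
    {"api", "audit", "authenticator", "controllerManager", "scheduler"}
)

# Constructed sample cluster, shaped like the 'logging' block of an EKS
# DescribeCluster response: api/audit/authenticator on, the other two off.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "logging": {
        "clusterLogging": [
            {"types": ["api", "audit", "authenticator"], "enabled": True},
            {"types": ["controllerManager", "scheduler"], "enabled": False},
        ]
    },
}


def enabled_log_types(cluster):
    """Collect the log types that are enabled on a cluster description."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def evaluate(cluster, config=None):
    """Return (status, missing_types) for one cluster.

    'config' mirrors a user-customised prowler configuration; the key
    'eks_required_log_types' is hypothetical. Without it, every one of the
    five log types is required, so the default verdict is unchanged.
    """
    config = config or {}
    required = set(config.get("eks_required_log_types", ALL_LOG_TYPES))

    # A typo in the configuration must not silently weaken the check.
    unknown = required - ALL_LOG_TYPES
    if unknown:
        raise ValueError(f"unknown EKS log type(s) in config: {sorted(unknown)}")

    missing = required - enabled_log_types(cluster)
    status = "PASS" if not missing else "FAIL"
    return status, sorted(missing)


if __name__ == "__main__":
    # Default configuration: all five types required -> FAIL on the sample.
    print(evaluate(SAMPLE_CLUSTER))
    # Customised configuration: only API and audit logs required -> PASS.
    print(evaluate(SAMPLE_CLUSTER, {"eks_required_log_types": ["api", "audit"]}))
```

Rejecting unknown log type names in the configuration is deliberate: a misspelled entry would otherwise shrink the required set and turn a failing cluster into a passing one without anybody noticing.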

@kagahd kagahd requested review from a team as code owners July 26, 2024 09:25
@github-actions github-actions bot added documentation provider/aws Issues/PRs related with the AWS provider labels Jul 26, 2024

codecov bot commented Jul 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.90%. Comparing base (5a8a928) to head (73d1bc8).
Report is 521 commits behind head on master.

@@            Coverage Diff             @@
##           master    #4553      +/-   ##
==========================================
- Coverage   88.91%   88.90%   -0.01%     
==========================================
  Files         907      907              
  Lines       27608    27610       +2     
==========================================
  Hits        24547    24547              
- Misses       3061     3063       +2     


@jfagoagas jfagoagas changed the title fix(aws) make check eks_control_plane_logging_all_types_enabled configurable fix(aws): make check eks_control_plane_logging_all_types_enabled configurable Jul 26, 2024
@sergargar sergargar changed the title fix(aws): make check eks_control_plane_logging_all_types_enabled configurable fix(aws): make check eks_control_plane_logging_all_types_enabled configurable Jul 26, 2024
@sergargar sergargar changed the title fix(aws): make check eks_control_plane_logging_all_types_enabled configurable feat(aws): make check eks_control_plane_logging_all_types_enabled configurable Jul 26, 2024
Member

@sergargar sergargar left a comment


Love this @kagahd! The main reason for that logic was that control 2.1.1 of the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark requires all log types to be enabled.

@sergargar sergargar merged commit 02fc034 into prowler-cloud:master Jul 26, 2024
11 of 12 checks passed
@kagahd kagahd deleted the eks_control_plane_logging_all_types_enabled branch July 26, 2024 15:51