Data Source

Amazon Elastic Kubernetes Service (EKS) audit logs containing API server requests, authentication decisions, and cluster activities in JSON format.

Ingestion Mechanism

Codeless Connector Framework (CCF) connector using AWS SQS notifications triggered by S3 object creation events. When EKS audit logs are exported to S3, each new object generates an SQS notification that triggers real-time ingestion into the AWSEKSLogs_CL custom table.

Architecture Components:

  • CloudFormation templates for AWS resource deployment
  • OIDC web identity provider for cross-account authentication
  • SQS queue for log file notifications
  • Data collection rule (DCR) with custom stream transformation

Detection Surface Unlocked

Kubernetes API Activity Monitoring:

  • API server request patterns and response codes
  • Authentication and authorisation decisions
  • Resource access attempts and modifications
  • Administrative user activity tracking

Key Security Visibility:

  • User field captures the identity performing API operations
  • AuthDecision tracks authentication success/failure
  • Verb and ObjectRef detail the specific Kubernetes operation and target resource
  • SourceIPs provides network attribution
  • ResponseCode indicates operation success/failure

Attack Surface Coverage:

  • Privilege escalation attempts via unauthorised API calls
  • Pod creation/modification for container breakout
  • Service account token abuse
  • Kubectl/API client reconnaissance activity
  • Cluster configuration tampering

This connector fills a critical gap in container security monitoring by providing standardised access to EKS control plane audit events that are essential for detecting Kubernetes-targeted attacks.
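The following is an added illustration, not part of this connector's files or the solution's own code: it parses constructed Kubernetes audit events in the JSON-lines form EKS exports to S3 (audit.k8s.io/v1), maps them onto the field names listed above (User, AuthDecision, Verb, ObjectRef, SourceIPs, ResponseCode), and runs simple detections for four of the attack-surface items: unauthorised API calls, pod creation, service-account token requests, and enumeration. The field mapping is an assumption for illustration (the real transform lives in AWSEKS_DCR.json), the thresholds and rule names are made up, and all records are constructed sample data.

```python
import json
from collections import Counter, defaultdict


def _event(user, verb, resource, decision, code, ip="203.0.113.10",
           namespace="default", name=None, subresource=None, ua="kubectl/v1.29.0"):
    """Build one constructed audit.k8s.io/v1 event as a JSON line (sample data only)."""
    obj = {"resource": resource, "apiVersion": "v1"}
    if namespace:
        obj["namespace"] = namespace
    if name:
        obj["name"] = name
    if subresource:
        obj["subresource"] = subresource
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user, "groups": ["system:authenticated"]},
        "sourceIPs": [ip], "userAgent": ua, "objectRef": obj,
        "responseStatus": {"code": code},
        "annotations": {"authorization.k8s.io/decision": decision},
    })


# Constructed sample log: one S3 object's worth of audit lines (not real cluster data).
SAMPLE_AUDIT_LINES = [
    _event("dev-user", "list", "secrets", "forbid", 403),
    _event("dev-user", "list", "clusterrolebindings", "forbid", 403, namespace=None),
    _event("dev-user", "create", "pods", "forbid", 403),
    _event("dev-user", "list", "pods", "allow", 200),
    _event("dev-user", "list", "nodes", "allow", 200, namespace=None),
    _event("dev-user", "list", "namespaces", "allow", 200, namespace=None),
    _event("system:serviceaccount:kube-system:coredns", "list", "endpoints", "allow", 200,
           ip="10.0.1.5", namespace=None, ua="coredns/1.11"),
    _event("ci-bot", "create", "pods", "allow", 201, name="runner-7", ip="198.51.100.7"),
    _event("ci-bot", "create", "serviceaccounts", "allow", 201, name="deployer",
           subresource="token", ip="198.51.100.7"),
    '{"kind": "Event", "truncated',  # constructed malformed line; the parser skips it
]


def to_connector_record(event):
    """Map one audit event onto the connector's field names (assumed mapping)."""
    obj = event.get("objectRef") or {}
    return {
        "User": (event.get("user") or {}).get("username", ""),
        "AuthDecision": (event.get("annotations") or {}).get("authorization.k8s.io/decision", ""),
        "Verb": event.get("verb", ""),
        "ObjectRef": {k: obj[k] for k in ("namespace", "resource", "subresource", "name") if obj.get(k)},
        "SourceIPs": list(event.get("sourceIPs") or []),
        "ResponseCode": (event.get("responseStatus") or {}).get("code"),
        "UserAgent": event.get("userAgent", ""),
    }


def parse_audit_lines(lines):
    """Parse JSON lines into connector records, skipping blank or truncated lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(to_connector_record(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return records


def detect(records, forbid_threshold=3, recon_threshold=4):
    """Run four illustrative rules over the mapped records; thresholds are made up."""
    findings, forbids, listed = [], Counter(), defaultdict(set)
    for r in records:
        user, ref, code = r["User"], r["ObjectRef"], r["ResponseCode"]
        succeeded = isinstance(code, int) and 200 <= code < 300
        # Unauthorised API calls: count forbid decisions (or 403s) per identity.
        if r["AuthDecision"] == "forbid" or code == 403:
            forbids[user] += 1
        # Enumeration: track distinct resource types read by non-system identities.
        if r["Verb"] in ("list", "get", "watch") and not user.startswith("system:"):
            listed[user].add(ref.get("resource"))
        # Pod creation/modification that actually succeeded.
        if succeeded and r["Verb"] in ("create", "update", "patch") and ref.get("resource") == "pods":
            findings.append({"rule": "pod-write", "user": user, "detail": ref, "ips": r["SourceIPs"]})
        # TokenRequest against a service account (the serviceaccounts/token subresource).
        if succeeded and r["Verb"] == "create" and ref.get("resource") == "serviceaccounts" \
                and ref.get("subresource") == "token":
            findings.append({"rule": "sa-token-request", "user": user, "detail": ref, "ips": r["SourceIPs"]})
    for user, n in forbids.items():
        if n >= forbid_threshold:
            findings.append({"rule": "forbidden-burst", "user": user, "detail": n})
    for user, resources in listed.items():
        if len(resources) >= recon_threshold:
            findings.append({"rule": "recon-enumeration", "user": user, "detail": sorted(resources)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(finding)
```

Note that dev-user's forbidden pod creation raises the forbidden-burst count but not a pod-write finding, since only successful writes are flagged there; the forbidden attempts surface through the AuthDecision and ResponseCode fields instead, which is why both fields matter for the same event.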

Affected Files

Solutions/AWS EKS/Data Connectors/AWSEKS_ConnectorDefinition.json
Solutions/AWS EKS/Data Connectors/AWSEKS_DCR.json
Solutions/AWS EKS/Data Connectors/AWSEKS_PollingConfig.json
Solutions/AWS EKS/Data Connectors/AWSEKS_Table.json
Solutions/AWS EKS/Data Connectors/CloudFormationTemplates/AWS_EKS_Resources_Deployment.json
Solutions/AWS EKS/Data Connectors/CloudFormationTemplates/OIDC_Web_Identity_Provider.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AWSEKS.json, createUiDefinition.json, mainTemplate.json)