diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md index c891d5442f..eaefab1f67 100644 --- a/docs/tutorials/configuration_file.md +++ b/docs/tutorials/configuration_file.md @@ -43,6 +43,7 @@ The following list includes all the AWS checks with configurable variables that | `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_interface_types` | List of Strings | | `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_instance_owners` | List of Strings | | `acm_certificates_expiration_check` | `days_to_expire_threshold` | Integer | +| `eks_control_plane_logging_all_types_enabled` | `eks_required_log_types` | List of Strings | ## Azure @@ -355,6 +356,18 @@ aws: # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 + # AWS EKS Configuration + # aws.eks_control_plane_logging_all_types_enabled + # EKS control plane logging types that must be enabled + eks_required_log_types: + [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ] + # Azure Configuration azure: # Azure Network Configuration diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml index 90dd925aaa..abedf71af1 100644 --- a/prowler/config/config.yaml +++ b/prowler/config/config.yaml @@ -272,6 +272,18 @@ aws: # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 + # AWS EKS Configuration + # aws.eks_control_plane_logging_all_types_enabled + # EKS control plane logging types that must be enabled + eks_required_log_types: + [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ] + # Azure Configuration azure: # Azure Network Configuration 
diff --git a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json index d35ac30f10..3c5e4036ed 100644 --- a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +++ b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json @@ -1,7 +1,7 @@ { "Provider": "aws", "CheckID": "eks_control_plane_logging_all_types_enabled", - "CheckTitle": "Ensure EKS Control Plane Audit Logging is enabled for all log types", + "CheckTitle": "Ensure EKS Control Plane Logging is enabled for all required log types", "CheckType": [ "Logging and Monitoring" ], @@ -10,8 +10,8 @@ "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id", "Severity": "medium", "ResourceType": "AwsEksCluster", - "Description": "Ensure EKS Control Plane Audit Logging is enabled for all log types", - "Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.", + "Description": "Ensure EKS Control Plane Logging is enabled for all required log types", + "Risk": "If logs are not enabled, monitoring of service use or threat analysis is not possible.", "RelatedUrl": "", "Remediation": { "Code": { @@ -21,7 +21,7 @@ "Terraform": "https://docs.prowler.com/checks/aws/kubernetes-policies-1/bc_aws_kubernetes_4#fix---buildtime" }, "Recommendation": { - "Text": "Make sure you logging for EKS control plane is enabled.", + "Text": "Make sure logging for EKS control plane is enabled for all required log types.", "Url": "https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html" } }, 
diff --git a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py index 78c741f444..ef030cd6db 100644 --- a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py +++ b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py @@ -5,6 +5,9 @@ from prowler.providers.aws.services.eks.eks_client import eks_client class eks_control_plane_logging_all_types_enabled(Check): def execute(self): findings = [] + required_log_types = eks_client.audit_config.get("eks_required_log_types", []) + required_log_types_str = ", ".join(required_log_types) + for cluster in eks_client.clusters: report = Check_Report_AWS(self.metadata()) report.region = cluster.region 
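Review bot: The `[]` default in `required_log_types = eks_client.audit_config.get("eks_required_log_types", [])` fails open: if a user-supplied or older config file lacks the key (or sets it to an empty list), the `all(item in cluster.logging.types for item in required_log_types)` in the next hunk is True over an empty iterable, so any cluster with logging switched on passes without a single log type being verified. Prefer a built-in default equal to the five types the shipped config.yaml documents, e.g. `required_log_types = eks_client.audit_config.get("eks_required_log_types", _DEFAULT_REQUIRED_LOG_TYPES)` with that tuple defined as a module-level constant, or explicitly treat an empty list as a misconfiguration rather than a pass. The value is also used unvalidated; if a YAML author writes a single string instead of a list, iterating it yields characters and the comparison silently degrades, so a cheap `isinstance(required_log_types, list)` guard (falling back to the default) is worth adding. The body of execute continues past the end of this hunk.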
@@ -12,24 +15,13 @@ class eks_control_plane_logging_all_types_enabled(Check): report.resource_arn = cluster.arn report.resource_tags = cluster.tags report.status = "FAIL" - report.status_extended = ( - f"Control plane logging is not enabled for EKS cluster {cluster.name}." - ) + report.status_extended = f"Control plane logging is not enabled for EKS cluster {cluster.name}. Required log types: {required_log_types_str}." if cluster.logging and cluster.logging.enabled: - if all( - item in cluster.logging.types - for item in [ - "api", - "audit", - "authenticator", - "controllerManager", - "scheduler", - ] - ): + if all(item in cluster.logging.types for item in required_log_types): report.status = "PASS" - report.status_extended = f"Control plane logging enabled and correctly configured for EKS cluster {cluster.name}." + report.status_extended = f"Control plane logging and all required log types are enabled for EKS cluster {cluster.name}." else: - report.status_extended = f"Control plane logging enabled but not all log types collected for EKS cluster {cluster.name}." + report.status_extended = f"Control plane logging is enabled but not all required log types are enabled for EKS cluster {cluster.name}. Required log types: {required_log_types_str}. Enabled log types: {', '.join(cluster.logging.types)}." findings.append(report) return findings diff --git a/tests/config/config_test.py b/tests/config/config_test.py index 09a2f61c31..23e05d1e83 100644 --- a/tests/config/config_test.py +++ b/tests/config/config_test.py @@ -62,6 +62,13 @@ old_config_aws = { "organizations_trusted_delegated_administrators": [], "check_rds_instance_replicas": False, "days_to_expire_threshold": 7, + "eks_required_log_types": [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ], } config_aws = { "mute_non_default_regions": False, 
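Review bot: The FAIL message in the `else` branch prints both the required list and the enabled list and leaves the reader to diff them by eye; computing the gap once, `missing_log_types = sorted(set(required_log_types) - set(cluster.logging.types))`, and reporting `Missing log types: {', '.join(missing_log_types)}` makes the finding actionable at a glance and keeps status_extended short. The same `missing_log_types` can drive the branch condition (`if not missing_log_types:`) so the check and the message cannot drift apart. Note also that the fixed required list is now appended to every per-cluster FAIL finding even though it is constant for the whole run; that is fine for readability but worth a comment such as `# required list comes from audit_config, so every finding restates it for context`. The enclosing execute method starts in the previous hunk.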
@@ -255,6 +262,13 @@ config_aws = { ], "check_rds_instance_replicas": False, "days_to_expire_threshold": 7, + "eks_required_log_types": [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ], } config_azure = { diff --git a/tests/config/fixtures/config.yaml b/tests/config/fixtures/config.yaml index 90dd925aaa..6a30cc67ef 100644 --- a/tests/config/fixtures/config.yaml +++ b/tests/config/fixtures/config.yaml @@ -272,6 +272,19 @@ aws: # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 + # AWS EKS Configuration + # aws.eks_control_plane_logging_all_types_enabled + # EKS control plane logging types that must be enabled + eks_required_log_types: + [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ] + + # Azure Configuration azure: # Azure Network Configuration diff --git a/tests/config/fixtures/config_old.yaml b/tests/config/fixtures/config_old.yaml index 80493b637a..95df114d01 100644 --- a/tests/config/fixtures/config_old.yaml +++ b/tests/config/fixtures/config_old.yaml @@ -80,3 +80,16 @@ check_rds_instance_replicas: False # AWS ACM Configuration # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 + +# AWS EKS Configuration +# aws.eks_control_plane_logging_all_types_enabled +# EKS control plane logging types that must be enabled +eks_required_log_types: + [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ] + diff --git a/tests/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled_test.py b/tests/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled_test.py index cee106aa80..bfb55ff918 100644 --- a/tests/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled_test.py 
+++ b/tests/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled_test.py @@ -74,6 +74,15 @@ class Test_eks_control_plane_logging_all_types_enabled: ), ) ) + eks_client.audit_config = { + "eks_required_log_types": [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ] + } with mock.patch( "prowler.providers.aws.services.eks.eks_service.EKS", @@ -88,7 +97,7 @@ class Test_eks_control_plane_logging_all_types_enabled: assert len(result) == 1 assert result[0].status == "FAIL" assert search( - "Control plane logging enabled but not all log types collected", + "Control plane logging is enabled but not all required log types are enabled for EKS cluster cluster_test. Required log types: api, audit, authenticator, controllerManager, scheduler. Enabled log types: api, audit, authenticator, controllerManager.", result[0].status_extended, ) assert result[0].resource_id == cluster_name @@ -114,6 +123,15 @@ class Test_eks_control_plane_logging_all_types_enabled: ), ) ) + eks_client.audit_config = { + "eks_required_log_types": [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", + ] + } with mock.patch( "prowler.providers.aws.services.eks.eks_service.EKS", @@ -128,7 +146,7 @@ class Test_eks_control_plane_logging_all_types_enabled: assert len(result) == 1 assert result[0].status == "PASS" assert search( - "Control plane logging enabled and correctly configured", + "Control plane logging and all required log types are enabled for EKS cluster", result[0].status_extended, ) assert result[0].resource_id == cluster_name
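Review bot: Neither updated test exercises the new configuration path: there is no case where `eks_client.audit_config` lacks `eks_required_log_types` or carries an empty list, which is exactly where `all()` over an empty iterable turns a partially-logged cluster into a PASS. Add a third test that reuses the partial-logging fixture from the -74 hunk, sets `eks_client.audit_config = {}` and asserts the intended status, so the default the check relies on is pinned by a test rather than implied. The five-name list is duplicated verbatim in the -74 and -114 hunks; hoisting it to one module-level constant keeps both fixtures in step with the shipped `prowler/config/config.yaml`. The long pattern passed to `search` in the -88 hunk contains unescaped `.` characters; it still matches here, but an `in` check on `result[0].status_extended` (or `re.escape`) would assert the exact message, assuming `search` is `re.search` as its use suggests.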