Missing Cluster Log Types
- Query id: 66f130d9-b81d-4e8e-9b08-da74b9c891df
- Query name: Missing Cluster Log Types
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description
Amazon EKS control plane logging is not enabled for all log types. The control plane can ship five log types to CloudWatch (`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`); leaving any of them out of `enabled_cluster_log_types` means those events are never recorded and cannot be reviewed during an investigation.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
variable "cluster_name" {
  default = "example"
  type    = string
}

resource "aws_eks_cluster" "positive1" {
  # Only two of the five control plane log types are enabled
  depends_on                = [aws_cloudwatch_log_group.positive2]
  enabled_cluster_log_types = ["api", "audit"]
  name                      = var.cluster_name
  # ... other configuration ...
}

resource "aws_cloudwatch_log_group" "positive2" {
  # EKS writes control plane logs to a group with exactly this name
  name              = "/aws/eks/${var.cluster_name}/cluster"
  retention_in_days = 7
  # ... potentially other configuration ...
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
variable "cluster_name" {
  default = "example"
  type    = string
}

resource "aws_eks_cluster" "negative1" {
  # All five control plane log types are enabled
  depends_on                = [aws_cloudwatch_log_group.negative2]
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  name                      = var.cluster_name
  # ... other configuration ...
}

resource "aws_cloudwatch_log_group" "negative2" {
  # EKS writes control plane logs to a group with exactly this name
  name              = "/aws/eks/${var.cluster_name}/cluster"
  retention_in_days = 7
  # ... potentially other configuration ...
}
```
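The check behind this query, as an added example that is not KICS's own Rego implementation: a small Python scanner that pulls `enabled_cluster_log_types` out of every `aws_eks_cluster` block in a `.tf` file and reports which of the five log types are missing. It assumes `terraform fmt` style (the resource's closing brace at column 0) and uses constructed sample input rather than reading a file.

```python
import re
from typing import Dict, List

# All control plane log types EKS can send to CloudWatch; the query
# expects every one of them in enabled_cluster_log_types.
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}

# Matches one aws_eks_cluster block; assumes the closing brace sits at column 0
# (terraform fmt style) so nested blocks like vpc_config do not end the match early.
_CLUSTER_BLOCK = re.compile(
    r'resource\s+"aws_eks_cluster"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
_LOG_TYPES_ATTR = re.compile(r'enabled_cluster_log_types\s*=\s*\[(?P<items>[^\]]*)\]')


def missing_log_types(tf_source: str) -> Dict[str, List[str]]:
    """Map each aws_eks_cluster resource name to the log types it does not enable.

    A cluster with no enabled_cluster_log_types attribute is reported as missing
    all five types; clusters that enable every type do not appear in the result.
    """
    findings: Dict[str, List[str]] = {}
    for block in _CLUSTER_BLOCK.finditer(tf_source):
        attr = _LOG_TYPES_ATTR.search(block.group("body"))
        enabled = set(re.findall(r'"([^"]+)"', attr.group("items"))) if attr else set()
        missing = sorted(REQUIRED_LOG_TYPES - enabled)
        if missing:
            findings[block.group("name")] = missing
    return findings


# Constructed samples mirroring the positive and negative tests above,
# plus a cluster that omits the attribute entirely.
POSITIVE_SAMPLE = '''
resource "aws_eks_cluster" "positive1" {
  enabled_cluster_log_types = ["api", "audit"]
  name                      = "example"
}
'''
NEGATIVE_SAMPLE = '''
resource "aws_eks_cluster" "negative1" {
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  name                      = "example"
}
'''
NO_ATTR_SAMPLE = '''
resource "aws_eks_cluster" "unlogged" {
  name = "example"
}
'''

if __name__ == "__main__":
    for label, sample in [("positive", POSITIVE_SAMPLE), ("negative", NEGATIVE_SAMPLE)]:
        print(label, missing_log_types(sample))
```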