Posted On: Jul 26, 2022

HAQM Detective now helps to analyze, investigate, and identify the root cause of security findings or suspicious control plane activity on HAQM Elastic Kubernetes Service (HAQM EKS) clusters. HAQM Detective uses HAQM EKS audit logs to automatically extract new entities, such as EKS clusters, container pods, and user accounts, and then builds a profile for each entity based on its activity history. Detective then layers the entity profiles with HAQM GuardDuty Kubernetes Protection findings, which are created when potential threats or suspicious behavior are identified on your HAQM EKS clusters. This new Detective capability can help you answer questions more quickly, such as: which Kubernetes API methods were called by a Kubernetes user account showing signs of compromise, which pods are hosted on an HAQM Elastic Compute Cloud (HAQM EC2) instance that was included in an HAQM GuardDuty finding, or which containers were spawned from a potentially malicious container image.
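The entity profiling described above can be illustrated on the raw data Detective consumes. The following is an added example, not Detective's own code: it parses Kubernetes audit events in the standard `audit.k8s.io/v1` format that EKS control plane logging emits (one JSON object per line), builds a per-user activity profile (API methods called, namespaces touched, source IPs, denied requests, first and last seen), and answers the "which API methods did this user account call?" question. The sample events, the user name `dev-alice`, and the IP addresses are constructed for the example.

```python
"""Build per-user activity profiles from Kubernetes audit log events.

Added example, not part of HAQM Detective. Input is the standard
audit.k8s.io/v1 Event format, one JSON object per line. The sample
events below are constructed, not captured from a real cluster.
"""
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample events. Note the RequestReceived/ResponseComplete pair
# for the same auditID: the API server emits one event per stage.
SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a1",
     "stage": "ResponseComplete", "verb": "get",
     "requestURI": "/api/v1/namespaces/kube-system/endpoints/kube-dns",
     "user": {"username": "system:serviceaccount:kube-system:coredns"},
     "sourceIPs": ["10.0.2.20"],
     "objectRef": {"resource": "endpoints", "namespace": "kube-system", "name": "kube-dns"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2022-07-26T10:00:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "b2",
     "stage": "RequestReceived", "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.1.5"],
     "objectRef": {"resource": "pods", "namespace": "default"},
     "requestReceivedTimestamp": "2022-07-26T10:01:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "b2",
     "stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/namespaces/default/pods",
     "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.1.5"],
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2022-07-26T10:01:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "c3",
     "stage": "ResponseComplete", "verb": "create",
     "requestURI": "/api/v1/namespaces/default/pods/web-0/exec",
     "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.1.5"],
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0", "subresource": "exec"},
     "responseStatus": {"code": 101}, "requestReceivedTimestamp": "2022-07-26T10:02:30.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "d4",
     "stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/namespaces/kube-system/secrets",
     "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.1.5"],
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 403}, "requestReceivedTimestamp": "2022-07-26T10:03:10.000000Z"},
]
# One JSON document per line, plus a malformed line the parser must tolerate.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json"]


@dataclass
class UserProfile:
    """Activity history of one Kubernetes user (human, service account or node)."""
    username: str
    methods: Counter = field(default_factory=Counter)  # "verb resource[/subresource]" -> count
    source_ips: Set[str] = field(default_factory=set)
    namespaces: Set[str] = field(default_factory=set)
    denied: int = 0          # requests that authenticated but were rejected (HTTP 403)
    first_seen: str = ""
    last_seen: str = ""


def parse_event(line: str) -> Optional[dict]:
    """Return the audit event on this line, or None if it is not a valid Event."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("kind") != "Event" or "verb" not in event:
        return None
    return event


def api_method(event: dict) -> str:
    """Normalize an event to 'verb resource[/subresource]', e.g. 'create pods/exec'."""
    ref = event.get("objectRef") or {}
    target = ref.get("resource") or event.get("requestURI", "?")
    if ref.get("subresource"):
        target += "/" + ref["subresource"]
    return f"{event['verb']} {target}"


def build_profiles(lines: Iterable[str]) -> Dict[str, UserProfile]:
    """Aggregate audit lines into one profile per username."""
    profiles: Dict[str, UserProfile] = {}
    for line in lines:
        event = parse_event(line)
        # Count each request once: only the ResponseComplete stage carries the outcome.
        if event is None or event.get("stage") != "ResponseComplete":
            continue
        username = (event.get("user") or {}).get("username", "<unknown>")
        profile = profiles.setdefault(username, UserProfile(username))
        profile.methods[api_method(event)] += 1
        profile.source_ips.update(event.get("sourceIPs", []))
        namespace = (event.get("objectRef") or {}).get("namespace")
        if namespace:
            profile.namespaces.add(namespace)
        if (event.get("responseStatus") or {}).get("code") == 403:
            profile.denied += 1
        ts = event.get("requestReceivedTimestamp", "")
        if ts:  # RFC 3339 timestamps with a fixed layout compare correctly as strings
            profile.first_seen = min(profile.first_seen or ts, ts)
            profile.last_seen = max(profile.last_seen, ts)
    return profiles


def methods_for_user(profiles: Dict[str, UserProfile], username: str) -> List[Tuple[str, int]]:
    """Answer 'which API methods did this account call?', most frequent first."""
    profile = profiles.get(username)
    if profile is None:
        return []
    return sorted(profile.methods.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    built = build_profiles(SAMPLE_AUDIT_LINES)
    for name, prof in built.items():
        print(f"{name}: {dict(prof.methods)} from {sorted(prof.source_ips)} "
              f"in {sorted(prof.namespaces)}, {prof.denied} denied, "
              f"{prof.first_seen} .. {prof.last_seen}")
```

The profile for `dev-alice` shows a `create pods/exec` followed by a denied `list secrets` in `kube-system`, which is exactly the kind of per-entity history an investigator wants next to a GuardDuty finding. Skipping every stage except `ResponseComplete` matters in practice: counting `RequestReceived` events as well would double every request and hide the response code.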

HAQM EKS audit logging provides audit and diagnostic logs that make it easier for you to secure and run your HAQM EKS clusters. Starting today, you can enable HAQM EKS audit logs as a new data source in HAQM Detective with one click in the AWS Management Console. HAQM Detective automatically analyzes these logs to monitor anomalous actions, identify security issues as they occur within your HAQM EKS cluster, and help you answer questions like: What are the details of a security event? When did it happen? Who initiated it? To further simplify your security investigation, clicking on HAQM GuardDuty Kubernetes Protection findings in the HAQM GuardDuty console starts a guided investigative experience that can assist you in identifying the root cause of the finding, evaluating the potential impact on other resources, and delivering contextual details that help your application and operations teams respond to the situation more quickly. To read more about HAQM Detective support for HAQM EKS, see the HAQM Detective User Guide.

The first 30 days of enabling EKS audit logs as a data source in Detective are available at no additional charge for existing Detective accounts. For new accounts, the EKS audit logs data source is automatically enabled and is part of the 30-day HAQM Detective free trial. During the trial period, the Detective Management Console shows what the estimated cost of running the service will be after the trial ends. Support for EKS audit logs is available in all AWS Regions where Detective is available. To learn more, visit the HAQM Detective product page.