AWS EKS
Connecting AWS EKS logs to your Panther Console
Overview
Panther supports ingesting Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) logs via AWS CloudWatch Logs.
EKS cannot send logs directly to S3. Instead, you'll need to direct your EKS logs to CloudWatch Logs, then configure a Kinesis Data Firehose to transport them to an S3 bucket, from which Panther will read them.
How to onboard AWS EKS logs to Panther
Step 1: Enable EKS control plane logging
Enabling EKS control plane logs means AWS will begin routing them to CloudWatch Logs.
Follow AWS's documentation to enable EKS control plane logging.
When configuring logging in the EKS Console, make sure to only enable logging for Audit and Authenticator log types, as Panther does not currently support the other log types.
Step 2: Configure the CloudWatch Logs source in the Panther Console
After you've enabled EKS control plane logging, your EKS audit and authenticator logs will be available in CloudWatch Logs. Now it's time to set up a CloudWatch Logs source in Panther.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Click the Custom Log Formats tile.
On the AWS CloudWatch Logs tile, click Start.
On the "Configure your source" page, fill in the fields:
Name: Enter a descriptive name of the CloudWatch Logs source.
Log Group Name: Enter the unique name of the CloudWatch Logs group. The name format of your AWS CloudWatch Logs LogGroup is /aws/eks/{your_cluster_name}/cluster
AWS Account ID: Enter the ID number for the AWS account that hosts the EKS cluster.
(optional) Pattern Filter: Enter a pattern on which to filter log events. See AWS's CloudWatch Logs pattern filter documentation to learn more.
Log Types: Select Amazon.EKS.Audit and Amazon.EKS.Authenticator.
Click Setup.
Step 3: Set up the S3 bucket, Kinesis Data Firehose, and IAM role
Panther needs a variety of AWS resources to read objects from your CloudWatch Logs source. To configure these, Panther provides a CloudFormation template that sets up an S3 bucket, Kinesis Data Firehose, IAM role, and other necessary resources.
In the Panther Console, click Using the AWS Console UI. You will be redirected to the AWS CloudFormation console UI with the template pre-filled.
Note that you also have the options to download the template and apply it through your own pipeline, or to configure the resources manually. For more details, see the CloudWatch Logs Source documentation.
Install the CloudFormation stack template into the AWS account ID and region that hosts the EKS cluster.
Make sure to wait for the CloudFormation stack creation to complete.
When the CloudFormation stack is ready, fill in the Bucket Name and Role ARN in the Panther Console.
After the CloudFormation stack creation is complete, you can find the resource ARNs in the "Outputs" section of the stack in AWS.
Step 4: Finish source setup in Panther
You will be directed to a success screen.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-built detections
See Panther's prewritten AWS rules in the panther-analysis GitHub repository.
Supported AWS EKS log types
Panther supports Amazon.EKS.Audit and Amazon.EKS.Authenticator logs.
Amazon.EKS.Audit
EKS audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see AWS's documentation on EKS control plane logs.
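As an added example (not Panther's own code and not one of the panther-analysis rules), here is a Panther-style Python rule run over constructed Amazon.EKS.Audit events: it flags requests the API server rejected with 403 Forbidden, which is how a user, service account, or anonymous caller acting outside its RBAC permissions appears in the audit log. The field names follow the Kubernetes audit event schema that EKS audit logs carry; the rule/title/severity entry points follow Panther's rule convention, and deep_get is a local stand-in for the event accessors Panther provides.

```python
# Added example, not Panther's or panther-analysis code. Field names follow the
# Kubernetes audit event schema carried by Amazon.EKS.Audit (user.username,
# user.groups, verb, objectRef, responseStatus.code). Panther calls rule(),
# title() and severity() with an event object that supports .get(); plain
# dicts are used here so the example runs offline.

# Constructed sample events (not real cluster data).
SAMPLE_EVENTS = [
    {  # routine list by a control plane component: allowed, no alert
        "user": {"username": "system:kube-scheduler", "groups": ["system:authenticated"]},
        "verb": "list", "objectRef": {"resource": "pods", "namespace": "kube-system"},
        "responseStatus": {"code": 200},
    },
    {  # an authenticated user asks for secrets cluster-wide and RBAC refuses
        "user": {"username": "kubernetes-admin", "groups": ["system:authenticated"]},
        "verb": "list", "objectRef": {"resource": "secrets"},
        "responseStatus": {"code": 403, "reason": "Forbidden"},
    },
    {  # an unauthenticated caller is refused
        "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
        "verb": "get", "objectRef": {"resource": "pods", "namespace": "default"},
        "responseStatus": {"code": 403},
    },
]

def deep_get(event, *keys, default=None):
    """Walk nested dict keys without raising on missing levels (local helper)."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur

def rule(event):
    # Alert on any API request the control plane rejected as Forbidden.
    return deep_get(event, "responseStatus", "code") == 403

def title(event):
    user = deep_get(event, "user", "username", default="<unknown user>")
    verb = event.get("verb", "<unknown verb>")
    resource = deep_get(event, "objectRef", "resource", default="<unknown resource>")
    namespace = deep_get(event, "objectRef", "namespace")
    scope = f"in namespace {namespace}" if namespace else "(cluster-wide)"
    return f"EKS: {user} forbidden to {verb} {resource} {scope}"

def severity(event):
    # A refused unauthenticated caller is rated higher than a known principal's denied request.
    groups = deep_get(event, "user", "groups", default=[])
    return "HIGH" if "system:unauthenticated" in groups else "MEDIUM"

def run(events):
    """Apply the rule to a batch and return (title, severity) for each match."""
    return [(title(e), severity(e)) for e in events if rule(e)]
```

In a real deployment the rule file would also carry Panther's YAML metadata naming Amazon.EKS.Audit as its log type, and an allowlist of principals whose denied requests are expected noise.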
Amazon.EKS.Authenticator
These logs represent the control plane component that EKS uses for Kubernetes Role Based Access Control (RBAC) authentication using IAM credentials. For more information, see AWS's documentation on EKS control plane logs.