Posted On: Jul 26, 2022

Amazon Detective now helps to analyze, investigate, and identify the root cause of security findings or suspicious control plane activity on Amazon Elastic Kubernetes Service (Amazon EKS) clusters. Amazon Detective uses Amazon EKS audit logs to automatically extract new entities, such as EKS clusters, container pods, and user accounts, and then builds a profile for each entity based on its activity history. Detective then layers the entity profiles with Amazon GuardDuty Kubernetes Protection findings, which are created when potential threats or suspicious behavior are identified on your Amazon EKS clusters. This new Detective capability can help you answer questions more quickly, such as: which Kubernetes API methods were called by a Kubernetes user account showing signs of compromise, which pods are hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance that was included in an Amazon GuardDuty finding, or which containers were spawned from a potentially malicious container image.
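The kind of question above ("which API methods did this user call, and which pods came from this image") is answered by grouping the Kubernetes audit events that EKS writes to its audit log stream. The following is an added example, not Detective's own implementation or any AWS code: it parses constructed audit records in the `audit.k8s.io/v1` Event format (one JSON document per line, as they appear in CloudWatch Logs) and summarizes them per user. It assumes the pod-creation events were logged at the `RequestResponse` level so that `requestObject` carries the pod spec; the cluster, user, IP and image values are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed sample EKS audit log lines (Kubernetes audit.k8s.io/v1 Event
# objects). All names, addresses and images are invented for illustration.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "auditID": "a1", "stage": "ResponseComplete", "verb": "create",
                "requestURI": "/api/v1/namespaces/prod/pods",
                "user": {"username": "system:serviceaccount:prod:ci-deployer"},
                "sourceIPs": ["10.0.1.15"],
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f"},
                "requestObject": {"spec": {"containers": [{"name": "web", "image": "registry.example/web:1.4"}]}},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "auditID": "a2", "stage": "ResponseComplete", "verb": "create",
                "requestURI": "/api/v1/namespaces/prod/pods",
                "user": {"username": "system:serviceaccount:prod:ci-deployer"},
                "sourceIPs": ["10.0.1.15"],
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "miner-x1"},
                "requestObject": {"spec": {"containers": [{"name": "t", "image": "registry.example/unknown-tool:latest"}]}},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a3", "stage": "ResponseComplete", "verb": "list",
                "requestURI": "/api/v1/secrets",
                "user": {"username": "system:serviceaccount:prod:ci-deployer"},
                "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 403}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a4", "stage": "ResponseComplete", "verb": "get",
                "requestURI": "/api/v1/namespaces/kube-system/secrets/aws-node-token",
                "user": {"username": "system:serviceaccount:prod:ci-deployer"},
                "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "aws-node-token"},
                "responseStatus": {"code": 403}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a5", "stage": "ResponseComplete", "verb": "list",
                "requestURI": "/api/v1/pods",
                "user": {"username": "system:serviceaccount:prod:ci-deployer"},
                "objectRef": {"resource": "pods"}, "responseStatus": {"code": 200}}),
    # ResponseStarted stage for the same list: must not be double counted.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a5", "stage": "ResponseStarted", "verb": "list",
                "requestURI": "/api/v1/pods",
                "user": {"username": "system:serviceaccount:prod:ci-deployer"},
                "objectRef": {"resource": "pods"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "auditID": "a6", "stage": "ResponseComplete", "verb": "get",
                "requestURI": "/api/v1/nodes",
                "user": {"username": "kubernetes-admin"},
                "objectRef": {"resource": "nodes"}, "responseStatus": {"code": 200}}),
    "",                      # blank line, as found at the end of a stream
    "{not valid json",       # truncated record, skipped rather than fatal
]


def parse_audit_events(lines):
    """Return completed audit Events, skipping blanks, malformed lines and
    the RequestReceived/ResponseStarted stages (which would double count)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def api_methods_by_user(events):
    """Map each Kubernetes user to the API calls it made: 'verb resource[ ns=...]' -> count."""
    summary = defaultdict(Counter)
    for ev in events:
        user = ev.get("user", {}).get("username", "<unknown>")
        ref = ev.get("objectRef") or {}
        resource = ref.get("resource") or ev.get("requestURI", "?")
        key = f"{ev.get('verb')} {resource}"
        if ref.get("namespace"):
            key += f" ns={ref['namespace']}"
        summary[user][key] += 1
    return {user: dict(calls) for user, calls in summary.items()}


def forbidden_by_user(events):
    """Count 403 responses per user; repeated denials are a common compromise signal."""
    denied = Counter()
    for ev in events:
        if (ev.get("responseStatus") or {}).get("code") == 403:
            denied[ev.get("user", {}).get("username", "<unknown>")] += 1
    return dict(denied)


def pods_created_from_image(events, image_prefix):
    """List (namespace, pod, image) for successful pod creations whose spec used an image
    starting with image_prefix. Needs RequestResponse-level events (requestObject present)."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if ev.get("verb") != "create" or ref.get("resource") != "pods" or not 200 <= code < 300:
            continue
        spec = (ev.get("requestObject") or {}).get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            image = c.get("image", "")
            if image.startswith(image_prefix):
                hits.append((ref.get("namespace"), ref.get("name"), image))
    return hits


if __name__ == "__main__":
    evs = parse_audit_events(SAMPLE_AUDIT_LINES)
    print(json.dumps(api_methods_by_user(evs), indent=2))
    print("403s per user:", forbidden_by_user(evs))
    print("pods from image:", pods_created_from_image(evs, "registry.example/unknown-tool"))
```

Filtering on `stage == "ResponseComplete"` matters: the API server emits one record per stage for the same `auditID`, so counting every line would inflate the per-user call counts. Secrets access that is denied (403) is surfaced separately because a service account that is probing resources outside its namespace is exactly the activity the announcement's "signs of compromise" question is about.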

Amazon EKS audit logging provides audit and diagnostic logs that make it easier for you to secure and run your Amazon EKS clusters. Starting today, you can enable Amazon EKS audit logs as a new data source in Amazon Detective with one click in the AWS Management Console. Amazon Detective automatically analyzes these logs to monitor anomalous actions, identify security issues as they occur within your Amazon EKS cluster, and help you answer questions like: What are the details of a security event? When did it happen? Who initiated it? To further simplify your security investigation, clicking on an Amazon GuardDuty Kubernetes Protection finding in the Amazon GuardDuty console starts a guided investigative experience that can assist you in identifying the root cause of the finding, evaluating the potential impact on other resources, and delivering contextual details that help your application and operations teams respond to the situation more quickly. To read more about Amazon Detective support for Amazon EKS, see the Amazon Detective User Guide.

The first 30 days after enabling EKS audit logs as a data source in Detective are available at no additional charge for existing Detective accounts. For new accounts, the EKS audit logs data source is enabled automatically and is part of the 30-day Amazon Detective free trial. During the trial period, the Detective Management Console shows the estimated cost of running the service once the trial period ends. Support for EKS audit logs is available in all AWS Regions where Detective is available. To learn more, visit the Amazon Detective product page.