{"id":21392215,"url":"https://github.com/sysdiglabs/ekscloudwatch","last_synced_at":"2025-08-01T20:43:43.072Z","repository":{"id":45664694,"uuid":"224051926","full_name":"sysdiglabs/ekscloudwatch","owner":"sysdiglabs","description":"Forward EKS CloudWatch k8s audit events to Sysdig secure","archived":false,"fork":false,"pushed_at":"2023-02-14T15:27:11.000Z","size":361,"stargazers_count":25,"open_issues_count":4,"forks_count":8,"subscribers_count":3,"default_branch":"master","last_synced_at":"2023-03-02T17:22:39.297Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-25T22:16:48.000Z","updated_at":"2023-01-13T17:21:54.000Z","dependencies_parsed_at":"2023-01-31T14:05:27.425Z","dependency_job_id":null,"html_url":"https://github.com/sysdiglabs/ekscloudwatch","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fekscloudwatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fekscloudwatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fekscloudwatch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fekscloudwatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/ekscloudwatch/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https:
//github.com","kind":"github","repositories_count":225908384,"owners_count":17543475,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T13:39:37.570Z","updated_at":"2024-11-22T13:39:38.020Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Go","readme":"# EKS audit integration example\n\nThe following instructions show how to deploy a simple application that reads EKS Kubernetes audit logs and forwards them to the Sysdig Secure agent.\nThe steps below show an example configuration implemented with the AWS console, but the same can be done with scripts, API calls or Infrastructure-as-Code configurations.\n\nThese instructions have been tested with eks.5 on Kubernetes v1.14.\n\n## EKS setup: enable CloudWatch audit logs\n\nYour EKS cluster needs to be configured to forward audit logs to CloudWatch, which is disabled by default.\n\n1. Open the EKS dashboard from the AWS console\n1. Select your cluster \u003e _Logging_ \u003e _Update_ and enable _Audit_\n\n![Audit Enabled](readme_img/audit_logs.png)\n\n## EKS setup: configure the VPC endpoint\n\nYour VPC needs an endpoint for the service `com.amazonaws.\u003cyour-region\u003e.logs`, accessible from all the EKS security groups.\n\n1. Open the VPC dashboard from the AWS console\n1. Select _Endpoints_ \u003e _Create Endpoints_\n1. Select _Find service by name_, enter `com.amazonaws.\u003cyour-region\u003e.logs` and click \"Verify\".\n1. Under VPC, select your cluster's VPC\n1. 
Select all security groups\n\n## EKS setup: configure EC2 instance profiles and roles\n\nThe EC2 instances that make up your EKS cluster must have the necessary permissions to read CloudWatch logs. Usually they all use the same IAM Role, so that is the one to configure.\n\n1. Open the EC2 dashboard from the AWS console\n1. Select the AWS EC2 instances that are configured as cluster nodes\n1. Select the associated IAM Role, which should be the same for all nodes\n1. Find the policy `CloudWatchReadOnlyAccess` and attach it\n\n![Permissions](readme_img/attach_permissions.png)\n\n## Deploy the client and its configmap\n\nWe can now deploy the log forwarder itself along with its configmap.\n\n```\n$ kubectl --namespace sysdig-agent apply -f ./ekscloudwatch-config.yaml\nconfigmap/ekscloudwatch-config created\n$ kubectl --namespace sysdig-agent apply -f ./deployment.yaml\ndeployment.apps/eks-cloudwatch created\n```\n\nTo check that the forwarder is configured and working correctly, inspect the logs of the pod that you just deployed in the `sysdig-agent` namespace.\n\nYou should see k8s audit-related events in the Sysdig Secure dashboard.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fekscloudwatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fekscloudwatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fekscloudwatch/lists"}