Compliance · Medium severity

AWS Security Hub · EKS

EKS.8: EKS clusters should have audit logging

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EKS.8 check?

EKS.8 fails when a cluster does not have the Kubernetes `audit` control-plane log type enabled (exported to CloudWatch Logs). The other four log types (`api`, `authenticator`, `controllerManager`, `scheduler`) do not count for this control, and neither does CloudTrail: CloudTrail records calls to the EKS service API such as `CreateCluster` or `UpdateClusterConfig`, but it never sees requests made to the Kubernetes API server itself (`kubectl exec`, Secret reads, RBAC changes). Only the `audit` log type captures those, so the "infrastructure logging" people assume they already have does not cover the cluster.

Why does EKS.8 matter?

When audit logging is off, the control plane does not buffer events for later; it never generates the records at all. During an incident, a team that discovers audit logging was off gets nothing for the period before they turned it on, not even a partial trail, and cannot answer who ran `kubectl exec` into a pod, which identity read a Secret, or whether a ClusterRoleBinding was added. It is installing the security camera after the burglary: the fix takes seconds, but the missing window is permanent.

How do I fix EKS.8?

  1. Inspect each cluster's logging configuration with the CLI (`aws eks describe-cluster --name <cluster> --query 'cluster.logging.clusterLogging'`). The output lists enabled and disabled types in separate entries, so check that `audit` sits in an entry with `"enabled": true`.
  2. Enable the `audit` log type (alongside the others you need) so events flow to the CloudWatch log group `/aws/eks/<cluster>/cluster`. The update is non-disruptive but asynchronous; wait for the cluster to return to `ACTIVE` before expecting logs.
  3. Size and budget the CloudWatch ingestion and set a retention policy on the log group, since busy clusters can produce significant audit volume and the group is created with retention set to never expire.
  4. Do not confuse this control-plane audit log with GuardDuty EKS Audit Log Monitoring: GuardDuty consumes the audit stream directly from the control plane and works whether or not CloudWatch logging is on, so enabling it does not satisfy EKS.8 and does not give you searchable logs. Default new clusters to audit logging on (for example in your Terraform or eksctl templates) so the finding never appears.
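The three inspection and remediation steps above, as an added example that is not part of the original page or of any AWS tooling. It replicates the EKS.8 decision against the `clusterLogging` structure that `aws eks describe-cluster` returns, handling the cases the CLI output makes easy to misread (a type listed only in a disabled entry; a cluster whose logging was never configured), and builds an `update-cluster-config --logging` payload that names `audit` together with every type already on, so the payload is safe whether or not omitted types are left unchanged by the API. The cluster names, the sample JSON and the `scan_region` helper are constructed for the example; `scan_region` is the live variant and needs boto3 and AWS credentials, while everything else runs offline.

```python
"""Replicate the Security Hub EKS.8 check and build a safe enable-audit payload.
Added example, not Emnode's or AWS's code."""
import json

# The five control-plane log types an EKS cluster can export to CloudWatch Logs.
EKS_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# Constructed sample data in the shape of `aws eks describe-cluster` output,
# trimmed to the fields the check needs. Note the API reports enabled and
# disabled types in separate entries: seeing "audit" in the list is not enough.
SAMPLE_CLUSTERS = {
    "prod-platform": {"name": "prod-platform", "logging": {"clusterLogging": [
        {"types": ["api", "authenticator"], "enabled": True},
        {"types": ["audit", "controllerManager", "scheduler"], "enabled": False}]}},
    "prod-data": {"name": "prod-data", "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False}]}},
    # Logging never configured: the list is empty rather than all-disabled.
    "legacy": {"name": "legacy", "logging": {"clusterLogging": []}},
}


def enabled_log_types(cluster: dict) -> set:
    """Return the set of control-plane log types currently exported to CloudWatch."""
    groups = cluster.get("logging", {}).get("clusterLogging", [])
    return {t for g in groups if g.get("enabled") for t in g.get("types", [])}


def eks8_status(cluster: dict) -> str:
    """EKS.8 passes only when the `audit` type is in an enabled entry."""
    return "PASSED" if "audit" in enabled_log_types(cluster) else "FAILED"


def audit_enable_payload(cluster: dict) -> dict:
    """Value for `aws eks update-cluster-config --logging`.

    Lists `audit` together with every type that is already on, so the same
    payload is correct regardless of how the API treats types it does not
    mention; it can never switch another log type off by omission."""
    keep = sorted(enabled_log_types(cluster) | {"audit"})
    return {"clusterLogging": [{"types": keep, "enabled": True}]}


def log_group_name(cluster: dict) -> str:
    """EKS writes every exported log type to one fixed group per cluster."""
    return f"/aws/eks/{cluster['name']}/cluster"


def report(clusters: dict) -> dict:
    """Map cluster name -> (EKS.8 status, sorted list of types not exported)."""
    return {name: (eks8_status(c), sorted(set(EKS_LOG_TYPES) - enabled_log_types(c)))
            for name, c in clusters.items()}


def scan_region(region: str) -> dict:
    """Live variant of report(): every cluster in a region (needs boto3 + credentials)."""
    import boto3  # imported here so the offline parts of the module need no SDK
    eks = boto3.client("eks", region_name=region)
    found = {}
    for page in eks.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            found[name] = eks.describe_cluster(name=name)["cluster"]
    return report(found)


if __name__ == "__main__":
    for name, (status, missing) in report(SAMPLE_CLUSTERS).items():
        print(f"{name:14} EKS.8 {status}  not exported: {missing}")
    # The JSON string to pass to --logging for the failing cluster.
    print(json.dumps(audit_enable_payload(SAMPLE_CLUSTERS["prod-platform"])))
```

Run it as-is to see the verdict for the three constructed clusters; swap `report(SAMPLE_CLUSTERS)` for `scan_region("eu-west-1")` to run the same logic against a real account. The payload function is the part worth keeping: pasting a hand-written `{"types":["audit"],"enabled":true}` into a cluster that already exports `api` and `authenticator` is fine, but building the list from the live state removes any doubt.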

Remediation script · bash

# Step 1: see which control-plane log types are currently exported.
aws eks describe-cluster --name prod-platform \
  --query 'cluster.logging.clusterLogging'

# Step 2: enable the EKS audit log type (non-disruptive). The update is
# asynchronous and only one cluster update can run at a time, so wait for
# the cluster to return to ACTIVE before touching the log group, which EKS
# creates when logging is first enabled.
aws eks update-cluster-config \
  --name prod-platform \
  --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
aws eks wait cluster-active --name prod-platform

# Step 3: bound the cost with retention (the group otherwise never expires).
aws logs put-retention-policy \
  --log-group-name /aws/eks/prod-platform/cluster \
  --retention-in-days 90

# Separately: turn on GuardDuty EKS Audit Log Monitoring and auto-enable it
# for the whole org. This is detection on the same stream, not a substitute
# for the CloudWatch export above, and does not by itself satisfy EKS.8.
DETECTOR=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
aws guardduty update-detector --detector-id "$DETECTOR" \
  --features '[{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'
aws guardduty update-organization-configuration --detector-id "$DETECTOR" \
  --features '[{"Name":"EKS_AUDIT_LOGS","AutoEnable":"ALL"}]'

Full walkthrough (console steps, edge cases and verification) in the lesson Enable cluster and search audit logging.

Part of the learning path See what's happening
  • EKS.1 An EKS cluster API endpoint is public
  • EKS.2 An EKS cluster runs an unsupported Kubernetes version
  • EKS.3 EKS clusters should use encrypted K8s secrets
  • EKS.9 An EKS node group runs an unsupported Kubernetes version