Compliance · High severity

AWS Security Hub · GuardDuty

GuardDuty.5: GuardDuty EKS audit log monitoring is off

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub GuardDuty.5 check?

GuardDuty.5 fails when EKS Audit Log Monitoring is not enabled on the GuardDuty detector. This feature reads the Kubernetes control-plane audit log — the stream recording every API call EKS already produces — and is agentless: no DaemonSet, no node agent.

Why does GuardDuty.5 matter?

The EKS API server brokers every meaningful action in a cluster — who created a pod, read a secret, bound a role, deleted a namespace — and attackers who gain a foothold almost always interact with it for enumeration and privilege escalation. Without audit-log monitoring those moves pass unseen on the most attacker-active surface in Kubernetes. Because the feature is agentless, the only thing you save by leaving it off is a usage-based fee.

How do I fix GuardDuty.5?

  1. Enable EKS Audit Log Monitoring on the GuardDuty detector.
  2. GuardDuty consumes the control-plane logs automatically — no cluster-side agent is required.
  3. Confirm coverage shows your EKS clusters as monitored.
  4. Route the resulting findings into your incident-response workflow.

Remediation script · bash

#!/usr/bin/env bash
CLUSTER=prod-platform   # example cluster name used throughout

# Optional but recommended: ship the control-plane audit log type to CloudWatch
# (non-disruptive) so the raw events are on hand for investigation, then bound
# the cost with retention. GuardDuty reads the audit stream independently of
# this setting, so the control passes without it.
aws eks update-cluster-config \
  --name "$CLUSTER" \
  --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

aws logs put-retention-policy \
  --log-group-name "/aws/eks/${CLUSTER}/cluster" \
  --retention-in-days 90

# Turn on GuardDuty EKS Audit Log Monitoring on the detector in this region.
DETECTOR=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
if [ -z "$DETECTOR" ] || [ "$DETECTOR" = "None" ]; then
  echo "No GuardDuty detector in this region; create one first" >&2
  exit 1
fi
aws guardduty update-detector --detector-id "$DETECTOR" \
  --features '[{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'

# Auto-enable it for all current and future member accounts. This call only
# succeeds from the GuardDuty delegated administrator account of the org.
aws guardduty update-organization-configuration --detector-id "$DETECTOR" \
  --features '[{"Name":"EKS_AUDIT_LOGS","AutoEnable":"ALL"}]'

Full walkthrough (console steps, edge cases and verification) in the lesson Enable cluster and search audit logging.
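Steps 3 and 4 above (confirm coverage, route the findings) are easy to get half right: the detector feature can be ENABLED in one account while the organization setting only covers NEW members, and Kubernetes findings land in the same stream as everything else GuardDuty emits. The following is an added example, not Emnode's or AWS's code, that evaluates the control the way Security Hub does from a `get-detector` response, flags an incomplete organization AutoEnable setting, and turns a Kubernetes finding into an incident-response ticket. It assumes the documented response shapes of `aws guardduty get-detector` (Features[].Name / Status), `describe-organization-configuration` (Features[].AutoEnable) and a GuardDuty Kubernetes finding (Type, Severity, Resource.EksClusterDetails); the sample documents in the block are constructed, not captured from a real account, and the queue names are hypothetical.

```python
"""Evaluate Security Hub control GuardDuty.5 and triage the Kubernetes findings
that EKS Audit Log Monitoring produces.

Added example; not code from Emnode or AWS. The dict shapes mirror the
GuardDuty API responses named in the lead-in; all sample data is constructed.
"""
from typing import Optional

EKS_AUDIT_FEATURE = "EKS_AUDIT_LOGS"


def evaluate_guardduty_5(detector: dict) -> dict:
    """Decide GuardDuty.5 as Security Hub does: PASSED only when the detector
    carries an EKS_AUDIT_LOGS feature whose Status is ENABLED."""
    status = "ABSENT"  # no feature entry at all also fails the control
    for feature in detector.get("Features", []):
        if feature.get("Name") == EKS_AUDIT_FEATURE:
            status = feature.get("Status", "ABSENT")
    return {"control": "GuardDuty.5",
            "status": "PASSED" if status == "ENABLED" else "FAILED",
            "feature_status": status}


def org_autoenable_gap(org_config: dict) -> Optional[str]:
    """Return None when the org setting covers every member (AutoEnable == ALL);
    otherwise describe which accounts the current setting leaves out."""
    for feature in org_config.get("Features", []):
        if feature.get("Name") == EKS_AUDIT_FEATURE:
            mode = feature.get("AutoEnable", "NONE")
            if mode == "ALL":
                return None
            if mode == "NEW":
                return "existing member accounts are not auto-enabled (only NEW ones)"
            return "no member account is auto-enabled"
    return "EKS_AUDIT_LOGS has no organization-level AutoEnable setting"


def severity_label(score: float) -> str:
    """GuardDuty severity bands: 1-3.9 Low, 4-6.9 Medium, 7-8.9 High."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def route_kubernetes_finding(finding: dict) -> Optional[dict]:
    """Turn a GuardDuty EKS audit-log finding into an IR ticket. Findings that are
    not Kubernetes findings return None so the caller can route them elsewhere."""
    ftype = finding.get("Type", "")
    if "Kubernetes/" not in ftype:
        return None
    resource = finding.get("Resource", {})
    cluster = resource.get("EksClusterDetails", {}).get("Name", "unknown-cluster")
    user = (resource.get("KubernetesDetails", {})
                    .get("KubernetesUserDetails", {})
                    .get("Username", "unknown-user"))
    tactic = ftype.split(":", 1)[0]          # e.g. PrivilegeEscalation
    sev = severity_label(float(finding.get("Severity", 0)))
    # High severity, or any privilege-escalation / persistence tactic, pages
    # on-call; everything else goes to the analyst triage queue (hypothetical names).
    urgent = sev == "High" or tactic in ("PrivilegeEscalation", "Persistence")
    return {"queue": "oncall" if urgent else "triage",
            "severity": sev,
            "cluster": cluster,
            "actor": user,
            "title": f"[{sev}] {ftype} on {cluster} by {user}"}


# Constructed sample documents (not captured from a real account).
SAMPLE_DETECTOR_OFF = {"Status": "ENABLED",
                       "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}]}
SAMPLE_DETECTOR_ON = {"Status": "ENABLED",
                      "Features": [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]}
SAMPLE_ORG_CONFIG = {"Features": [{"Name": "EKS_AUDIT_LOGS", "AutoEnable": "NEW"}]}
SAMPLE_FINDING = {
    "Type": "PrivilegeEscalation:Kubernetes/PrivilegedContainer",
    "Severity": 5,
    "Resource": {"ResourceType": "EKSCluster",
                 "EksClusterDetails": {"Name": "prod-platform"},
                 "KubernetesDetails": {"KubernetesUserDetails": {
                     "Username": "system:serviceaccount:default:ci"}}}}

if __name__ == "__main__":
    print(evaluate_guardduty_5(SAMPLE_DETECTOR_OFF))
    print(org_autoenable_gap(SAMPLE_ORG_CONFIG))
    print(route_kubernetes_finding(SAMPLE_FINDING))
```

To run this against a real account, feed `evaluate_guardduty_5` the JSON from `aws guardduty get-detector --detector-id <id>` in each region you operate in; the per-region loop is deliberately left to the caller because GuardDuty detectors are regional and a single PASSED result says nothing about the other regions.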

Is GuardDuty.5 a false positive?

This is Audit Log Monitoring, not Runtime Monitoring — it needs no agent or DaemonSet, so don't conflate it with the EKS runtime agent controls when planning the rollout.
