Event logging monitoring, auditing and logging - Architecting for HIPAA Security and Compliance on Amazon EKS

It is a best practice to use event logging mechanisms to track, monitor, and alert on potentially anomalous activities.

To achieve this, consider the following:

  • Leverage AWS event log services to establish event log monitoring at the network, host, and container levels.

  • Enable VPC Flow Logs to capture network flow records that detail packet-level information, such as the protocol, port, and source and destination addresses.

  • Monitor container hosts for health, efficiency, and availability by ensuring that the Amazon CloudWatch or Amazon Kinesis agents are enabled and configured.

  • Enable event logging capabilities within the containerized applications to capture application and container event log data.

  • Use CloudWatch dashboards to monitor and alert on all captured event log activity.

  • Store the captured event data securely within encrypted Amazon S3 buckets to help you meet your retention needs.

Amazon EKS with Fargate supports a built-in log router, which means there are no sidecar containers to install or maintain. The log router allows you to use the breadth of AWS services for log analytics and storage. You can stream logs from Fargate directly to Amazon CloudWatch, Amazon OpenSearch Service, and Amazon Data Firehose destinations such as Amazon S3, Amazon Kinesis Data Streams, and partner tools. Fargate uses AWS for Fluent Bit, an upstream-compliant distribution of Fluent Bit managed by AWS. For more information, see AWS for Fluent Bit on GitHub.

Finally, we recommend that you maintain a holistic view of the environment through the use of AWS tools. Amazon GuardDuty provides threat detection through anomaly detection, machine learning, and threat intelligence applied to events across AWS data sources, including AWS CloudTrail and VPC Flow Logs. Amazon Athena and Amazon CloudWatch Logs Insights can also be used to query and analyze audit trail logs saved to Amazon S3 from VPC Flow Logs, AWS CloudTrail, and Amazon CloudWatch.

To summarize, consider the following points for monitoring and logging:

  • Enable Amazon EKS cluster audit logs.

  • Use Kubernetes audit metadata annotations for authorization history tracking.

  • Create alarms for suspicious events.

  • Analyze logs with Amazon CloudWatch Logs Insights.

  • Audit your AWS CloudTrail logs.
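As an added example that is not part of the whitepaper, the following Python shows the kind of triage a detection pipeline can run over EKS cluster audit events (Kubernetes audit.k8s.io/v1 Event objects, one JSON object per line as delivered to CloudWatch Logs) before raising an alarm: it reads the authorization.k8s.io/decision annotation for denied requests, flags interactive pod access and secret reads by non-system principals, and survives malformed lines. The sample events and the list of sensitive request types are constructed assumptions; tune them to your workload.

```python
"""Triage of EKS audit events: JSON lines in Kubernetes audit.k8s.io/v1 format,
using the authorization.k8s.io/decision annotation for RBAC outcome history."""
import json

# Assumption: request types most clusters want alarmed on; tune to the workload.
SENSITIVE_SUBRESOURCES = {"exec", "attach", "portforward"}
SENSITIVE_RESOURCES = {"secrets"}


def classify_event(event):
    """Return finding tags for one audit event (empty list if benign)."""
    findings = []
    ann = event.get("annotations", {})
    ref = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    if ann.get("authorization.k8s.io/decision") == "forbid":
        findings.append("rbac-denied")  # denied request: probing or misconfigured RBAC
    if ref.get("subresource") in SENSITIVE_SUBRESOURCES:
        findings.append("pod-" + ref["subresource"])  # interactive container access
    if ref.get("resource") in SENSITIVE_RESOURCES and not user.startswith("system:"):
        findings.append("secret-access-by-user")  # non-system principal reading secrets
    return findings


def triage(log_text):
    """Parse a JSON-lines audit log; return [(auditID, username, tags)] for hits."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip rather than stop the pipeline
        tags = classify_event(event)
        if tags:
            hits.append((event.get("auditID"), event.get("user", {}).get("username"), tags))
    return hits


def _event(audit_id, user, resource, decision, subresource=None):
    ref = {"resource": resource, "namespace": "payments"}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"auditID": audit_id, "verb": "get", "user": {"username": user},
                       "objectRef": ref, "annotations": {"authorization.k8s.io/decision": decision}})


SAMPLE_AUDIT_LOG = "\n".join([  # constructed sample events, not real cluster data
    _event("a1", "system:serviceaccount:kube-system:coredns", "endpoints", "allow"),
    _event("a2", "dev-alice", "pods", "allow", subresource="exec"),
    _event("a3", "dev-bob", "secrets", "forbid"),
    _event("a4", "system:serviceaccount:kube-system:aws-node", "secrets", "allow"),
    "{not valid json",  # a corrupted line the parser must survive
])
```

Each returned tag maps naturally to a CloudWatch metric filter and alarm, so the same rules can drive alerting on the live log group.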