

Add initial configuration for EKS Control Plane logging SIEM integration
1 parent 91d8220 commit 0f74715

4 files changed

+92
-1
lines changed


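--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -166,6 +166,85 @@ Resources:
 Properties:
 LogGroupName: "/aws/eks/{{.Cluster.Name}}/cluster"
 RetentionInDays: 545
+{{- if eq .Cluster.ConfigItems.eks_siem_logging "true" }}
+EKSControlPlaneSubscriptionFilter:
+Type: AWS::Logs::SubscriptionFilter
+Properties:
+LogGroupName: !Ref ControlPlaneLogGroup
+RoleArn: !GetAtt EKSControlPlaneCWtoFirehoseRole.Arn
+FilterName: "EKSCtrlPlaneLogs-{{.Cluster.Name}}"
+FilterPattern: ""
+DestinationArn: !GetAtt EKSControlPlaneLogsDataFirehose.Arn
+EKSControlPlaneLogsDataFirehose:
+Type: AWS::KinesisFirehose::DeliveryStream
+Properties:
+DeliveryStreamName: "EKSCtrlPlaneDeliveryStream-{{.Cluster.Name}}"
+DeliveryStreamType: DirectPut
+HttpEndpointDestinationConfiguration:
+EndpointConfiguration:
+AccessKey: "{{.Cluster.ConfigItems.eks_siem_key}}"
+Url: "{{.Cluster.ConfigItems.eks_siem_endpoint}}"
+RetryOptions:
+DurationInSeconds: 300
+S3BackupMode: "FailedDataOnly"
+S3Configuration:
+BucketARN: "{{.Cluster.ConfigItems.eks_siem_bucket}}"
+RoleARN: !GetAtt EKSControlPlaneFirehoseS3Role.Arn
+EKSControlPlaneFirehoseS3Role:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- firehose.amazonaws.com
+Action:
+- 'sts:AssumeRole'
+Path: /
+Policies:
+- PolicyName: root
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- 's3:PutObject'
+- 's3:GetObject'
+- 's3:ListBucketMultipartUploads'
+- 's3:AbortMultipartUpload'
+- 's3:ListBucket'
+- 's3:GetBucketLocation'
+Resource:
+- "{{.Cluster.ConfigItems.eks_siem_bucket}}"
+RoleName: "EKSCtrlPlaneFirehosetoS3-{{.Cluster.Name}}"
+EKSControlPlaneCWtoFirehoseRole:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Principal:
+Service:
+- "logs.amazonaws.com"
+Action:
+- "sts:AssumeRole"
+Path: /
+Policies:
+- PolicyName: root
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- "firehose:PutRecord"
+- "firehose:PutRecordBatch"
+Resource:
+- "arn:aws:firehose:*:{{.Cluster.InfrastructureAccountID}}:deliverystream/EKSCtrlPlaneDeliveryStream-{{.Cluster.Name}}"
+RoleName: "EKSCtrlPlaneCWtoFirehose-{{.Cluster.Name}}"
+{{- end }}
 {{- end }}
 EKSCluster:
 Type: AWS::EKS::Cluster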
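Review bot: The policy on EKSControlPlaneFirehoseS3Role lists only the bucket ARN under Resource, so the object-level actions s3:PutObject, s3:GetObject and s3:AbortMultipartUpload are not granted on any object and the FailedDataOnly backup writes will be denied; add the object ARN next to the bucket ARN, `- "{{.Cluster.ConfigItems.eks_siem_bucket}}"` followed by `- "{{.Cluster.ConfigItems.eks_siem_bucket}}/*"`. Both trust policies let the service principal assume the role unconditionally; to close the confused-deputy path AWS recommends a `Condition: StringEquals: sts:ExternalId: "{{.Cluster.InfrastructureAccountID}}"` on the firehose.amazonaws.com trust and an `aws:SourceArn` condition naming the control-plane log group on the logs.amazonaws.com trust. The SIEM AccessKey is interpolated in clear text into the CloudFormation template body, where anyone who can read the stack template can read it; if the renderer allows it, a Secrets Manager dynamic reference would keep the credential out of the template. A CloudWatchLoggingOptions block on the HTTP endpoint destination would also make delivery failures visible instead of leaving them only in the backup bucket. The enclosing Resources mapping and the outer `{{- if }}` guard start outside the hunk.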

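--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -1331,6 +1331,11 @@ eks_zalando_iam_aws_proxy_hpa_memory_target: "80"
 eks_okta_identity_provider: "true"
 eks_fis_support_enabled: "false"
 
+eks_siem_logging: "false"
+eks_siem_key: ""
+eks_siem_endpoint: ""
+eks_siem_bucket: ""
+
 # prefix delegation can only be configured for ipv4. For ipv6 it can only be true.
 aws_vpc_cni_prefix_delegation: "false"
 # enable custom networking for the AWS VPC CNI. This assumes that a custom CIDR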
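Review bot: The four new keys are undocumented while the neighbouring settings in this file carry a comment explaining them, and nothing tells an operator that eks_siem_key is a credential or that the other three must be set together once eks_siem_logging is "true" (the cluster template presumably renders an empty Url and BucketARN otherwise). I would add above them a comment such as `# Forward EKS control plane logs to an external SIEM via Kinesis Firehose. When enabled, eks_siem_key (HTTP endpoint access key, inject as a secret), eks_siem_endpoint (HTTPS URL) and eks_siem_bucket (S3 bucket ARN for failed deliveries) must all be set.`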

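--- a/test/e2e/apply/secret.yaml
+++ b/test/e2e/apply/secret.yaml
@@ -23,5 +23,8 @@ data:
 SKIPPER_OPA_BUCKET_ARN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwGZdCVDLsCdProfzvZU7UAwAAAAlzCBlAYJKoZIhvcNAQcGoIGGMIGDAgEAMH4GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMehOf7Uu444SWS6kbAgEQgFFPMaa0flwHLpxrkYjJMK4jXc0q4kX+KGrB5GFjKuUgOUPmQ+ME/aQduxwl2+xUilrKP50/NLXgMNHjeeHuZfoyiSgpGFBM4z8L0N6ggf2uE5U="
 SKIPPER_OPA_OBSERVABILITY_URL: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwHl773AuNEvIpzaM6ycpDNSAAAAqzCBqAYJKoZIhvcNAQcGoIGaMIGXAgEAMIGRBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDGld6jpQ38gOzVcn0gIBEIBkTHbv3adeEfRntVTUQyyQkIhUnc0QXKtmtJEdvBoRzWiJIBKQUQuM1VBV0re3HkO8HSY59nkwyHEncBMkHJoI9rC2LJuWU20oCjPw9lbweih+6Sxo+nqkDrQd+mHp+uA9Om3KqA=="
 SKIPPER_OPA_BUNDLES_URL: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwFnhaIRP4+3Y69xp1ycTI7qAAAAsTCBrgYJKoZIhvcNAQcGoIGgMIGdAgEAMIGXBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDF9gAl70l2g2kwfnJgIBEIBqP/DgIhIu5x5XNR1Ubqinz6r4ttQoHty8nXd6mxie2r6NxHskNOqkiSactUKhNIhboNlNsO4p4rKEkhglTeFZlEQvgEYNioWPw39xqICnUDPVr+Kp0Yrs/bzPLPV9wOlB917UiT7WJNybPg=="
+EKS_SIEM_KEY: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwF5sFpqE6ok9WBcEvCMM3JjAAAEQDCCBDwGCSqGSIb3DQEHBqCCBC0wggQpAgEAMIIEIgYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAz8LolXDRH09jIjmM0CARCAggPz3MQkuDBrEHnPjL7uRfR8uE3OLittRqTa67pPa2z6c4CawFsSdfKrTNjJYsxpFtAzv5Dfr0Nf2He3N0ynIvIZekrXdq+2BgIwkgI+p2D+KMQunFafwKXsTYtyVOy8Qb/0kRJhOlM770/3lT8YgAGtfGTaGEtc6xxRc7bsyodw4IuzdKPuQ4n0ZqsGxQezUaFJB/DW4vqnvOKqZAFrdPr//w4Si1nHn4CStlwOqJRQT8WliG5neFg/VqcwUfV5/El98n8YlBMvrpnwmvW5BQ1TRmydGNyyEMrJr+HNIdutnk6x62GWISMVaye2CW4TAqQY9gW49/FGOMLK86YOxb4ACabmUAxINEKooeGjpqQMBuYjb71aGU1cETpUAcv6prSyTASjur7btoiV6JLdXIU+yBHjCDuJpuIQxwNvdmIgX1TAkT1YZ6GvHogdu/1lv2PGDuKOaO8IWC2k4D8fspWA0yTP/nlsas067czYrdnYsf7c+87wOY5Q/1Yk1qAV6kateiibb+7wwTYpdnHCBoIG6o+VLx/RcIX+yNzYvCZ0fd58G8SPaxWXkLwesjkDR8kKWUB4pPWMLpugZutrNfDjkbsqFMVdG40N/T1LYKzt5x2ROv96QUrHNQ34uqyL77eO1MPRiZ3wLZbX/2VZf6H7qbBG0+0S7timbEBANMMsP3RxIqoMJPTVowkMcZkCm2WWYXGeONyD0vM4a4LSl4pq9iKVseJtdTVXR3u/51XSCj98dho13OKIyEMGvxeEezP1c6VPpMPtxsV8oEeTG86CQVkWetyI4vrLc+5TTrlr/oJsI4B1Fzb6CKkHe5kc8O3KEKGM9EOqAjHECyOtb6GARv+kbIlBuVSV2Olk4ML1tNbQMBz3Sizj71wcvAwxHvaO2FPcVw0rovYg1Gev7m3fC/LFwbJS8rwUzujSL2xxgIII4BKAZE3Jsggi82dkeRY1v2evyR70mkVeFvEZGRgS5ESEw1BcRhmTGo/FCxuVAsw4GNaZssB7PeQlgenO/2eDLbxG/LYw5odrfQ0STSduxlNzNWemIV3mc3uxV5+KJvVxlIEIM/oV4IelWz/qgd2q3Q5/om+U6M9V5utIx38Pi1IxZZN8tHNXTs4QxJwo0v8jh5cnh2XCid9cAMSAubOODizFTODJbw+ziytOkaLqKLnQ/fih24DgcsdBQgNLwVXDDSa1Ps3ud8Pm5E2QQgQ90cB8PyTxkpWnb0AXZbUhOpzmfjVrLYQxCe6hAdLJ/sEgJrCA9YLUyD70/mvjLvfm3l1QvzXhUu7dU76oY+ApF10rTQVkCD3RPLU+D8w1Crl/VwgAS+M4H04Z1rTInJPBJY2u"
+EKS_SIEM_BUCKET: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwEEmm11rHVhNi6M+ubLnTuUAAAAhzCBhAYJKoZIhvcNAQcGoHcwdQIBADBwBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDIgZskpf9Z0A14HZkgIBEIBD+s3K+UEcI5UzSfzl+5aQUvdoIqUppIgHWCcp+fcog85crXefTXCj27WvnRliczy5oA0Eaf6OcuMI4vR6pjHjAtyDMg=="
+EKS_SIEM_ENDPOINT: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwEuis70Cw333IRrRwd9b/CqAAAAoTCBngYJKoZIhvcNAQcGoIGQMIGNAgEAMIGHBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDDC8FXyMPkjxBOmThgIBEIBaX9aeXpWUdi1DZHajXN+KwiHtiUF5xDTqhJQlVXnlg3gngYzScKosr2JCHpKjOr6t5cudOlPahAx5Ytj0pp/MV5VbV3TvFNblCwLeUvdFmJqGLMEUcA7ezrUf"
 WIZ_API_CLIENT_ID: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwFn2cC9VUx9oEGR3PjfaODfAAAAljCBkwYJKoZIhvcNAQcGoIGFMIGCAgEAMH0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMDj9oNRK5BHCJJuwZAgEQgFC4GWzbjJjUwvzyISqJg9ehVrLApd8RyOYOJH47IEGYsoXvxG1r1sqP36yk+y0rO/F5XPU+p7ShwMmWsEUx3zWuJg94v72u5qvkzmKHVq15oA=="
-WIZ_API_CLIENT_TOKEN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwERI9ukj+5n0nNTOn6OQwBWAAAAojCBnwYJKoZIhvcNAQcGoIGRMIGOAgEAMIGIBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDP0Ca5G5Ey/GhZKbqgIBEIBbZQ7luhl1uB5kBEyAX7LevLbqVguwnSXZXWLR/morkrnMnylHHE1sVSedW94WpIF5qxh0eE/fsVJWErYcwhPqd3UvaPG9LSeXyBwo2RNLkYYdrnY4DmvxIvoLjw=="
+WIZ_API_CLIENT_TOKEN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwERI9ukj+5n0nNTOn6OQwBWAAAAojCBnwYJKoZIhvcNAQcGoIGRMIGOAgEAMIGIBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDP0Ca5G5Ey/GhZKbqgIBEIBbZQ7luhl1uB5kBEyAX7LevLbqVguwnSXZXWLR/morkrnMnylHHE1sVSedW94WpIF5qxh0eE/fsVJWErYcwhPqd3UvaPG9LSeXyBwo2RNLkYYdrnY4DmvxIvoLjw=="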

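--- a/test/e2e/cluster_config.sh
+++ b/test/e2e/cluster_config.sh
@@ -51,6 +51,10 @@ clusters:
 skipper_open_policy_agent_observability_url: "${SKIPPER_OPA_OBSERVABILITY_URL}"
 skipper_open_policy_agent_bundles_url: "${SKIPPER_OPA_BUNDLES_URL}"
 eks_ip_family: "ipv6"
+eks_siem_logging: "true"
+eks_siem_key: "${EKS_SIEM_KEY}"
+eks_siem_endpoint: "${EKS_SIEM_ENDPOINT}"
+eks_siem_bucket: "${EKS_SIEM_BUCKET}"
 consolidation_policy: "WhenEmpty"
 consolidate_after: "5m"
 wiz_api_client_id: "${WIZ_API_CLIENT_ID}"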
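Review bot: The new lines pass `${EKS_SIEM_KEY}`, `${EKS_SIEM_ENDPOINT}` and `${EKS_SIEM_BUCKET}` through plain expansion, so a variable that is unset in the CI environment silently becomes "" and, with eks_siem_logging forced to "true", the e2e cluster is created with an empty Firehose access key, endpoint and backup bucket instead of failing early. If the heredoc is unquoted, as the existing `${SKIPPER_OPA_*}` lines suggest, `eks_siem_key: "${EKS_SIEM_KEY:?EKS_SIEM_KEY must be set}"` (and the same form for the other two) aborts the script with a clear message. The enclosing clusters list starts outside the hunk.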
