Add initial configuration for EKS Control Plane logging SIEM integration

Author: zaklawrencea

cluster/cluster.yaml

@@ -166,6 +166,85 @@ Resources:
     Properties:
       LogGroupName: "/aws/eks/{{.Cluster.Name}}/cluster"
       RetentionInDays: 545
+{{- if eq .Cluster.ConfigItems.eks_siem_logging "true" }}
+  EKSControlPlaneSubscriptionFilter:
+    Type: AWS::Logs::SubscriptionFilter
+    Properties:
+      LogGroupName: !Ref ControlPlaneLogGroup
+      RoleArn: !GetAtt EKSControlPlaneCWtoFirehoseRole.Arn
+      FilterName: "EKSCtrlPlaneLogs-{{.Cluster.Name}}"
+      FilterPattern: ""
+      DestinationArn: !GetAtt EKSControlPlaneLogsDataFirehose.Arn
+  EKSControlPlaneLogsDataFirehose:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamName: "EKSCtrlPlaneDeliveryStream-{{.Cluster.Name}}"
+      DeliveryStreamType: DirectPut
+      HttpEndpointDestinationConfiguration:
+        EndpointConfiguration:
+          AccessKey: "{{.Cluster.ConfigItems.eks_siem_key}}"
+          Url: "{{.Cluster.ConfigItems.eks_siem_endpoint}}"
+        RetryOptions:
+          DurationInSeconds: 300
+        S3Configuration:
+          BucketARN: "{{.Cluster.ConfigItems.eks_siem_bucket}}"
+          S3BackupMode: "FailedDataOnly"
+          RoleARN: !GetAtt EKSControlPlaneFirehoseS3Role.Arn
+  EKSControlPlaneFirehoseS3Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - firehose.amazonaws.com
+            Action:
+              - 'sts:AssumeRole'
+      Path: /
+      Policies:
+        - PolicyName: root
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 's3:PutObject'
+                  - 's3:GetObject'
+                  - 's3:ListBucketMultipartUploads'
+                  - 's3:AbortMultipartUpload'
+                  - 's3:ListBucket'
+                  - 's3:GetBucketLocation'
+                Resource:
+                  - "{{.Cluster.ConfigItems.eks_siem_bucket}}"
+      RoleName: "EKSCtrlPlaneFirehosetoS3-{{.Cluster.Name}}"
+  EKSControlPlaneCWtoFirehoseRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - "logs.amazonaws.com"
+            Action:
+              - "sts:AssumeRole"
+      Path: /
+      Policies:
+        - PolicyName: root
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "firehose:PutRecord"
+                  - "firehose:PutRecordBatch"
+                Resource:
+                  - "arn:aws:firehose:*:{{.Cluster.InfrastructureAccountID}}:deliverystream/EKSCtrlPlaneDeliveryStream-{{.Cluster.Name}}"
+      RoleName: "EKSCtrlPlaneCWtoFirehose-{{.Cluster.Name}}"
+{{- end }}
 {{- end }}
   EKSCluster:
     Type: AWS::EKS::Cluster

cluster/config-defaults.yaml

@@ -1315,6 +1315,11 @@ eks_zalando_iam_aws_proxy_hpa_memory_target: "80"
 eks_okta_identity_provider: "true"
 eks_fis_support_enabled: "false"
 
+eks_siem_logging: "false"
+eks_siem_key: ""
+eks_siem_endpoint: ""
+eks_siem_bucket: ""
+
 # prefix delegation can only be configured for ipv4. For ipv6 it can only be true.
 aws_vpc_cni_prefix_delegation: "false"
 # enable custom networking for the AWS VPC CNI. This assumes that a custom CIDR

test/e2e/apply/secret.yaml

@@ -23,5 +23,8 @@ data:
   SKIPPER_OPA_BUCKET_ARN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwGZdCVDLsCdProfzvZU7UAwAAAAlzCBlAYJKoZIhvcNAQcGoIGGMIGDAgEAMH4GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMehOf7Uu444SWS6kbAgEQgFFPMaa0flwHLpxrkYjJMK4jXc0q4kX+KGrB5GFjKuUgOUPmQ+ME/aQduxwl2+xUilrKP50/NLXgMNHjeeHuZfoyiSgpGFBM4z8L0N6ggf2uE5U="
   SKIPPER_OPA_OBSERVABILITY_URL: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwHl773AuNEvIpzaM6ycpDNSAAAAqzCBqAYJKoZIhvcNAQcGoIGaMIGXAgEAMIGRBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDGld6jpQ38gOzVcn0gIBEIBkTHbv3adeEfRntVTUQyyQkIhUnc0QXKtmtJEdvBoRzWiJIBKQUQuM1VBV0re3HkO8HSY59nkwyHEncBMkHJoI9rC2LJuWU20oCjPw9lbweih+6Sxo+nqkDrQd+mHp+uA9Om3KqA=="
   SKIPPER_OPA_BUNDLES_URL: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwFnhaIRP4+3Y69xp1ycTI7qAAAAsTCBrgYJKoZIhvcNAQcGoIGgMIGdAgEAMIGXBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDF9gAl70l2g2kwfnJgIBEIBqP/DgIhIu5x5XNR1Ubqinz6r4ttQoHty8nXd6mxie2r6NxHskNOqkiSactUKhNIhboNlNsO4p4rKEkhglTeFZlEQvgEYNioWPw39xqICnUDPVr+Kp0Yrs/bzPLPV9wOlB917UiT7WJNybPg=="
+  EKS_SIEM_KEY: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwFYci9dK1b1QazzPg4sibiOAAAEQDCCBDwGCSqGSIb3DQEHBqCCBC0wggQpAgEAMIIEIgYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzAnqmzsG8lwdycfqcCARCAggPzwGIgjWJiNYrj2E1h45tB3BpQz2tUGUtFRSctFavYu05+SrAcHm4w0rIxTaJDPNnnWQu3SU/QH1WlfeX52JwfsANqTBFFAQseeCJ6z7xfmSBHIS9AxS4ixxv7OCUaONR/2V3AYhCaAklo7ZpQO+ZdCYJHCQTkWd5TIe7RsWJyAK/hnHRY/L4wErdw2sKKP3/ha8SShITQFSmoJGuo+bLyaqstFYQeOH2bvwgokqAL/15yROVBrYGoCBZl4jr5bu3IPeEhfPyJs98GyzKjJoh6Ewj22zB1PSDaSuXNmR6n1Fu/fXkXLjbk/wXZ6d8eT5RkWTaC/P0WrxFr2FsBPy6lHFvrtFLyhyWIntVUhfCzNVcBU3PTdsGKDtOEkLIds5jY2sGjHPHhhZdWOHM/zrGz7pyFJnDdE1G9ZPIHCOpFy9pNWt/MRpDsL7WD/ViAOgPBK6/1agZBJHxpxyBNTa4yIcPgoTDQnVU2/5WrQceDzN+IOj3Os5kEu1bG8FEx4I2YfiXpnNDsgDzOf13Vlh5s/CduMxkv0VnkaeGsvTg83P0BEhq9d7lsHUpk4cFsIN6c+dJjVPA6G7ZwxqGJikXpD3AW/DszoAst3vDbKt1/HzvtBpz94jT8KG41fgaIDqgZ9jLBXeQHi5Hx/WoddSYNEgNin0lmL+56/vMPuvKlvCqhre821PQUMKZZsZdv4GUSQ1HjgtKn8hLknR/rRerFEyqVZJjjD/Gb7Eti/fDdAPXAB2KV1AwEE7QXrAnvHtvCgpJopM9NQC+hoHG1BiWPiKzZAA2C7TsrpG02usK/Vxijof7XoAH+5nSSS1NDjfp11i1EIS2IRLrNuFJJVqBSmRNmyM2ePqwltw4NEydZ4BaTZJQ3FNx7IQDCvhKiawv4wqefF97Z9ikZAue1d/ltkwdC1CxjO2VwP5+lBOBe1N8QqqlVhncK0sKUfze6mffDy4TUuwad2AMdPDScd0lr1abzHhVzVat9O4Pnhz+kTXXtUpl1WmO7eAWBJhMznONn0XRWn2F/rz7CsDOhXATwT6WAEHVSIS3pmumqqgE0/ikAASeg7MVz17EYEOeq6w6if1csf+vFeXzs3gsHr7EN7KL9Ui2/G0zSdd6D1xZOjcaKzo5hbWv0HVJoPkh3j1FMpqREGTPZe9o5vLRR7k+QISgn5E0rz4Uk6Z8vUdf9AliUItSUOmyH2l3sooWL1IqTjSEuIg93OspOMRJeVMVoXzEXxe9ls6LZe6RM7QJs2VAn6fsNZmK3EsADybOzYY3+SoSQWz61miCoIwasS4abSja40MSzJAV5ucqzbjCccU3PEsfp+MTshL/xV41xbN/uhX1w"
+  EKS_SIEM_BUCKET: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwGrZG5QNt3zWyTXcwhkiK6xAAAAiDCBhQYJKoZIhvcNAQcGoHgwdgIBADBxBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDG9jVZvGtAJKBYKIogIBEIBErzfEitn+gydG3UPerjqR39ifrLHHN7tx43BL2CMlVKcu+Y4U1BIpfkX6nmSjxkL9ZvmG+v6tlQWX1MhyJK/rjuBsKWo="
+  EKS_SIEM_ENDPOINT: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwHba0aXFCQJAw2apCXqcLB5AAAAojCBnwYJKoZIhvcNAQcGoIGRMIGOAgEAMIGIBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDNryLqX8VGCpVGvYOwIBEIBb1+BD5Kojfvw18eiJC5puZ1JuZ74c0PCLG0zwh7pJvSXTzToSbmBWzgE9nynT906kCIAGpTW3dhktigqP/PJE3lXraXnzE3AcwO4/3PkYLGZnV6waIF5aOFnJHw=="
   WIZ_API_CLIENT_ID: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwFn2cC9VUx9oEGR3PjfaODfAAAAljCBkwYJKoZIhvcNAQcGoIGFMIGCAgEAMH0GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMDj9oNRK5BHCJJuwZAgEQgFC4GWzbjJjUwvzyISqJg9ehVrLApd8RyOYOJH47IEGYsoXvxG1r1sqP36yk+y0rO/F5XPU+p7ShwMmWsEUx3zWuJg94v72u5qvkzmKHVq15oA=="
-  WIZ_API_CLIENT_TOKEN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwERI9ukj+5n0nNTOn6OQwBWAAAAojCBnwYJKoZIhvcNAQcGoIGRMIGOAgEAMIGIBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDP0Ca5G5Ey/GhZKbqgIBEIBbZQ7luhl1uB5kBEyAX7LevLbqVguwnSXZXWLR/morkrnMnylHHE1sVSedW94WpIF5qxh0eE/fsVJWErYcwhPqd3UvaPG9LSeXyBwo2RNLkYYdrnY4DmvxIvoLjw=="
+  WIZ_API_CLIENT_TOKEN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwERI9ukj+5n0nNTOn6OQwBWAAAAojCBnwYJKoZIhvcNAQcGoIGRMIGOAgEAMIGIBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDP0Ca5G5Ey/GhZKbqgIBEIBbZQ7luhl1uB5kBEyAX7LevLbqVguwnSXZXWLR/morkrnMnylHHE1sVSedW94WpIF5qxh0eE/fsVJWErYcwhPqd3UvaPG9LSeXyBwo2RNLkYYdrnY4DmvxIvoLjw=="

test/e2e/cluster_config.sh

@@ -51,6 +51,10 @@ clusters:
     skipper_open_policy_agent_observability_url: "${SKIPPER_OPA_OBSERVABILITY_URL}"
     skipper_open_policy_agent_bundles_url: "${SKIPPER_OPA_BUNDLES_URL}"
     eks_ip_family: "ipv6"
+    eks_siem_logging: "true"
+    eks_siem_key: "${EKS_SIEM_KEY}"
+    eks_siem_endpoint: "${EKS_SIEM_ENDPOINT}"
+    eks_siem_bucket: "${EKS_SIEM_BUCKET}"
     consolidation_policy: "WhenEmpty"
     consolidate_after: "5m"
     wiz_api_client_id: "${WIZ_API_CLIENT_ID}"