AWS EKS Control Plane Logging Disabled
Detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging. Disabling EKS API server and control plane logs can reduce visibility into cluster activity and may indicate defense evasion following compromised AWS credentials or unauthorized administrative access. EKS control plane logging changes are typically rare and should align with approved maintenance or cost optimization workflows.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2026/05/07"
integration = ["aws"]
maturity = "production"
updated_date = "2026/05/07"

[rule]
author = ["Elastic"]
description = """
Detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging. Disabling EKS API server
and control plane logs can reduce visibility into cluster activity and may indicate defense evasion following
compromised AWS credentials or unauthorized administrative access. EKS control plane logging changes are typically rare
and should align with approved maintenance or cost optimization workflows.
"""
false_positives = [
    """
    Legitimate changes to EKS logging configuration during cluster provisioning, troubleshooting, or cost optimization
    may match. Validate the caller identity and change records, and baseline expected automation roles.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EKS Control Plane Logging Disabled"
note = """## Triage and analysis

### Investigating AWS EKS Control Plane Logging Disabled

Review the caller (user.name, aws.cloudtrail.user_identity.arn, type), source.ip, user_agent.original, cloud.account.id, and cloud.region. Confirm which log types were disabled and whether the change aligns with a planned change window.

### Possible investigation steps

- Inspect aws.cloudtrail.request_parameters and response elements for cluster name and logging settings.
- Correlate with adjacent EKS and IAM activity from the same principal (access entry changes, iam policy attachments, sts assume events) and with any Kubernetes audit telemetry available.
- Check whether control plane logs stopped ingesting shortly after the change and scope potential visibility gaps.

### Response and remediation

- If unauthorized, re-enable EKS control plane logging and restrict IAM permissions that allow eks:UpdateClusterConfig.
- Rotate or revoke compromised credentials and review for additional EKS or IAM persistence changes.
"""
references = [
    "https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html",
    "https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateClusterConfig.html",
]
risk_score = 47
rule_id = "0f189343-dac7-4c1b-aca7-be8baa6bd02b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Kubernetes",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"UpdateClusterConfig" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:*logging*enabled=false*
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
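The rule's KQL matches on a wildcard over the serialized request parameters. As an added example (not part of the Elastic rule), the Python below applies the same conditions (EKS source, UpdateClusterConfig, successful outcome, a clusterLogging entry with enabled=false) to constructed CloudTrail records in their native JSON shape and reports which log types each matching call disabled, which is the first question the triage guide asks. The records, ARNs and addresses are constructed, not real telemetry.

```python
# Added example, not part of the Elastic rule: applies the rule's detection
# logic to constructed CloudTrail records and lists which EKS control plane
# log types each matching UpdateClusterConfig call disabled.
from typing import Dict, List, Optional

def _event(arn: str, log_setup: list, error: Optional[str] = None) -> Dict:
    """Build a constructed CloudTrail record (not real telemetry)."""
    rec = {
        "eventSource": "eks.amazonaws.com",
        "eventName": "UpdateClusterConfig",
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"name": "example-cluster",
                              "logging": {"clusterLogging": log_setup}},
    }
    if error:  # CloudTrail records a failed call with errorCode
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS: List[Dict] = [
    _event("arn:aws:iam::111122223333:user/alice",
           [{"types": ["api", "scheduler"], "enabled": True},
            {"types": ["audit", "authenticator"], "enabled": False}]),
    _event("arn:aws:iam::111122223333:user/bob",
           [{"types": ["api"], "enabled": True}]),
    _event("arn:aws:iam::111122223333:user/alice",
           [{"types": ["audit"], "enabled": False}], error="AccessDeniedException"),
]

def disabled_log_types(event: Dict) -> Optional[Dict]:
    """Return triage fields if a successful UpdateClusterConfig disabled at
    least one control plane log type; otherwise None."""
    if event.get("eventSource") != "eks.amazonaws.com":
        return None
    if event.get("eventName") != "UpdateClusterConfig" or event.get("errorCode"):
        return None  # wrong API call, or the call failed (event.outcome != success)
    params = event.get("requestParameters") or {}
    disabled = [t for setup in (params.get("logging") or {}).get("clusterLogging", [])
                if setup.get("enabled") is False for t in setup.get("types", [])]
    if not disabled:
        return None
    return {"cluster": params.get("name"), "disabled_types": sorted(disabled),
            "actor": event["userIdentity"]["arn"], "source_ip": event.get("sourceIPAddress")}

def scan(events: List[Dict]) -> List[Dict]:
    """Run the check over a batch of records and keep only the matches."""
    return [hit for hit in map(disabled_log_types, events) if hit]
```

Calling `scan(SAMPLE_EVENTS)` returns one hit: the first record, with audit and authenticator logs disabled; the enable-only and the AccessDenied records are filtered out just as the rule's event.outcome and enabled=false conditions would filter them.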
Related rules
- AWS EKS Access Entry Granted Cluster Admin Policy
- AWS EKS Access Entry Modified
- AWS Discovery API Calls from VPN ASN for the First Time by Identity
- AWS EC2 Stop, Start, and User Data Modification Correlation
- AWS KMS Key Policy Updated via PutKeyPolicy