Amazon EKS Container Insights Telemetry

Cloud & SaaS, Execution Evidence, AWS, Amazon EKS, Kubernetes, Cloud Control Plane, SIEM / Log Aggregator

Location

CloudWatch Container Insights log groups /aws/containerinsights/<cluster>/performance and application logs

Description

Container Insights telemetry for EKS clusters, including pod inventory, node metrics, container stdout/stderr collection, and cluster performance data routed through CloudWatch.

Forensic Value

Container Insights complements audit and authenticator logs by showing what workloads actually ran after they were scheduled. It exposes suspicious images, noisy or short-lived pods, restart storms caused by attacker activity, and runtime log output that can contain exploitation traces, tooling errors, or exfiltration indicators.

Tools Required

AWS Console, AWS CLI, CloudWatch Logs Insights, kubectl

Collection Commands

AWS CLI

aws logs describe-log-groups --log-group-name-prefix "/aws/containerinsights/<cluster-name>" > eks_container_insights_log_groups.json

AWS CLI

aws logs filter-log-events --log-group-name "/aws/containerinsights/<cluster-name>/performance" --start-time 1709251200000 --end-time 1709856000000 > eks_container_insights_performance.json

kubectl

kubectl get pods --all-namespaces -o wide > eks_pod_inventory.txt
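Once the performance log group has been exported with the `filter-log-events` command above, the file is a CloudWatch envelope whose `events[].message` strings each hold one Container Insights record. The script below is an added example, not part of the original page or of AWS tooling: it parses that export, keeps the pod-level records, and surfaces the two patterns named under Forensic Value (restart storms and short-lived pods). The field names `Type`, `Namespace`, `PodName` and `pod_number_of_container_restarts` follow the Container Insights performance schema and should be checked against your own export; the cluster, pod names and timestamps in the embedded sample are constructed.

```python
"""Triage an exported Container Insights performance log for restart storms and short-lived pods."""
import json


def _record(ts_ms, kind, namespace, pod, restarts):
    """Build one CloudWatch event wrapping a Container Insights record (constructed data)."""
    return {"timestamp": ts_ms, "message": json.dumps({
        "Type": kind, "ClusterName": "example-cluster", "Namespace": namespace,
        "PodName": pod, "pod_number_of_container_restarts": restarts})}


# Constructed sample in the shape written by
#   aws logs filter-log-events ... > eks_container_insights_performance.json
# Samples are one hour apart; real Container Insights records arrive roughly every minute.
SAMPLE_EXPORT = {"events": [
    _record(1709251200000, "Pod", "kube-system", "coredns-7d9c", 0),
    _record(1709254800000, "Pod", "kube-system", "coredns-7d9c", 0),
    _record(1709258400000, "Pod", "kube-system", "coredns-7d9c", 0),
    _record(1709251200000, "Pod", "default", "worker-xyz", 0),
    _record(1709254800000, "Pod", "default", "worker-xyz", 7),
    _record(1709258400000, "Pod", "default", "worker-xyz", 12),
    _record(1709255000000, "Pod", "default", "debug-shell", 0),
    # A node-level record and a free-text line (as found in application log groups) are skipped.
    {"timestamp": 1709251200000, "message": json.dumps({"Type": "Node", "NodeName": "ip-10-0-0-1"})},
    {"timestamp": 1709251200000, "message": "not json: plain text application log line"},
]}


def load_export(path):
    """Read the JSON file produced by `aws logs filter-log-events`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def load_pod_records(export):
    """Parse each event's message and keep only Pod-type performance records."""
    records = []
    for event in export.get("events", []):
        try:
            body = json.loads(event["message"])
        except (KeyError, ValueError):
            continue  # free-text messages are not performance records
        if isinstance(body, dict) and body.get("Type") == "Pod":
            body["_event_ms"] = event["timestamp"]  # CloudWatch event time, epoch ms
            records.append(body)
    return records


def summarize_pods(records):
    """Per namespace/pod: first and last sighting, sample count and peak restart counter."""
    summary = {}
    for rec in records:
        key = f"{rec.get('Namespace')}/{rec.get('PodName')}"
        ts = rec["_event_ms"]
        restarts = int(rec.get("pod_number_of_container_restarts", 0))
        s = summary.setdefault(key, {"first_ms": ts, "last_ms": ts, "samples": 0, "max_restarts": 0})
        s["first_ms"] = min(s["first_ms"], ts)
        s["last_ms"] = max(s["last_ms"], ts)
        s["samples"] += 1
        s["max_restarts"] = max(s["max_restarts"], restarts)
    return summary


def flag_pods(summary, restart_threshold=5, short_lived_ms=10 * 60 * 1000):
    """Return sorted (pod, reason) pairs for restart storms and pods seen only briefly."""
    findings = []
    for key, s in summary.items():
        if s["max_restarts"] >= restart_threshold:
            findings.append((key, f"restart storm: {s['max_restarts']} container restarts"))
        lifetime = s["last_ms"] - s["first_ms"]
        if lifetime < short_lived_ms:
            findings.append((key, f"short-lived: seen in {s['samples']} sample(s) over {lifetime // 1000}s"))
    return sorted(findings)


if __name__ == "__main__":
    # Swap SAMPLE_EXPORT for load_export("eks_container_insights_performance.json") on real data.
    for pod, reason in flag_pods(summarize_pods(load_pod_records(SAMPLE_EXPORT))):
        print(f"{pod}: {reason}")
```

Pods flagged as short-lived at the very start or end of the exported window may simply have been cut off by `--start-time`/`--end-time`; widen the window before drawing conclusions, and cross-check flagged pods against the `kubectl get pods` inventory and the audit log for the create events.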

Collection Constraints

  • Container Insights data exists only if the agent was deployed before the incident window and the log groups' retention still covers that window.
  • Runtime telemetry can be high-volume and short-lived, especially for ephemeral or auto-scaled workloads.

MITRE ATT&CK Techniques

T1610 (Deploy Container), T1611 (Escape to Host), T1525 (Implant Internal Image), T1059 (Command and Scripting Interpreter)