Amazon EKS Control Plane Logs
Location
CloudWatch Logs group /aws/eks/<cluster-name>/cluster. The api, controllerManager, and scheduler log types are written to log streams named kube-apiserver-<id>, kube-controller-manager-<id>, and kube-scheduler-<id> inside that group (the audit and authenticator types, which are separate, use kube-apiserver-audit-<id> and authenticator-<id>).
Description
Amazon EKS control-plane logs forwarded to CloudWatch Logs once the corresponding log types are enabled on the cluster. Includes API server, controller manager, and scheduler logs that show cluster administration, controller activity, scheduling decisions, and service interactions.
Forensic Value
EKS control-plane logs reveal cluster-level abuse that host forensics alone cannot show. They identify cluster configuration changes, suspicious API usage, service-account behavior, workload scheduling on unexpected nodes, and the effect of attempts to disable or modify logging (a stream that stops mid-window; the UpdateClusterConfig call that changed the logging settings is itself recorded in CloudTrail, not here). They are also critical for establishing whether malicious workloads were introduced through cluster administration rather than through direct node compromise.
Tools Required
AWS CLI with eks:DescribeCluster and logs:FilterLogEvents permissions on the cluster's account and region; CloudWatch Logs Insights (logs:StartQuery, logs:GetQueryResults) for interactive triage.
Collection Commands
AWS CLI
aws eks describe-cluster --name <cluster-name> --query "cluster.logging" > eks_logging_config.json
AWS CLI
aws logs filter-log-events --log-group-name "/aws/eks/<cluster-name>/cluster" --start-time 1709251200000 --end-time 1709856000000 > eks_control_plane_logs.json
CloudWatch Logs Insights
fields @timestamp, @logStream, @message | filter @logStream like /kube-apiserver-|kube-controller-manager-|kube-scheduler-/ | sort @timestamp desc | limit 200
Collection Constraints
- Historical control-plane visibility exists only if the relevant EKS log types were enabled before the incident; CloudWatch does not backfill. Check the logging block from describe-cluster first, and remember that the api, audit, authenticator, controllerManager, and scheduler types are switched on independently.
- The audit and authenticator log types are not part of this artifact and land in separate streams (kube-apiserver-audit-<id>, authenticator-<id>); the per-request who-did-what record is in the audit stream, not in the kube-apiserver stream collected here.
- Large clusters can generate substantial CloudWatch data volumes, so fix the exact cluster, region, and time window early. The --start-time and --end-time values for filter-log-events are epoch milliseconds (UTC), and --log-stream-name-prefix can restrict a pull to a single component.
- A change to the logging configuration is an EKS API call (UpdateClusterConfig) recorded in CloudTrail, not in these streams; a stream that simply stops is the only trace the control-plane logs themselves carry.
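The following script is an added example, not code from the page or from AWS. It consumes the two JSON documents the collection commands above produce (the cluster.logging block from describe-cluster and the events list from filter-log-events), reports which required log types have no history, buckets collected events by component using the real stream-name prefixes, and flags any log type that is disabled now but still has events in the window, which is the signature of logging having been switched off. Both sample documents are constructed for the example; the stream ids and messages are placeholders.

```python
"""Added example: assess EKS control-plane log coverage and bucket collected
CloudWatch events by component. Not from the page or from AWS; sample inputs
below are constructed and use placeholder stream ids."""
import json
from collections import Counter

# Log-type names as returned in the cluster.logging block of describe-cluster.
EKS_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")

# CloudWatch log-stream name prefix -> EKS log type. Order matters: the audit
# prefix is a longer match of the api prefix and must be tested first.
STREAM_PREFIXES = (
    ("kube-apiserver-audit-", "audit"),
    ("kube-apiserver-", "api"),
    ("authenticator-", "authenticator"),
    ("kube-controller-manager-", "controllerManager"),
    ("kube-scheduler-", "scheduler"),
)

# Constructed sample of `aws eks describe-cluster --query "cluster.logging"`:
# api/audit/authenticator are on, controllerManager/scheduler are off.
LOGGING_CONFIG = {
    "clusterLogging": [
        {"types": ["api", "audit", "authenticator"], "enabled": True},
        {"types": ["controllerManager", "scheduler"], "enabled": False},
    ]
}

# Constructed sample of `aws logs filter-log-events` output (fields trimmed).
# Note the controller-manager event: its type is disabled in LOGGING_CONFIG.
FILTER_OUTPUT = {
    "events": [
        {"logStreamName": "kube-apiserver-audit-0123456789abcdef", "timestamp": 1709251200000, "message": "audit event (placeholder)"},
        {"logStreamName": "kube-apiserver-0123456789abcdef", "timestamp": 1709251201000, "message": "apiserver line 2 (placeholder)"},
        {"logStreamName": "kube-apiserver-0123456789abcdef", "timestamp": 1709251199000, "message": "apiserver line 1 (placeholder)"},
        {"logStreamName": "authenticator-0123456789abcdef", "timestamp": 1709251202000, "message": "authenticator line (placeholder)"},
        {"logStreamName": "kube-controller-manager-0123456789abcdef", "timestamp": 1709251203000, "message": "controller-manager line (placeholder)"},
        {"logStreamName": "cloud-controller-manager-0123456789abcdef", "timestamp": 1709251204000, "message": "cloud-controller-manager line (placeholder)"},
    ]
}


def enabled_log_types(logging_config):
    """Set of log types currently enabled on the cluster."""
    enabled = set()
    for entry in logging_config.get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def coverage_gaps(logging_config, required=("api", "controllerManager", "scheduler")):
    """Required log types that are not enabled: CloudWatch holds no history for these."""
    return sorted(set(required) - enabled_log_types(logging_config))


def classify_stream(stream_name):
    """Map a CloudWatch log-stream name to its EKS log type, or 'unknown'."""
    for prefix, log_type in STREAM_PREFIXES:
        if stream_name.startswith(prefix):
            return log_type
    return "unknown"


def bucket_events(filter_output):
    """Count collected events per log type so collection gaps are visible at a glance."""
    counts = Counter(classify_stream(ev.get("logStreamName", ""))
                     for ev in filter_output.get("events", []))
    return dict(counts)


def events_for(filter_output, log_type):
    """(timestamp, message) pairs for one component, oldest first."""
    return sorted(
        (ev["timestamp"], ev["message"])
        for ev in filter_output.get("events", [])
        if classify_stream(ev.get("logStreamName", "")) == log_type
    )


def disabled_with_history(logging_config, filter_output):
    """Log types that are off now but have events in the window: logging was changed
    during or before the window. Confirm the UpdateClusterConfig call in CloudTrail."""
    enabled = enabled_log_types(logging_config)
    seen = set(bucket_events(filter_output)) & set(EKS_LOG_TYPES)
    return sorted(seen - enabled)


def report(logging_config, filter_output):
    """Combine the checks into one dict for the case notes."""
    return {
        "enabled": sorted(enabled_log_types(logging_config)),
        "gaps": coverage_gaps(logging_config),
        "events_by_type": bucket_events(filter_output),
        "disabled_with_history": disabled_with_history(logging_config, filter_output),
    }


if __name__ == "__main__":
    print(json.dumps(report(LOGGING_CONFIG, FILTER_OUTPUT), indent=2))
```

On real data, load the two files with json.load and pass them in place of the constructed dicts; anything classified as unknown (here the cloud-controller-manager stream) is worth a look before it is discarded, and a non-empty disabled_with_history list is the cue to pull CloudTrail for the matching UpdateClusterConfig event.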
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.