Kubernetes API Server Audit Log

Cloud & SaaS, Cloud Infrastructure, Kubernetes, Amazon EKS, Google Kubernetes Engine, Azure Kubernetes Service, Cloud Control Plane, SIEM / Log Aggregator

Location

Kubernetes API server audit log (--audit-log-path) or managed-cluster equivalent (AKS diagnostic settings, EKS control-plane logging, GKE Cloud Logging)

Description

Records every request made to the Kubernetes API server including the subject (user or service account), verb (get/create/update/delete), resource, namespace, source IP, user agent, and authorization decision. The primary control-plane evidence source for any K8s incident.

Forensic Value

The K8s API audit log reconstructs the attacker's control-plane activity: what objects were created or modified, which service accounts were used, what images were deployed, which secrets were accessed. On managed clusters, enabling and forwarding control-plane logs is a prerequisite to meaningful investigation.
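As an added illustration of that reconstruction (not part of the original card), the script below groups native apiserver audit events (audit.k8s.io/v1 JSON lines, the --audit-log-path format) by subject and pulls out secret reads, pod exec/attach, workload creation, source IPs, user agents and denied requests. The sample events are constructed; managed providers wrap or transform events (GKE exposes them as protoPayload, EKS embeds the JSON in CloudWatch messages), so the loader is an assumption that must be adapted for those exports.

```python
import json

# Constructed sample of apiserver audit events (audit.k8s.io/v1, one JSON object
# per line, trimmed to the fields used below). Not data from any real cluster.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:web:frontend"},"sourceIPs":["10.0.1.15"],"userAgent":"curl/8.1.0","objectRef":{"resource":"secrets","namespace":"web","name":"db-creds"},"requestReceivedTimestamp":"2024-03-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:web:frontend"},"sourceIPs":["10.0.1.15"],"userAgent":"curl/8.1.0","objectRef":{"resource":"secrets","namespace":"web","name":"db-creds"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"},"requestReceivedTimestamp":"2024-03-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"sourceIPs":["10.0.1.15"],"userAgent":"curl/8.1.0","objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403},"annotations":{"authorization.k8s.io/decision":"forbid"},"requestReceivedTimestamp":"2024-03-01T10:00:05Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:web:frontend"},"sourceIPs":["10.0.1.15"],"userAgent":"curl/8.1.0","objectRef":{"resource":"pods","subresource":"exec","namespace":"web","name":"frontend-7d9f"},"responseStatus":{"code":101},"annotations":{"authorization.k8s.io/decision":"allow"},"requestReceivedTimestamp":"2024-03-01T10:00:09Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"deployments","namespace":"web","name":"frontend"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"},"requestReceivedTimestamp":"2024-03-01T10:01:00Z"}
'''

WORKLOADS = {"pods", "deployments", "daemonsets", "jobs", "cronjobs", "replicasets"}

def triage_audit_log(text):
    """Group apiserver audit events by subject and pull out what an investigator
    reconstructs first: secret reads, exec/attach, workload creation, denials."""
    by_user = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # A request is logged at several stages; keep only the final one so each
        # request is counted once rather than per stage.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = (ev.get("user") or {}).get("username", "<unknown>")
        ref = ev.get("objectRef") or {}
        rec = by_user.setdefault(user, {"total": 0, "denied": 0, "source_ips": set(),
                                        "user_agents": set(), "secret_reads": [],
                                        "exec_or_attach": [], "workload_creates": []})
        rec["total"] += 1
        rec["source_ips"].update(ev.get("sourceIPs") or [])
        if ev.get("userAgent"):
            rec["user_agents"].add(ev["userAgent"])
        # The authorization annotation is authoritative; the HTTP code is a fallback.
        decision = (ev.get("annotations") or {}).get("authorization.k8s.io/decision")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if decision == "forbid" or code in (401, 403):
            rec["denied"] += 1
            continue
        target = f'{ref.get("namespace", "-")}/{ref.get("name", "*")}'
        if ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list", "watch"):
            rec["secret_reads"].append(target)
        elif ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            rec["exec_or_attach"].append(target)
        elif ev.get("verb") == "create" and ref.get("resource") in WORKLOADS:
            rec["workload_creates"].append(f'{ref["resource"]} {target}')
    return by_user
```

Denied requests are kept as a per-subject count because a burst of 403s from one service account is often the first sign of enumeration or privilege probing, even when nothing succeeded.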

Tools Required

kubectl, cloud provider logging (CloudWatch, Cloud Logging, Azure Monitor), SIEM

Collection Commands

AWS CLI (EKS)

aws logs filter-log-events --log-group-name /aws/eks/<cluster>/cluster --start-time $(date -d "-7 days" +%s)000 > eks_control_plane.json

gcloud (GKE)

gcloud logging read 'resource.type="k8s_cluster" AND protoPayload.methodName!=""' --freshness=7d --format=json > gke_audit.json

Azure CLI (AKS)

az monitor diagnostic-settings list --resource <aks-resource-id> (confirms whether the kube-audit category is being exported and to which workspace); then query the Log Analytics workspace with: AzureDiagnostics | where Category == "kube-audit"

Collection Constraints

  • Managed-cluster audit logging is often disabled by default; historical coverage may be limited or absent
  • Audit policy controls which events are logged; a policy tuned for low volume may have dropped the events of interest

MITRE ATT&CK Techniques

T1609, T1613, T1552.007