This Terraform module sets up an automated auditing bot for Amazon EKS (Elastic Kubernetes Service) clusters. The bot monitors CloudWatch Logs for EKS Audit Logs, detects manual actions performed with the kubectl CLI, and sends alerts to SNS subscribed operators.
terraform {
source = "git::https://github.com/seifrajhi/eks-auditing-bot-module.git"
}
inputs = {
eks_bot_name = "eks_audit_logs_bot"
timeout = 60
memory_limit = 256
aws_cloudwatch_log_group = "/aws/eks/cluster-name/cluster"
account_id = "XXXXXXXXXX"
account_name = "account-name"
sns_topic_arn = "arn:aws:sns:eu-west-1:XXXXXXXXXX:alerts"
filter_pattern = "{ ($.verb != \"get\" && $.verb != \"list\" && $.verb != \"watch\") && ($.user.username = \"sre/*\" || $.user.username = \"ssouser/*\" || $.user.username = \"kubernetes-admin\" ) && ((($.objectRef.namespace = \"kube-system\" || $.objectRef.namespace = \"consul\" || $.objectRef.namespace = \"vault\" || $.objectRef.namespace = \"consul\" || $.objectRef.namespace = \"istio-ingress\" || $.objectRef.namespace = \"ingress-system\" || $.objectRef.namespace = \"istio-system\" ) && ($.objectRef.resource = \"roles\" || $.objectRef.resource = \"secrets\" || $.objectRef.resource = \"serviceaccounts\" || $.objectRef.resource = \"role\" || $.objectRef.resource = \"rolebindings\")) || ($.objectRef.resource = \"clusterroles\" || $.objectRef.resource = \"clusterrolebindings\") ) }"
}eks_bot_name: The name for the EKS auditing bot.timeout: Execution timeout for the auditing bot (in seconds).memory_limit: Memory limit for the auditing bot (in MB).aws_cloudwatch_log_group: CloudWatch Log Group for EKS Audit Logs.account_id: AWS account ID.account_name: AWS account name.sns_topic_arn: ARN of the SNS topic for sending alerts.filter_pattern: CloudWatch Logs filter pattern for detecting manual actions.
If you encounter any issues or have suggestions for improvements, please feel free to open an issue or submit a pull request.
This project is licensed under the MIT License - see the LICENSE file for details.
| Name | Version |
|---|---|
| terraform | >= 0.15.4 |
| archive | 2.3.0 |
| aws | 4.52.0 |
| Name | Version |
|---|---|
| archive | 2.3.0 |
| aws | 4.52.0 |
| null | n/a |
| random | n/a |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.lambda-log-group | resource |
| aws_cloudwatch_log_subscription_filter.logging | resource |
| aws_iam_policy.eks_audit_logs_bot | resource |
| aws_iam_role.eks_audit_logs_bot | resource |
| aws_iam_role_policy_attachment.eks_audit_logs_bot | resource |
| aws_lambda_function.lambda-audit-logs | resource |
| aws_lambda_permission.allow_cloudwatch | resource |
| null_resource.install_dependencies | resource |
| random_uuid.lambda_src_hash | resource |
| archive_file.lambda_source | data source |
| aws_caller_identity.current | data source |
| aws_iam_account_alias.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_id | AWS account ID | string |
"" |
no |
| account_name | AWS account name | string |
"" |
no |
| aws_cloudwatch_log_group | cloudwatch audit logs groups of EKS cluster | string |
"" |
no |
| eks_bot_name | n/a | string |
"eks_audit_bot" |
no |
| filter_pattern | cloudwatch logs filter pattern | string |
"" |
no |
| lambda_root | The relative path to the source of the lambda | string |
"./function" |
no |
| memory_limit | memory limit of the lambda | number |
256 |
no |
| sns_topic_arn | SNS topic | string |
"" |
no |
| timeout | Timeout of the lambda | number |
60 |
no |
No outputs.