LoFP / Legitimate changes to EKS logging configuration during cluster provisioning, troubleshooting, or cost optimization may match. Validate the caller identity and change records, and baseline expected automation roles.

Techniques

Sample rules

AWS EKS Control Plane Logging Disabled

Description

Detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging. Disabling EKS API server and control plane logs can reduce visibility into cluster activity and may indicate defense evasion following compromised AWS credentials or unauthorized administrative access. EKS control plane logging changes are typically rare and should align with approved maintenance or cost optimization workflows.

Detection logic

data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"UpdateClusterConfig" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:*logging*enabled=false*
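To show how the rule's exact terms and wildcard behave, and how the LoFP guidance above (baselining expected automation roles) separates expected matches from ones that need caller and change-record review, here is an added Python example; it is not part of the LoFP page or of the rule itself. The CloudTrail records, account id, cluster name and role names are constructed sample values, and Python's fnmatch stands in for the KQL wildcard.

```python
import fnmatch

def ct(eid, arn, params, action="UpdateClusterConfig", outcome="success"):
    """Build a constructed CloudTrail record flattened to the ECS field names the rule queries."""
    return {"event.id": eid, "data_stream.dataset": "aws.cloudtrail",
            "event.provider": "eks.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.request_parameters": params}

# Serialized requestParameters as CloudTrail renders them (constructed sample values).
OFF = "{name=prod-eks, logging={clusterLogging=[{types=[api, audit, authenticator], enabled=false}]}}"
ON = OFF.replace("enabled=false", "enabled=true")
HUMAN = "arn:aws:iam::123456789012:user/alice"
AUTOMATION = "arn:aws:sts::123456789012:assumed-role/eks-provisioning-role/terraform"

EVENTS = [
    ct("e1", HUMAN, OFF),                         # logging disabled by an interactive user
    ct("e2", AUTOMATION, OFF),                    # disabled by the baselined provisioning role
    ct("e3", HUMAN, ON),                          # logging re-enabled: wildcard does not match
    ct("e4", HUMAN, OFF, outcome="failure"),      # denied attempt: rule requires success
    ct("e5", HUMAN, "{name=prod-eks}", action="DescribeCluster"),  # unrelated EKS call
]

# The rule's AND-ed exact terms plus its single wildcard clause.
RULE_TERMS = {"data_stream.dataset": "aws.cloudtrail", "event.provider": "eks.amazonaws.com",
              "event.action": "UpdateClusterConfig", "event.outcome": "success"}
RULE_WILDCARD = ("aws.cloudtrail.request_parameters", "*logging*enabled=false*")

def matches_rule(event):
    """Mirror the KQL: every exact term must match, then the wildcard on the request string."""
    if any(event.get(k) != v for k, v in RULE_TERMS.items()):
        return False
    field, pattern = RULE_WILDCARD
    return fnmatch.fnmatchcase(event.get(field, ""), pattern)

def role_name(arn):
    """Role name from an STS assumed-role ARN; None for IAM users and other principal types."""
    parts = arn.split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else None

def triage(event, expected_roles):
    """Apply the LoFP guidance: a match from a baselined automation role is expected,
    any other match still needs review of the caller identity and change records."""
    if not matches_rule(event):
        return "no_match"
    if role_name(event["aws.cloudtrail.user_identity.arn"]) in expected_roles:
        return "expected_automation"
    return "review"

EXPECTED_ROLES = {"eks-provisioning-role"}  # baseline agreed with the platform team (assumed)

if __name__ == "__main__":
    for e in EVENTS:
        print(e["event.id"], triage(e, EXPECTED_ROLES))
```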