AWS EKS Control Plane Logging Disabled

Last updated 13 days ago on 2026-05-07

Created 13 days ago on 2026-05-07

About

Detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging. Disabling EKS API server and control plane logs can reduce visibility into cluster activity and may indicate defense evasion following compromised AWS credentials or unauthorized administrative access. EKS control plane logging changes are typically rare and should align with approved maintenance or cost optimization workflows.

Tags

Domain: CloudDomain: KubernetesData Source: AWSData Source: Amazon Web ServicesData Source: AWS CloudTrailUse Case: Threat DetectionTactic: Defense EvasionLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Impair Defenses (T1562)(external, opens in a new tab or window)

False Positive Examples

Legitimate changes to EKS logging configuration during cluster provisioning, troubleshooting, or cost optimization may match. Validate the caller identity and change records, and baseline expected automation roles.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-aws.cloudtrail-*
Related Integrations: aws(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset:"aws.cloudtrail" and
event.provider:"eks.amazonaws.com" and
event.action:"UpdateClusterConfig" and
event.outcome:"success" and
aws.cloudtrail.request_parameters:*logging*enabled=false*

Install detection rules in Elastic Security

Detect AWS EKS Control Plane Logging Disabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).