{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"logs:List*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"cloudwatch:Describe*"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*"
}
]
}
Edit arn:aws:iam::12345678910:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/1847B92748AB2A2XYZ
and oidc.eks.eu-west-1.amazonaws.com/id/1847B92748AB2A2XYZ:sub
In this example the role is called ekscloudwatch-eks-cw-role, for the service account in the falco namespace.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::12345678910:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/1847B92748AB2A2XYZ"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.eu-west-1.amazonaws.com/id/1847B92748AB2A2XYZ:sub": "system:serviceaccount:falco:ekscloudwatch"
}
}
}
]
}
Edit role-arn, cluster_name and region.
Edit namespace if you are using a different namespace than falco.
Edit endpoint: "http://falco-k8saudit-webhook:9765/k8s-audit" if you installed Falco under a name other than falco.
# ServiceAccount used by the eks-cloudwatch Deployment below. The
# eks.amazonaws.com/role-arn annotation is the IRSA binding: it names the
# IAM role whose trust policy (above) allows
# system:serviceaccount:falco:ekscloudwatch to assume it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ekscloudwatch
  namespace: falco
  annotations:
    # Account id and role name must match the role created from the trust policy.
    eks.amazonaws.com/role-arn: "arn:aws:iam::12345678910:role/ekscloudwatch-eks-cw-role"
---
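# Runtime settings for the eks-cloudwatch forwarder; every key is read by the
# Deployment below through configMapKeyRef, so the key names must not change.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ekscloudwatch-config
  namespace: falco
data:
  # Required: Endpoint to forward audit events to, such as Sysdig Secure agent
  # The agent must expose a k8s audit server (k8s_audit_server_port must be configured in the agent as well)
  # Assumed that falco helm name is falco. If you use different name, change falco with your helm name in the endpoint value.
  # Note: the scheme is plain http, so audit events cross the pod network
  # unencrypted unless the cluster adds TLS between the two pods.
  endpoint: "http://falco-k8saudit-webhook:9765/k8s-audit"
  # Required: Cloudwatch polling interval
  cw_polling: "5m"
  # Required: CloudWatch query filter
  cw_filter: '{ $.sourceIPs[0] != "::1" && $.sourceIPs[0] != "127.0.0.1" }'
  # Optional: the EKS cluster name
  # This can be omitted if the EC2 instance can perform the ec2:DescribeInstances action
  # The IAM policy shown above grants only logs:*/cloudwatch:* read actions,
  # not ec2:DescribeInstances, so with that policy keep this key set.
  cluster_name: "my-eks-cluster"
  # Required: AWS region of the cluster; change this to your region
  aws_region: "eu-west-1"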
---
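# Single-replica forwarder that polls CloudWatch Logs (via the IRSA role on
# the ekscloudwatch ServiceAccount) and posts EKS audit events to ENDPOINT.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eks-cloudwatch
  namespace: falco
spec:
  minReadySeconds: 5
  replicas: 1
  selector:
    matchLabels:
      app: eks-cloudwatch
  template:
    metadata:
      labels:
        app: eks-cloudwatch
    spec:
      serviceAccountName: ekscloudwatch
      securityContext:
        fsGroup: 65534  # to be able to read Kubernetes and AWS token files
      containers:
        # Mutable tag plus imagePullPolicy Always means each restart may pull a
        # different build; pin to a digest (image@sha256:<digest>) for
        # reproducible, verifiable pulls.
        - image: sysdiglabs/k8sauditlogforwarder:ekscloudwatch-0.3
          imagePullPolicy: Always
          name: eks-cloudwatch-container
          securityContext:
            # The container only needs outbound network access (CloudWatch
            # API and the ENDPOINT webhook); it does not require kernel
            # capabilities or privilege escalation.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not set
            # because the image's user and scratch-directory needs are not
            # visible from this manifest — confirm against the image and add.
          # NOTE(review): no resources requests/limits are set; add them per
          # your cluster's policy.
          env:
            - name: ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: ekscloudwatch-config
                  key: endpoint
            - name: CLUSTER_NAME
              valueFrom:
                configMapKeyRef:
                  name: ekscloudwatch-config
                  key: cluster_name
                  # The ConfigMap documents cluster_name as optional; without
                  # this flag the pod fails to start when the key is omitted.
                  optional: true
            - name: AWS_REGION
              valueFrom:
                configMapKeyRef:
                  name: ekscloudwatch-config
                  key: aws_region
            - name: CW_POLLING
              valueFrom:
                configMapKeyRef:
                  name: ekscloudwatch-config
                  key: cw_polling
            - name: CW_FILTER
              valueFrom:
                configMapKeyRef:
                  name: ekscloudwatch-config
                  key: cw_filter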