AWS Certified Security – Specialty (SCS-C02) — Question 137

A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts. A security engineer integrates Amazon EKS with AWS CloudTrail. The CloudTrail trails are stored in an Amazon S3 bucket in each account to monitor API calls. The security engineer observes that CloudTrail logs are not displaying Kubernetes pod creation events.

What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

Answer options

• A. Configure the EKS clusters to use private S3 VPC endpoints. Configure the S3 buckets for logging.
• B. Enable Kubernetes API server component logs for each cluster.
• C. Enable cross-origin resource sharing (CORS) in the S3 bucket that is used for logging.
• D. Configure CloudWatch. View the events in the CloudWatch console.

Correct answer: B

Explanation

The correct answer is B because enabling Kubernetes API server component logs will allow the capture of Kubernetes events, including pod creation. Options A and C are unrelated to the issue of capturing Kubernetes events, focusing instead on S3 configurations. Option D mentions configuring CloudWatch, but without the necessary logs enabled, it will not show the relevant Kubernetes events.