AWS Certified Security – Specialty — Question 353

A company uses AWS Organizations and has Amazon Elastic Kubernetes Service (Amazon EKS) clusters in many AWS accounts. A security engineer integrates Amazon EKS with AWS CloudTrail. The CloudTrail trails are stored in an Amazon S3 bucket in each account to monitor API calls. The security engineer observes that CloudTrail logs are not displaying Kubernetes pod creation events.

What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?

Answer options

Correct answer: B

Explanation

To view internal Kubernetes events such as pod creation, you must explicitly enable Kubernetes control plane logging (the API server and audit log types in particular) for each Amazon EKS cluster; EKS then delivers these logs directly to Amazon CloudWatch Logs. AWS CloudTrail only records AWS-level API calls made to the EKS service (for example CreateCluster or UpdateClusterConfig), not the internal Kubernetes API operations handled by the cluster's own API server. Configuring S3 VPC endpoints, CORS, or basic CloudWatch settings will not resolve the missing control plane log ingestion.
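As an added example (not part of the question or of AWS's own code), the following Python script audits the control plane logging configuration of several EKS clusters. It works on DescribeCluster-shaped response dicts (constructed samples here, no AWS calls), reports which clusters lack the `api` and `audit` log types, and builds the `logging` payload that UpdateClusterConfig expects to enable them.

```python
"""Check which EKS clusters are not sending api/audit control plane logs
to CloudWatch Logs. Input dicts mirror the 'cluster' object returned by
the EKS DescribeCluster API; the samples below are constructed."""
from typing import Dict, List

# The five EKS control plane log types. Pod creation calls appear in the
# API server ("api") and audit ("audit") streams, so those are required.
ALL_LOG_TYPES = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
REQUIRED_LOG_TYPES = ["api", "audit"]


def enabled_log_types(cluster: Dict) -> List[str]:
    """Return the control plane log types currently enabled on a cluster."""
    enabled = []
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.extend(entry.get("types", []))
    return sorted(set(enabled))


def missing_log_types(cluster: Dict, required: List[str] = REQUIRED_LOG_TYPES) -> List[str]:
    """Required log types that are disabled (or absent) on the cluster."""
    enabled = set(enabled_log_types(cluster))
    return [t for t in required if t not in enabled]


def logging_update_payload(types: List[str]) -> Dict:
    """Build the 'logging' argument for eks update-cluster-config."""
    return {"clusterLogging": [{"types": list(types), "enabled": True}]}


def audit(clusters: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each non-compliant cluster name to its missing log types."""
    return {name: missing for name, c in clusters.items()
            if (missing := missing_log_types(c))}


# Constructed sample responses: one compliant cluster, one with api/audit off.
SAMPLE_CLUSTERS = {
    "prod-eks": {"name": "prod-eks", "logging": {"clusterLogging": [
        {"types": ALL_LOG_TYPES, "enabled": True}]}},
    "dev-eks": {"name": "dev-eks", "logging": {"clusterLogging": [
        {"types": ["authenticator"], "enabled": True},
        {"types": ["api", "audit", "controllerManager", "scheduler"], "enabled": False}]}},
}

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CLUSTERS).items():
        print(f"{name}: missing {missing} -> enable with {logging_update_payload(missing)}")
```

In a real account the same functions can be fed the `cluster` object from `aws eks describe-cluster` for every cluster in the organization, and the returned payload passed to `aws eks update-cluster-config --logging`.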