What should the security engineer do to view the Kubernetes events from Amazon CloudWatch?
Configure the EKS clusters to use private S3 VPC endpoints. Configure the S3 buckets for logging.
Enable Kubernetes API server component logs for each cluster.
Enable cross-origin resource sharing (CORS) in the S3 bucket that is used for logging.
Configure CloudWatch. View the events in the CloudWatch console.
Explanations:
Configuring EKS clusters to use private S3 VPC endpoints and enabling logging in S3 does not affect the logging of Kubernetes events to CloudTrail. CloudTrail primarily logs AWS API calls, and Kubernetes events are not captured by CloudTrail.
Enabling the Kubernetes API server component logs collects logs that record events such as pod creation. These logs can then be forwarded to CloudWatch, giving visibility into Kubernetes operations, including pod lifecycle events.
Enabling cross-origin resource sharing (CORS) in the S3 bucket used for logging does not relate to capturing Kubernetes events or API calls. CORS is primarily a browser security feature and does not impact logging behavior for Kubernetes events.
While configuring CloudWatch is necessary to view logs, simply configuring it without enabling the appropriate logging (like the Kubernetes API server component logs) will not result in Kubernetes events being displayed. The logs must first be generated before they can be viewed in CloudWatch.
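As an added illustration (not part of the original question or its explanations): once API server logging is enabled, pod create and delete requests show up as JSON audit events in the cluster's CloudWatch log group (EKS writes control plane logs to /aws/eks/<cluster>/cluster), and a small filter like the one below pulls the lifecycle events out of a mixed batch of lines. The log lines are constructed samples in the audit.k8s.io/v1 Event shape, not output captured from a real cluster.

```python
import json

# Constructed sample lines in the shape the EKS control plane writes to the
# "audit" stream of the /aws/eks/<cluster>/cluster log group once API server
# logging is enabled. The non-JSON line stands in for a plain API server line.
def _audit(verb, resource, name, user, code, ts):
    """Build one audit.k8s.io/v1 Event line (constructed sample data)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "stage": "ResponseComplete", "verb": verb,
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": "default", "name": name},
                       "responseStatus": {"code": code},
                       "requestReceivedTimestamp": ts})

SAMPLE_LOG_LINES = [
    _audit("create", "pods", "web-0", "kubernetes-admin", 201, "2024-01-01T10:00:00Z"),
    _audit("get", "pods", "web-0", "system:serviceaccount:kube-system:coredns", 200, "2024-01-01T10:00:01Z"),
    'I0101 10:00:02.000000 1 trace.go:219] Trace[123]: "Create" url:/api/v1/namespaces/default/pods',
    _audit("create", "configmaps", "app-config", "kubernetes-admin", 201, "2024-01-01T10:00:02Z"),
    _audit("delete", "pods", "web-0", "kubernetes-admin", 200, "2024-01-01T10:00:03Z"),
]

LIFECYCLE_VERBS = {"create", "delete"}


def parse_audit_event(line):
    """Return the audit Event dict for a JSON audit line, or None for anything else."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) and obj.get("kind") == "Event" else None


def pod_lifecycle_events(lines):
    """Keep only completed create/delete requests against pods, as flat records."""
    out = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev is None or ev.get("stage") != "ResponseComplete":
            continue  # skip non-audit lines and the RequestReceived half of an event
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ev.get("verb") not in LIFECYCLE_VERBS:
            continue  # reads of pods and writes to other resources are not lifecycle events
        out.append({"time": ev.get("requestReceivedTimestamp"), "verb": ev["verb"],
                    "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                    "user": ev.get("user", {}).get("username"),
                    "status": ev.get("responseStatus", {}).get("code")})
    return out
```

Run against SAMPLE_LOG_LINES this yields two records, the create and the later delete of default/web-0; the get, the configmap write and the plain log line are dropped.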