Adding Runtime Monitoring to an Amazon ECS cluster - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure Runtime Monitoring for the cluster, and then install the GuardDuty security agent on your EC2 container instances.

Prerequisites

  1. Turn on Runtime Monitoring. For more information, see Turning on Runtime Monitoring for Amazon ECS.

  2. You control Runtime Monitoring for a cluster with a pre-defined tag. If your access policies restrict access based on tags, you must grant explicit permissions to your IAM users to tag clusters. For more information, see IAM tutorial: Define permissions to access Amazon resources based on tags in the IAM User Guide.

Procedure

Perform the following operations to add Runtime Monitoring to a cluster.

  1. Create a VPC endpoint for GuardDuty for each cluster VPC. For more information, see Creating Amazon VPC endpoint manually in the GuardDuty User Guide.

  2. Configure the EC2 container instances.

    1. Update the Amazon ECS agent to version 1.77 or later on the EC2 container instances in the cluster. For more information, see Updating the Amazon ECS container agent.

    2. Install the GuardDuty security agent on the EC2 container instances in the cluster. For more information, see Managing the security agent on an Amazon EC2 instance manually in the GuardDuty User Guide.

      All new and existing tasks and deployments are immediately protected, because the GuardDuty security agent runs as a process on the EC2 container instance rather than inside each task.

  3. Use the Amazon ECS console or Amazon CLI to set the GuardDutyManaged tag key on the cluster to true. For more information, see Updating a cluster or Working with tags using the CLI or API. Use the following values for the tag.

    Note

    The Key and Value are case sensitive and must exactly match the strings.

    Key = GuardDutyManaged, Value = true
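The following readiness check is an added example and is not code from the Amazon ECS or GuardDuty documentation. It covers the two conditions above that are easy to get wrong: an ECS agent older than 1.77 on some container instance, and a GuardDutyManaged tag whose key or value does not match the required strings exactly. It reads the JSON printed by `aws ecs describe-container-instances` and `aws ecs list-tags-for-resource`, so it runs offline against saved output; the sample documents, account ID and ARNs below are constructed placeholders.

```python
"""Readiness check for GuardDuty Runtime Monitoring on an ECS cluster.

Added example (not AWS documentation code). Feed it the parsed JSON of
  aws ecs describe-container-instances --cluster <c> --container-instances <ids>
  aws ecs list-tags-for-resource --resource-arn <cluster-arn>
The sample data at the bottom is constructed; ARNs and versions are placeholders.
"""
import json

MIN_AGENT_VERSION = (1, 77, 0)   # ECS agent 1.77 or later is required
TAG_KEY = "GuardDutyManaged"     # key and value are case-sensitive
TAG_VALUE = "true"


def parse_version(text):
    """Turn '1.77.0' (or '1.80') into a comparable tuple; missing parts are 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def agent_version_ok(version_text):
    """True when the agent version meets the 1.77 minimum."""
    return parse_version(version_text) >= MIN_AGENT_VERSION


def outdated_instances(describe_output):
    """Return ARNs of container instances whose ECS agent is older than 1.77."""
    stale = []
    for ci in describe_output.get("containerInstances", []):
        version = ci.get("versionInfo", {}).get("agentVersion", "0")
        if not agent_version_ok(version):
            stale.append(ci["containerInstanceArn"])
    return stale


def guardduty_tag_status(tags_output):
    """Classify the cluster tag as 'ok', 'missing' or 'case-mismatch'.

    Only GuardDutyManaged=true (exact case) turns Runtime Monitoring on, so a
    tag such as guarddutymanaged=True is flagged rather than counted as enabled.
    """
    for tag in tags_output.get("tags", []):
        key, value = tag.get("key", ""), tag.get("value", "")
        if key == TAG_KEY and value == TAG_VALUE:
            return "ok"
        if key.lower() == TAG_KEY.lower():
            return "case-mismatch"
    return "missing"


def tag_command(cluster_arn):
    """The AWS CLI call that sets the tag with the exact required strings."""
    return ("aws ecs tag-resource --resource-arn %s "
            "--tags key=%s,value=%s" % (cluster_arn, TAG_KEY, TAG_VALUE))


# Constructed sample output: one current instance, one that still needs an agent update.
SAMPLE_DESCRIBE = json.loads("""
{"containerInstances": [
  {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/example/aaaa",
   "versionInfo": {"agentVersion": "1.77.0"}},
  {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/example/bbbb",
   "versionInfo": {"agentVersion": "1.70.2"}}
]}
""")
# Constructed sample tags: the value has the wrong case, so monitoring is not enabled.
SAMPLE_TAGS = json.loads('{"tags": [{"key": "GuardDutyManaged", "value": "True"}]}')
SAMPLE_CLUSTER_ARN = "arn:aws:ecs:us-east-1:123456789012:cluster/example"

if __name__ == "__main__":
    for arn in outdated_instances(SAMPLE_DESCRIBE):
        print("agent older than 1.77:", arn)
    status = guardduty_tag_status(SAMPLE_TAGS)
    print("GuardDutyManaged tag:", status)
    if status != "ok":
        print("fix with:", tag_command(SAMPLE_CLUSTER_ARN))
```

In practice, replace the two sample documents with `json.load()` of the real CLI output. A `case-mismatch` result is the one to watch for: the cluster looks tagged in the console, but Runtime Monitoring is not applied until the key and value are exactly `GuardDutyManaged` and `true`.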