Turning on Runtime Monitoring for Amazon ECS - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Turning on Runtime Monitoring for Amazon ECS

You can turn on Runtime Monitoring for clusters with EC2 instances, or when you need granular control of Runtime Monitoring at the cluster-level on Fargate.

The following are prerequisites for using Runtime Monitoring:

  • The Fargate platform version must be 1.4.0 or later for Linux.

  • IAM roles and permissions for Amazon ECS:

    • Fargate tasks must use a task execution role. This role grants the tasks permission to retrieve, update, and manage the GuardDuty security agent on your behalf. For more information see Amazon ECS task execution IAM role.

    • You control Runtime Monitoring for a cluster with a pre-defined tag. If your access policies restrict access based on tags, you must grant explicit permissions to your IAM users to tag clusters. For more information, see IAM tutorial: Define permissions to access Amazon resources based on tags in the IAM User Guide.

  • Connecting to the Amazon ECR repository:

    The GuardDuty security agent is stored in an Amazon ECR repository. Each standalone and service task must have access to the repository. You can use one of the following options:

    • For tasks in public subnets, you can either use a public IP address for the task, or create a VPC endpoint for Amazon ECR in the subnet where the task runs. For more information, see Amazon ECR interface VPC endpoints (Amazon PrivateLink) in the Amazon Elastic Container Registry User Guide.

    • For tasks in private subnets, you can use a Network Address Translation (NAT) gateway, or create a VPC endpoint for Amazon ECR in the subnet where the task runs.

      For more information, see Using a private subnet and NAT gateway.

  • You must have the AWSServiceRoleForAmazonGuardDuty role for GuardDuty. For more information, see Service-linked role permissions for GuardDuty in the Amazon GuardDuty User Guide.

  • Any files that you want to protect with Runtime Monitoring must be accessible by the root user. If you manually changed the permissions of a file, you must set it to 755.

The following are prerequisites for using Runtime Monitoring on EC2 container instances:

You turn on Runtime Monitoring in GuardDuty. For information about how to enable the feature, see Enabling Runtime Monitoring in the Amazon GuardDuty User Guide.