

# Configuring EKS Runtime Monitoring for multiple-account environments (API)
<a name="eks-runtime-monitoring-configuration-multiple-accounts"></a>

In a multiple-account environment, only the delegated GuardDuty administrator account can enable or disable EKS Runtime Monitoring for the member accounts, and manage the GuardDuty security agent for the EKS clusters that belong to the member accounts in its organization. GuardDuty member accounts can't modify this configuration from their own accounts. The delegated GuardDuty administrator account manages its member accounts through Amazon Organizations. For more information about multi-account environments, see [Managing multiple accounts](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty_accounts.html).

## Configuring EKS Runtime Monitoring for the delegated GuardDuty administrator account
<a name="eks-protection-configure-delegated-admin"></a>

This section provides steps to configure EKS Runtime Monitoring and manage the GuardDuty security agent for the EKS clusters that belong to the delegated GuardDuty administrator account.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  | **Steps** | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  Run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateDetector.html) API with your own regional detector ID, passing a `features` entry whose `Name` is `EKS_RUNTIME_MONITORING` and whose `Status` is `ENABLED`, together with an `AdditionalConfiguration` entry that sets `EKS_ADDON_MANAGEMENT` to `ENABLED`. GuardDuty then manages the deployment of, and updates to, the security agent for all the Amazon EKS clusters in the delegated GuardDuty administrator account. Alternatively, use the Amazon CLI command with the same regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT`: <pre>aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre> To confirm the change, run `aws guardduty get-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0` and check that both entries show `ENABLED` in the `Features` list of the output.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Auto-enable EKS Runtime Monitoring for all member accounts
<a name="auto-enable-eksrunmon-existing-memberaccounts"></a>

This section includes steps to enable EKS Runtime Monitoring and manage security agent for all member accounts. This includes the delegated GuardDuty administrator account, existing member accounts, and the new accounts that join the organization.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  | **Steps** | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To enable EKS Runtime Monitoring for all existing member accounts, run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID* and the account IDs of every member account.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in those member accounts. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT` for one member account: <pre>aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  You can pass a list of account IDs separated by a space; each call accepts at most 50 account IDs, so split larger organizations into several calls.  This call only affects the accounts you list: the delegated GuardDuty administrator account's own detector is configured with the UpdateDetector steps earlier on this page, and accounts that join the organization later are covered by the auto-enable setting for new members described later on this page.  When the call succeeds for every listed account, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Configuring EKS Runtime Monitoring for all existing active member accounts
<a name="eks-protection-configure-active-members"></a>

This section includes the steps to enable EKS Runtime Monitoring and manage GuardDuty security agent for existing active member accounts in your organization.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  |  **Steps**  | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To enable EKS Runtime Monitoring for all existing active member accounts, run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*. You can obtain the IDs of all associated member accounts from the ListMembers API with `OnlyAssociated` set to `true`.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in those member accounts. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT` for one member account: <pre>aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  You can pass a list of account IDs separated by a space; each call accepts at most 50 account IDs, so split larger organizations into several calls.  When the call succeeds for every listed account, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Auto-enable EKS Runtime Monitoring for new members
<a name="eks-protection-configure-auto-enable-new-members"></a>

The delegated GuardDuty administrator account can auto-enable EKS Runtime Monitoring and choose an approach for how to manage the GuardDuty security agent for new accounts that join your organization.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  |  **Steps**  | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To automatically enable EKS Runtime Monitoring for accounts that join your organization, invoke the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) API operation using your own *detector ID*. Set `AutoEnable` for `EKS_ADDON_MANAGEMENT` to `NEW` as well, so that GuardDuty manages the deployment of and updates to the security agent for all the Amazon EKS clusters in those new accounts. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example sets both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT` to auto-enable for new accounts: <pre>aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'</pre> This operation affects only accounts that join the organization after it runs; existing member accounts are configured with UpdateMemberDetectors as described earlier on this page. On success the command produces no output. To confirm the setting, run `aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0` and check the `AutoEnable` value of each entry in the `Features` list.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
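The organization-level setting above is applied with a call that returns nothing, so the only way to know it took effect is to read it back. The following Python script is an added example, not part of the original page, that applies the page's auto-enable setting for new members through the boto3 GuardDuty client (`update_organization_configuration`, `describe_organization_configuration`) and then verifies both the feature and its `EKS_ADDON_MANAGEMENT` sub-setting. The `FakeGuardDuty` class is a constructed stand-in so the script runs offline; the detector ID is the example value from the page, and `GUARDDUTY_LIVE` is an assumed environment variable that switches to the real client.

```python
"""Set auto-enable of EKS Runtime Monitoring (GuardDuty-managed agent) for
accounts that join later, then read the setting back, because
UpdateOrganizationConfiguration returns no body to check."""
import os
from typing import Dict, List

try:
    import boto3  # real client, only used when GUARDDUTY_LIVE=1 (assumed variable)
except ImportError:  # the offline demo below runs without boto3
    boto3 = None

DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # example ID from the page


def eks_runtime_auto_enable(mode: str = "NEW") -> List[dict]:
    """Feature payload mirroring the page's --features argument."""
    return [{
        "Name": "EKS_RUNTIME_MONITORING",
        "AutoEnable": mode,
        "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": mode}],
    }]


def set_auto_enable_for_new_members(gd, detector_id: str, mode: str = "NEW") -> Dict[str, str]:
    """Apply the setting, then verify it via DescribeOrganizationConfiguration.
    Returns {} when both settings read back as `mode`, otherwise the mismatches."""
    gd.update_organization_configuration(
        DetectorId=detector_id, AutoEnable=True, Features=eks_runtime_auto_enable(mode))
    cfg = gd.describe_organization_configuration(DetectorId=detector_id)
    feats = {f["Name"]: f for f in cfg.get("Features", [])}
    rm = feats.get("EKS_RUNTIME_MONITORING", {})
    addon = {a["Name"]: a.get("AutoEnable") for a in rm.get("AdditionalConfiguration", [])}
    mismatches: Dict[str, str] = {}
    if rm.get("AutoEnable") != mode:
        mismatches["EKS_RUNTIME_MONITORING"] = str(rm.get("AutoEnable"))
    if addon.get("EKS_ADDON_MANAGEMENT") != mode:
        mismatches["EKS_ADDON_MANAGEMENT"] = str(addon.get("EKS_ADDON_MANAGEMENT"))
    return mismatches


class FakeGuardDuty:
    """Constructed stand-in for the boto3 GuardDuty client (offline demo).
    drop_addon=True simulates a backend that silently ignores the nested setting."""
    def __init__(self, drop_addon: bool = False):
        self.drop_addon = drop_addon
        self.features: List[dict] = []

    def update_organization_configuration(self, DetectorId, AutoEnable, Features):
        self.features = [dict(f, AdditionalConfiguration=[] if self.drop_addon
                              else f["AdditionalConfiguration"]) for f in Features]
        return {}  # the real API returns an empty body

    def describe_organization_configuration(self, DetectorId):
        return {"AutoEnable": True, "Features": self.features}


if __name__ == "__main__":
    if boto3 and os.environ.get("GUARDDUTY_LIVE") == "1":
        gd = boto3.client("guardduty")
        detector_id = gd.list_detectors()["DetectorIds"][0]
    else:
        gd, detector_id = FakeGuardDuty(), DETECTOR_ID
    problems = set_auto_enable_for_new_members(gd, detector_id)
    print("auto-enable verified" if not problems else f"mismatch: {problems}")
```

The read-back matters because the nested `EKS_ADDON_MANAGEMENT` setting is easy to drop from the payload; with it missing, new accounts get runtime monitoring but no agent, and the `drop_addon` case shows what that looks like.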

## Enable EKS Runtime Monitoring for individual active member accounts
<a name="eks-protection-configure-selectively-member-accounts"></a>

This section includes the steps to configure EKS Runtime Monitoring and manage security agent for individual active member accounts.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  |  **Steps**  | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To selectively enable EKS Runtime Monitoring for individual member accounts, run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID* and the IDs of the accounts you want to enable.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in those member accounts. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT` for one member account: <pre>aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  You can pass a list of account IDs separated by a space; each call accepts at most 50 account IDs.  When the call succeeds for every listed account, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
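The three `update-member-detectors` procedures on this page (auto-enable for all member accounts, all existing active member accounts, and individual active member accounts) share the same call, and an empty `UnprocessedAccounts` list only says the request was accepted, not that each member's detector now shows the feature on. The following Python script is an added example, not part of the original page, that enumerates associated members with the boto3 GuardDuty client (`list_members`), enables `EKS_RUNTIME_MONITORING` with `EKS_ADDON_MANAGEMENT` in batches of at most 50 account IDs (`update_member_detectors`), and then reads each member's feature state back (`get_member_detectors`). `FakeGuardDuty` is a constructed stand-in so the script runs offline, the 120 member account IDs are made up, and `GUARDDUTY_LIVE` is an assumed environment variable that switches to the real client.

```python
"""Enable EKS Runtime Monitoring with the GuardDuty-managed agent on member
accounts in batches, then read the result back per account instead of
trusting an empty UnprocessedAccounts list."""
import os
from typing import Dict, Iterable, List

try:
    import boto3  # real client, only used when GUARDDUTY_LIVE=1 (assumed variable)
except ImportError:
    boto3 = None

DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # example ID from the page
MAX_IDS_PER_CALL = 50  # AccountIds limit of UpdateMemberDetectors and GetMemberDetectors


def eks_runtime_features(status: str = "ENABLED") -> List[dict]:
    """Same structure as the page's --features argument."""
    return [{
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": status,
        "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": status}],
    }]


def batches(ids: List[str], size: int = MAX_IDS_PER_CALL) -> Iterable[List[str]]:
    for i in range(0, len(ids), size):
        yield ids[i:i + size]


def list_active_member_ids(gd, detector_id: str) -> List[str]:
    """Associated member accounts, following NextToken across pages."""
    ids, kwargs = [], {"DetectorId": detector_id, "OnlyAssociated": "true"}
    while True:
        page = gd.list_members(**kwargs)
        ids.extend(m["AccountId"] for m in page.get("Members", []))
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def enable_eks_runtime_monitoring(gd, detector_id: str, account_ids: List[str]) -> Dict[str, str]:
    """Returns {account_id: reason} for every account that is not fully enabled
    afterwards: rejected by UpdateMemberDetectors, or reading back in another state."""
    problems: Dict[str, str] = {}
    for batch in batches(account_ids):
        resp = gd.update_member_detectors(
            DetectorId=detector_id, AccountIds=batch, Features=eks_runtime_features())
        for u in resp.get("UnprocessedAccounts", []):
            problems[u["AccountId"]] = u["Result"]
    for batch in batches([a for a in account_ids if a not in problems]):
        resp = gd.get_member_detectors(DetectorId=detector_id, AccountIds=batch)
        for u in resp.get("UnprocessedAccounts", []):
            problems[u["AccountId"]] = u["Result"]
        for cfg in resp.get("MemberDataSourceConfigurations", []):
            feats = {f["Name"]: f for f in cfg.get("Features", [])}
            rm = feats.get("EKS_RUNTIME_MONITORING", {})
            addon = {a["Name"]: a.get("Status") for a in rm.get("AdditionalConfiguration", [])}
            if rm.get("Status") != "ENABLED":
                problems[cfg["AccountId"]] = "EKS_RUNTIME_MONITORING is not ENABLED"
            elif addon.get("EKS_ADDON_MANAGEMENT") != "ENABLED":
                problems[cfg["AccountId"]] = "EKS_ADDON_MANAGEMENT is not ENABLED"
    return problems


class FakeGuardDuty:
    """Constructed stand-in for the boto3 GuardDuty client (offline demo).
    Accounts in `rejected` come back in UnprocessedAccounts, as GuardDuty does
    for members it cannot update."""
    def __init__(self, members: List[str], rejected: Iterable[str] = ()):
        self.members, self.rejected, self.state = list(members), set(rejected), {}

    def list_members(self, DetectorId, OnlyAssociated="false", NextToken=None, MaxResults=50):
        start = int(NextToken or 0)
        out = {"Members": [{"AccountId": a, "RelationshipStatus": "Enabled"}
                           for a in self.members[start:start + MaxResults]]}
        if start + MaxResults < len(self.members):
            out["NextToken"] = str(start + MaxResults)
        return out

    def update_member_detectors(self, DetectorId, AccountIds, Features):
        assert 1 <= len(AccountIds) <= MAX_IDS_PER_CALL, "API limit exceeded"
        for a in AccountIds:
            if a not in self.rejected:
                self.state[a] = Features
        return {"UnprocessedAccounts": [{"AccountId": a, "Result": "member account is not enabled"}
                                        for a in AccountIds if a in self.rejected]}

    def get_member_detectors(self, DetectorId, AccountIds):
        assert 1 <= len(AccountIds) <= MAX_IDS_PER_CALL, "API limit exceeded"
        return {"MemberDataSourceConfigurations": [{"AccountId": a, "Features": self.state.get(a, [])}
                                                   for a in AccountIds if a not in self.rejected],
                "UnprocessedAccounts": [{"AccountId": a, "Result": "member account is not enabled"}
                                        for a in AccountIds if a in self.rejected]}


if __name__ == "__main__":
    if boto3 and os.environ.get("GUARDDUTY_LIVE") == "1":
        gd = boto3.client("guardduty")
        detector_id = gd.list_detectors()["DetectorIds"][0]
    else:  # constructed data: 120 member accounts, one of which GuardDuty rejects
        gd = FakeGuardDuty([f"{111122223333 + i:012d}" for i in range(120)], rejected=["111122223400"])
        detector_id = DETECTOR_ID
    members = list_active_member_ids(gd, detector_id)
    problems = enable_eks_runtime_monitoring(gd, detector_id, members)
    print(f"{len(members) - len(problems)} of {len(members)} accounts enabled; problems: {problems}")
```

Pass an explicit list instead of `list_active_member_ids(...)` to enable individual accounts; the batching and the read-back are the same. Treat any entry in the returned dictionary as an account still without runtime monitoring, and re-run for those accounts once the reported cause is fixed.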