

# EKS Runtime Monitoring in GuardDuty
<a name="eks-runtime-monitoring-guardduty"></a>

EKS Runtime Monitoring provides runtime threat detection coverage for Amazon Elastic Kubernetes Service (Amazon EKS) nodes and containers within your Amazon environment. EKS Runtime Monitoring uses a GuardDuty security agent that adds runtime visibility into individual EKS workloads, for example, file access, process execution, and network connections. The GuardDuty security agent helps GuardDuty identify specific containers within your EKS clusters that are potentially compromised. It can also detect attempts to escalate privileges from an individual container to the underlying EC2 host, and the broader Amazon environment.

With the availability of Runtime Monitoring, GuardDuty has consolidated the console experience for EKS Runtime Monitoring into Runtime Monitoring. GuardDuty will not migrate your EKS Runtime Monitoring settings on your behalf automatically. This requires an action at your end. If you want to continue using only EKS Runtime Monitoring, you can use the APIs or Amazon CLI to check and update the existing configuration status for EKS Runtime Monitoring. However, GuardDuty recommends [Migrating from EKS Runtime Monitoring to Runtime Monitoring](migrating-from-eksrunmon-to-runtime-monitoring.md) and using Runtime Monitoring to monitor your Amazon EKS clusters.

**Topics**
+ [Configuring EKS Runtime Monitoring for multiple-account environments (API)](eks-runtime-monitoring-configuration-multiple-accounts.md)
+ [Configuring EKS Runtime Monitoring for a standalone account (API)](eks-runtime-monitoring-configuration-standalone-acc.md)
+ [Migrating from EKS Runtime Monitoring to Runtime Monitoring](migrating-from-eksrunmon-to-runtime-monitoring.md)

# Configuring EKS Runtime Monitoring for multiple-account environments (API)
<a name="eks-runtime-monitoring-configuration-multiple-accounts"></a>

In a multiple-account environment, only the delegated GuardDuty administrator account can enable or disable EKS Runtime Monitoring for the member accounts, and manage GuardDuty agent management for the EKS clusters belonging to the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using Amazon Organizations. For more information about multi-account environments, see [Managing multiple accounts](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty_accounts.html).

## Configuring EKS Runtime Monitoring for delegated GuardDuty administrator account
<a name="eks-protection-configure-delegated-admin"></a>

This section provides steps to configure EKS Runtime Monitoring and manage the GuardDuty security agent for the EKS clusters that belong to the delegated GuardDuty administrator account.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  | **Steps** | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  Run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateDetector.html) API by using your own regional detector ID and passing the `features` object name as `EKS_RUNTIME_MONITORING` and status as `ENABLED`.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT`: <pre>aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Auto-enable EKS Runtime Monitoring for all member accounts
<a name="auto-enable-eksrunmon-existing-memberaccounts"></a>

This section includes steps to enable EKS Runtime Monitoring and manage the security agent for all member accounts. This includes the delegated GuardDuty administrator account, existing member accounts, and the new accounts that join the organization.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  | **Steps** | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To selectively enable EKS Runtime Monitoring for your member accounts, run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT`: <pre>aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  You can also pass a list of account IDs separated by a space.  When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Configuring EKS Runtime Monitoring for all existing active member accounts
<a name="eks-protection-configure-active-members"></a>

This section includes the steps to enable EKS Runtime Monitoring and manage GuardDuty security agent for existing active member accounts in your organization.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  |  **Steps**  | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To selectively enable EKS Runtime Monitoring for your member accounts, run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT`: <pre>aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  You can also pass a list of account IDs separated by a space.  When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Auto-enable EKS Runtime Monitoring for new members
<a name="eks-protection-configure-auto-enable-new-members"></a>

The delegated GuardDuty administrator account can auto-enable EKS Runtime Monitoring and choose an approach for how to manage the GuardDuty security agent for new accounts that join your organization.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  |  **Steps**  | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To selectively enable EKS Runtime Monitoring for your new accounts, invoke the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) API operation using your own *detector ID*. Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT` for a single account. You can also pass a list of account IDs separated by a space. <pre>aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'</pre> When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

## Enable EKS Runtime Monitoring for individual active member accounts
<a name="eks-protection-configure-selectively-member-accounts"></a>

This section includes the steps to configure EKS Runtime Monitoring and manage the security agent for individual active member accounts.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  |  **Steps**  | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  To selectively enable EKS Runtime Monitoring for your member accounts, run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*.  Set the status for `EKS_ADDON_MANAGEMENT` as `ENABLED`. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account. Alternatively, you can use the Amazon CLI command by using your own regional detector ID. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. The following example enables both `EKS_RUNTIME_MONITORING` and `EKS_ADDON_MANAGEMENT`: <pre>aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'</pre>  You can also pass a list of account IDs separated by a space.  When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-multiple-accounts.html)  | 

# Configuring EKS Runtime Monitoring for a standalone account (API)
<a name="eks-runtime-monitoring-configuration-standalone-acc"></a>

A standalone account owns the decision to enable or disable a protection plan in their Amazon Web Services account in a specific Amazon Web Services Region. 

If your account is associated with a GuardDuty administrator account through Amazon Organizations, or by the method of invitation, this section doesn't apply to your account. For more information, see [Configuring EKS Runtime Monitoring for multiple-account environments (API)](eks-runtime-monitoring-configuration-multiple-accounts.md).

After you enable Runtime Monitoring, make sure to install the GuardDuty security agent through automated configuration or manual deployment. As a part of completing all the steps listed in the following procedure, make sure to install the security agent.

Based on the [Approaches to manage GuardDuty security agent in Amazon EKS clusters](how-runtime-monitoring-works-eks.md#eksrunmon-approach-to-monitor-eks-clusters), you can choose a preferred approach and follow the steps as mentioned in the following table.


|  **Preferred approach to manage GuardDuty security agent**  | **Steps** | 
| --- | --- | 
|  Manage security agent through GuardDuty (Monitor all EKS clusters)  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-standalone-acc.html)  | 
| Monitor all EKS clusters but exclude some of them (using exclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-standalone-acc.html)  | 
| Monitor selective EKS clusters (using inclusion tag) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-standalone-acc.html)  | 
|  Manage the security agent manually  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-configuration-standalone-acc.html)  | 

# Migrating from EKS Runtime Monitoring to Runtime Monitoring
<a name="migrating-from-eksrunmon-to-runtime-monitoring"></a>

With the launch of GuardDuty Runtime Monitoring, the threat detection coverage has been expanded to Amazon ECS containers and Amazon EC2 instances. EKS Runtime Monitoring experience has now been consolidated into Runtime Monitoring. You can enable Runtime Monitoring and manage individual GuardDuty security agents for each resource type (Amazon EC2 instance, Amazon ECS cluster, and Amazon EKS cluster) for which you want to monitor the runtime behavior.

GuardDuty has consolidated the console experience for EKS Runtime Monitoring into Runtime Monitoring. GuardDuty recommends [Checking EKS Runtime Monitoring configuration status](checking-eks-runtime-monitoring-enable-status.md) and [Migrating from EKS Runtime Monitoring to Runtime Monitoring](#migrating-from-eksrunmon-to-runtime-monitoring).

As a part of migrating to Runtime Monitoring, make sure to [Disable EKS Runtime Monitoring](disabling-eks-runtime-monitoring.md). This is important because if you later choose to disable Runtime Monitoring and you do not disable EKS Runtime Monitoring, you will continue incurring usage cost for EKS Runtime Monitoring.

**To migrate from EKS Runtime Monitoring to Runtime Monitoring**

1. The GuardDuty console supports EKS Runtime Monitoring as a part of Runtime Monitoring. 

   You can start using Runtime Monitoring by [Checking EKS Runtime Monitoring configuration status](checking-eks-runtime-monitoring-enable-status.md) of your organization and accounts.

   Make sure to not disable EKS Runtime Monitoring before enabling Runtime Monitoring. If you disable EKS Runtime Monitoring, the Amazon EKS add-on management will also get disabled. Continue with the following steps in the listed order.

1. Make sure you meet all the [Prerequisites to enabling Runtime Monitoring](runtime-monitoring-prerequisites.md).

1. Enable Runtime Monitoring by replicating the same organization configuration settings for Runtime Monitoring as you have for EKS Runtime Monitoring. For more information, see [Enabling Runtime Monitoring](runtime-monitoring-configuration.md). 
   + If you have a standalone account, you need to enable Runtime Monitoring.

     If your GuardDuty security agent is deployed already, the corresponding settings are replicated automatically and you don't need to configure the settings again.
   + If you have an organization with auto-enablement settings, make sure to replicate the same auto-enablement settings for Runtime Monitoring.
   + If you have an organization with settings configured for existing active member accounts individually, make sure to enable Runtime Monitoring and configure the GuardDuty security agent for these members individually.

1. After you have ensured that the Runtime Monitoring and GuardDuty security agent settings are correct, [disable EKS Runtime Monitoring](https://docs.amazonaws.cn/guardduty/latest/ug/disabling-eks-runtime-monitoring.html) by using either the API or the Amazon CLI command. 

1. (Optional) If you want to clean up any resources associated with the GuardDuty security agent, see [Disabling, uninstalling, and cleaning up resources in Runtime Monitoring](runtime-monitoring-agent-resource-clean-up.md).

If you want to continue using EKS Runtime Monitoring without enabling Runtime Monitoring, see [EKS Runtime Monitoring in GuardDuty](eks-runtime-monitoring-guardduty.md). Based on your use case, choose the steps to configure EKS Runtime Monitoring for a standalone account or for multiple member accounts.

# Checking EKS Runtime Monitoring configuration status
<a name="checking-eks-runtime-monitoring-enable-status"></a>

Use the following APIs or Amazon CLI commands to check the existing configuration status of EKS Runtime Monitoring. 

**To check existing EKS Runtime Monitoring configuration status in your account**
+ Run [GetDetector](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_GetDetector.html) to check the configuration status of your own account.
+ Alternatively, you can run the following command by using Amazon CLI:

  ```
  aws guardduty get-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --region us-east-1
  ```

  Make sure to replace the detector ID with the detector ID of your Amazon Web Services account and the Region with your current Region. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API.

**To check existing EKS Runtime Monitoring configuration status for your organization (as a delegated GuardDuty administrator account only)**
+ Run [DescribeOrganizationConfiguration](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html) to check the configuration status of your organization.

  Alternatively, you can run the following command using Amazon CLI:

  ```
  aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --region us-east-1
  ```

  Make sure to replace the detector ID with the detector ID of your delegated GuardDuty administrator account and the Region with your current Region. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API.
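The following is an added example, not part of the GuardDuty documentation: it reads a saved `get-detector` response and reports which migration step applies, following the ordering rules on this page. It assumes the response carries a `Features` list with `Name`, `Status`, and `AdditionalConfiguration` entries and that Runtime Monitoring appears as the `RUNTIME_MONITORING` feature; the state names and the sample response are constructed for illustration.

```python
import json

# Constructed sample of `aws guardduty get-detector` output (not real account data).
SAMPLE_GET_DETECTOR = """
{
  "Status": "ENABLED",
  "Features": [
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [
       {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]},
    {"Name": "RUNTIME_MONITORING", "Status": "DISABLED",
     "AdditionalConfiguration": [
       {"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]}
  ]
}
"""


def load_sample():
    """Parse the constructed sample response above."""
    return json.loads(SAMPLE_GET_DETECTOR)


def feature_status(detector, feature_name):
    """Return (status, {additional_config_name: status}) for one feature.

    A feature that is absent from the response is treated as DISABLED.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == feature_name:
            extra = {
                cfg["Name"]: cfg.get("Status", "DISABLED")
                for cfg in feature.get("AdditionalConfiguration", [])
            }
            return feature.get("Status", "DISABLED"), extra
    return "DISABLED", {}


def migration_state(detector):
    """Classify a detector against the migration order described on this page.

    The returned labels are hypothetical names used only by this example.
    """
    eks_status, eks_extra = feature_status(detector, "EKS_RUNTIME_MONITORING")
    rm_status, rm_extra = feature_status(detector, "RUNTIME_MONITORING")
    eks_on = eks_status == "ENABLED"
    rm_on = rm_status == "ENABLED"
    eks_addon = eks_extra.get("EKS_ADDON_MANAGEMENT", "DISABLED")
    rm_addon = rm_extra.get("EKS_ADDON_MANAGEMENT", "DISABLED")

    if eks_on and not rm_on:
        # Disabling EKS Runtime Monitoring now would also disable
        # EKS add-on management, so Runtime Monitoring must come first.
        return "ENABLE_RUNTIME_MONITORING_FIRST"
    if eks_on and rm_on:
        if eks_addon == "ENABLED" and rm_addon != "ENABLED":
            # Agent management has not been replicated to Runtime Monitoring.
            return "REPLICATE_AGENT_SETTINGS"
        # Both are on and settings match: leaving EKS Runtime Monitoring
        # enabled keeps incurring its usage cost.
        return "SAFE_TO_DISABLE_EKS_RUNTIME_MONITORING"
    if rm_on:
        return "MIGRATED"
    return "NOT_MONITORED"


if __name__ == "__main__":
    print(migration_state(load_sample()))
```

To use it with real data, save the CLI output to a file and pass the parsed JSON to `migration_state`.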

# Disabling EKS Runtime Monitoring after migrating to Runtime Monitoring
<a name="disabling-eks-runtime-monitoring"></a>

After you have ensured that the existing settings for your account or organization have been replicated to Runtime Monitoring, you can disable EKS Runtime Monitoring.

**To disable EKS Runtime Monitoring**
+ **To disable EKS Runtime Monitoring in your own account**

  Run the [UpdateDetector](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateDetector.html) API with your own regional *detector-id*.

  Alternatively, you can use the following Amazon CLI command. Replace *12abc34d567e8fa901bc2d34e56789f0* with your own regional *detector-id*.

  ```
  aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
  ```
+ **To disable EKS Runtime Monitoring for member accounts in your organization**

  Run the [UpdateMemberDetectors](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API with the regional *detector-id* of the delegated GuardDuty administrator account of the organization. 

  Alternatively, you can use the following Amazon CLI command. Replace *12abc34d567e8fa901bc2d34e56789f0* with the regional *detector-id* of the delegated GuardDuty administrator account of the organization and *111122223333* with the Amazon Web Services account ID of the member account for which you want to disable this feature.

  ```
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
  ```
+ **To update EKS Runtime Monitoring auto-enable settings for your organization**

  Perform the following step only if you have configured the EKS Runtime Monitoring auto-enablement settings to either new (`NEW`) or all (`ALL`) member accounts in the organization. If you had already configured it as `NONE`, then you can skip this step.

  **Note**  
  Setting the EKS Runtime Monitoring auto-enable configuration to `NONE` means that EKS Runtime Monitoring will not be enabled automatically for any existing member account or when a new member account joins your organization.

  Run the [UpdateOrganizationConfiguration](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) API with the regional *detector-id* of the delegated GuardDuty administrator account of the organization. 

  Alternatively, you can use the following Amazon CLI command. Replace *12abc34d567e8fa901bc2d34e56789f0* with the regional *detector-id* of the delegated GuardDuty administrator account of the organization. Replace the *EXISTING_VALUE* with your current configuration for auto-enabling GuardDuty.

  ```
  aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members EXISTING_VALUE --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NONE"}]'
  ```