Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
When you enable Runtime Monitoring for your account, Amazon GuardDuty may generate Runtime Monitoring finding types that indicate potential security issues in your Amazon environment. The potential security issues indicate either a compromised Amazon EC2 instance, container workload, an Amazon EKS cluster, or a set of compromised credentials in your Amazon environment. The security agent monitors runtime events from multiple resource types. To identify the potentially compromised resource, view Resource type in the generated finding details in the GuardDuty console. The following section describes the recommended remediation steps for each resource type.
- Instance: If the Resource type in the finding details is Instance, it indicates that either an EC2 instance or an EKS node is potentially compromised.
- EKSCluster: If the Resource type in the finding details is EKSCluster, it indicates that either a pod or a container inside an EKS cluster is potentially compromised.
- ECSCluster: If the Resource type in the finding details is ECSCluster, it indicates that either an ECS task or a container inside an ECS task is potentially compromised.
  - Identify the affected ECS cluster: The GuardDuty Runtime Monitoring finding provides the ECS cluster details in the finding's details panel or in the resource.ecsClusterDetails section in the finding JSON.
  - Identify the affected ECS task: The GuardDuty Runtime Monitoring finding provides the ECS task details in the finding's details panel or in the resource.ecsClusterDetails.taskDetails section in the finding JSON.
  - Isolate the affected task: Isolate the impacted task by denying all ingress and egress traffic to the task. A deny-all traffic rule may help stop an attack that is already underway by severing all connections to the task.
  - Remediate the compromised task: Identify the vulnerability that compromised the task. Implement the fix for that vulnerability and start a new replacement task. Stop the vulnerable task.
- Container: If the Resource type in the finding details is Container, it indicates that a standalone container is potentially compromised.
When a GuardDuty finding indicates a task compromise, the image used to launch the task could be malicious or compromised. GuardDuty findings identify the container image within the resource.ecsClusterDetails.taskDetails.containers.image field. You can determine whether or not the image is malicious by scanning it for malware.
To remediate a compromised container image
- Stop using the image immediately and remove it from your image repository.
- Identify all of the tasks that are using this image.
- Stop all of the tasks that are using the compromised image. Update their task definitions so that they stop using the compromised image.
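The first steps above (identify the cluster, the task, and the container images from the finding JSON) can be scripted. The following is an added example, not code from the GuardDuty documentation or the GuardDuty service: it reads a constructed finding shaped after the field paths named above (resource.resourceType, resource.ecsClusterDetails, resource.ecsClusterDetails.taskDetails.containers.image) and produces the identifiers a responder needs; all ARNs, ids and image names are placeholders, and the triage() helper is this example's own.

```python
import json

# Constructed sample finding (shape follows the field paths named on this page;
# the finding id, ARNs and image names are placeholders, not real resources).
SAMPLE_FINDING = json.dumps({
    "id": "EXAMPLE-FINDING-ID",
    "resource": {
        "resourceType": "ECSCluster",
        "ecsClusterDetails": {
            "name": "example-cluster",
            "arn": "arn:aws:ecs:us-east-1:111122223333:cluster/example-cluster",
            "taskDetails": {
                "arn": "arn:aws:ecs:us-east-1:111122223333:task/example-cluster/0123456789abcdef",
                "definitionArn": "arn:aws:ecs:us-east-1:111122223333:task-definition/example-app:7",
                "containers": [
                    {"name": "web", "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/example-web:1.4"},
                    {"name": "sidecar", "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/example-web:1.4"},
                    {"name": "cache", "image": "public.ecr.aws/docker/library/redis:7"},
                ],
            },
        },
    },
})

# What each Resource type indicates, as described in the remediation section above.
SCOPE_BY_RESOURCE_TYPE = {
    "Instance": "EC2 instance or EKS node",
    "EKSCluster": "pod or container inside an EKS cluster",
    "ECSCluster": "ECS task or container inside an ECS task",
    "Container": "standalone container",
}

def triage(finding_json: str) -> dict:
    """Pull the identifiers a responder needs from a Runtime Monitoring finding."""
    finding = json.loads(finding_json)
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType", "")
    summary = {
        "finding_id": finding.get("id"),
        "resource_type": rtype,
        "likely_compromised": SCOPE_BY_RESOURCE_TYPE.get(rtype, "unknown resource type"),
    }
    # resource.ecsClusterDetails is only present for ECS findings; never assume it.
    ecs = resource.get("ecsClusterDetails")
    if ecs:
        task = ecs.get("taskDetails", {})
        summary["cluster_arn"] = ecs.get("arn")
        summary["task_arn"] = task.get("arn")
        summary["task_definition_arn"] = task.get("definitionArn")
        # Deduplicate images: one image can back several containers, and each distinct
        # image is what gets scanned for malware and removed from other task definitions.
        summary["images_to_scan"] = sorted({c["image"] for c in task.get("containers", []) if c.get("image")})
    return summary

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```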