How Runtime Monitoring works with Amazon EKS clusters - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Runtime Monitoring works with Amazon EKS clusters

Runtime Monitoring uses an EKS add-on aws-guardduty-agent, also called as GuardDuty security agent. After GuardDuty security agent gets deployed on your EKS clusters, GuardDuty is able to receive runtime events for these EKS clusters.

You can monitor the runtime events of your Amazon EKS clusters at either account or cluster level. You can manage the GuardDuty security agent for only those Amazon EKS clusters that you want to monitor for threat detection. You can manage the GuardDuty security agent either manually or by allowing GuardDuty to manage it on your behalf, by using Automated agent configuration.

When you use the automated agent configuration approach to allow GuardDuty to manage the deployment of the security agent on your behalf, it will automatically create an Amazon Virtual Private Cloud (Amazon VPC) endpoint. The security agent delivers the runtime events to GuardDuty by using this Amazon VPC endpoint.

Note

There is no additional cost for the usage of the VPC endpoint.

Presently, GuardDuty supports Amazon EKS clusters running on Amazon EC2 instances. GuardDuty doesn't support Amazon EKS clusters running on Amazon Fargate.