Kubernetes Protection in Amazon GuardDuty
GuardDuty Kubernetes Protection enables Amazon GuardDuty to detect suspicious activities and potential compromises of your Kubernetes clusters within Amazon Elastic Kubernetes Service (Amazon EKS).
Kubernetes Protection is an optional enhancement that enables GuardDuty to consume Kubernetes data sources. The process for enabling or disabling GuardDuty Kubernetes Protection is covered in this topic.
We strongly recommend that you do not disable Kubernetes Protection in GuardDuty. If the feature is not enabled, the ability of GuardDuty to monitor or generate findings for suspicious activity within your Amazon EKS environment is limited.
Understanding how GuardDuty uses Kubernetes data sources
When Kubernetes Protection is enabled, GuardDuty uses optional data sources to detect threats against the Kubernetes API. Currently, the following data sources can be ingested with Kubernetes Protection enabled:
- Kubernetes audit logs
Kubernetes audit logs are a feature of all Kubernetes clusters that capture chronological API activity from users, applications, and the control plane. When Kubernetes Protection is enabled, GuardDuty ingests these logs from Amazon EKS to produce Kubernetes findings for your Amazon EKS resources without requiring you to turn on or store these logs. For more information, see Kubernetes audit logs.
When Kubernetes Protection is enabled, GuardDuty immediately begins to analyze Kubernetes data sources from your Amazon EKS clusters and monitor them for malicious and suspicious activity. For more information, see How Amazon GuardDuty uses its data sources.
If you disable GuardDuty Kubernetes Protection, GuardDuty immediately stops consuming this data source and stops monitoring your EKS clusters.
Configuring Kubernetes Protection for a standalone account
You can disable or enable GuardDuty Kubernetes Protection through the console or the UpdateDetector API operation.
To configure Kubernetes Protection for your account, see the following configuration options.
To enable or disable Kubernetes Protection
Choose one of the following access methods for instructions on enabling or disabling GuardDuty Kubernetes Protection for a standalone account.
Configuring Kubernetes Protection in multiple-account environments
In a multi-account environment, only GuardDuty delegated administrator accounts can configure Kubernetes Protection. GuardDuty delegated administrators can enable or disable Kubernetes Protection for their member accounts. GuardDuty member accounts cannot enable or disable this data source.
GuardDuty administrator accounts that manage their member accounts with Amazon Organizations can choose to have Kubernetes Protection automatically enabled on all new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.
Automatically enabling Kubernetes Protection for Organization member accounts
This functionality is only available to GuardDuty delegated administrators with members incorporated through Amazon Organizations.
- Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
- In the navigation pane, under Settings, choose Accounts.
- Ensure that Auto-enable for GuardDuty is turned on. If it is off, you can enable it by choosing Enable from the banner or by choosing Auto-enable is OFF. This feature automatically enables GuardDuty for new member accounts when they join your organization and must be turned on to auto-enable Kubernetes Protection.
- Once Auto-enable for GuardDuty is turned on, you can enable Kubernetes Protection for your new members by selecting the Kubernetes Protection toggle icon. Choose Update Settings to confirm.
To manually enable or disable Kubernetes Protection in member accounts
Choose your access method below for instructions on enabling or disabling Kubernetes Protection for member accounts.
Automatically disabling Kubernetes Protection for new GuardDuty accounts
By default, Kubernetes Protection is enabled automatically for all GuardDuty accounts.
If you are a GuardDuty administrator enabling GuardDuty for the first time on a new account, and you do not want Kubernetes Protection enabled by default, you can disable it by calling the CreateDetector API operation with the optional dataSources object. The following example uses the Amazon CLI to enable a new GuardDuty detector with Kubernetes Protection disabled.
aws guardduty create-detector --enable --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":false}}}'
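The following script is an added example, not part of the GuardDuty documentation: it audits every detector in the current region for the Kubernetes audit log data source using the same GetDetector / UpdateDetector operations described above, and can re-enable the feature where it was turned off. The pure helper works on the GetDetector response shape and is exercised on constructed sample responses; the main() path assumes boto3 is installed and credentials are configured.

```python
"""Audit (and optionally re-enable) GuardDuty Kubernetes Protection (added example)."""
import json
import sys

# Constructed sample responses in the shape GetDetector returns; not real account data.
SAMPLE_ENABLED = {
    "Status": "ENABLED",
    "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "ENABLED"}}},
}
SAMPLE_DISABLED = {
    "Status": "ENABLED",
    "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "DISABLED"}}},
}
# A response with no Kubernetes block at all (e.g. from an older API shape).
SAMPLE_MISSING = {"Status": "ENABLED", "DataSources": {"CloudTrail": {"Status": "ENABLED"}}}


def audit_kubernetes_protection(detector):
    """Return (status, remediation) for one GetDetector response.

    status is "ENABLED", "DISABLED" or "UNKNOWN" (field absent); remediation is the
    DataSources payload for UpdateDetector that would enable the feature, or None
    when nothing needs to change.
    """
    audit_logs = detector.get("DataSources", {}).get("Kubernetes", {}).get("AuditLogs", {})
    status = audit_logs.get("Status", "UNKNOWN")
    if status == "ENABLED":
        return status, None
    # Same payload shape as the CLI example: {"Kubernetes":{"AuditLogs":{"Enable":true}}}
    return status, {"Kubernetes": {"AuditLogs": {"Enable": True}}}


def main(enable=False):
    """Report every detector in the current region; remediate when enable=True."""
    import boto3  # assumed: boto3 installed, credentials and region configured

    gd = boto3.client("guardduty")
    for detector_id in gd.list_detectors()["DetectorIds"]:
        status, fix = audit_kubernetes_protection(gd.get_detector(DetectorId=detector_id))
        print(f"{detector_id}: Kubernetes audit logs {status}")
        if fix and enable:
            gd.update_detector(DetectorId=detector_id, DataSources=fix)
            print(f"{detector_id}: enabled via UpdateDetector {json.dumps(fix)}")


if __name__ == "__main__":
    main(enable="--enable" in sys.argv)
```

Run without arguments for a read-only report; pass --enable to turn Kubernetes Protection back on for any detector that reports it DISABLED.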