Kubernetes Protection in Amazon GuardDuty - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

GuardDuty Kubernetes Protection enables Amazon GuardDuty to detect suspicious activities and potential compromises of your Kubernetes clusters within Amazon Elastic Kubernetes Service (Amazon EKS).

Kubernetes Protection is an optional enhancement that enables GuardDuty to consume Kubernetes data sources. The process for enabling or disabling GuardDuty Kubernetes Protection is covered in this topic.

We strongly recommend that you do not disable Kubernetes Protection in GuardDuty. If the feature is not enabled, the ability of GuardDuty to monitor or generate findings for suspicious activity within your Amazon EKS environment is limited.

Understanding how GuardDuty uses Kubernetes data sources

When Kubernetes Protection is enabled, GuardDuty uses optional data sources to detect threats against the Kubernetes API. Currently, the following data source can be ingested when Kubernetes Protection is enabled:

Kubernetes audit logs

Kubernetes audit logs are a feature of all Kubernetes clusters that capture chronological API activity from users, applications, and the control plane. When Kubernetes Protection is enabled, GuardDuty ingests these logs from Amazon EKS to produce Kubernetes findings for your Amazon EKS resources without requiring you to turn on or store these logs. For more information, see Kubernetes audit logs.

When Kubernetes Protection is enabled, GuardDuty immediately begins to analyze Kubernetes data sources from your Amazon EKS clusters and monitor them for malicious and suspicious activity. For more information, see How Amazon GuardDuty uses its data sources.

If you disable GuardDuty Kubernetes Protection, GuardDuty immediately stops consuming this data source and stops monitoring your EKS clusters.

Configuring Kubernetes Protection for a standalone account

You can disable or enable GuardDuty Kubernetes Protection through the console or the UpdateDetector API operation.

To configure Kubernetes Protection for your account, see the following configuration options.

To enable or disable Kubernetes Protection

Choose one of the following access methods for instructions on enabling or disabling GuardDuty Kubernetes Protection for a standalone account.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Kubernetes Protection.

  3. The Kubernetes protection pane lists the current status of Kubernetes protection for your account. You may enable or disable it at any time by selecting Enable or Disable respectively, then confirming your selection.

API
  • Run the updateDetector API operation using your own Regional detector ID and pass the dataSources object with the Kubernetes audit logs Enable flag set to true or false, for example {"Kubernetes":{"AuditLogs":{"Enable":true}}}, to enable or disable.

    You can also enable or disable GuardDuty Kubernetes Protection using Amazon command line tools by running the following Amazon CLI command. Make sure to use your own valid detector ID.

    Note

    The following example code enables GuardDuty Kubernetes Protection. To disable it, replace true with false.

    You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":true}}}'

Configuring Kubernetes Protection in multiple-account environments

In a multi-account environment, only GuardDuty delegated administrator accounts can configure Kubernetes Protection. GuardDuty delegated administrators can enable or disable Kubernetes protection for their member accounts. GuardDuty member accounts cannot enable or disable this data source.

GuardDuty administrator accounts that manage their member accounts with Amazon Organizations can choose to have Kubernetes Protection automatically enabled on all new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.

Automatically enabling Kubernetes Protection for Organization member accounts

Note

This functionality is only available to GuardDuty delegated administrators with members incorporated through Amazon Organizations.

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

  3. Ensure that Auto-enable for GuardDuty is turned on. If it is off, you can enable it by choosing Enable from the banner or by choosing Auto-enable is OFF. This feature automatically enables GuardDuty for new member accounts when they join your organization and must be turned on to auto-enable Kubernetes Protection.

  4. Once Auto-enable for GuardDuty is turned on, you can enable Kubernetes Protection for your new members by selecting the Kubernetes Protection toggle icon. Choose Update Settings to confirm.

To manually enable or disable Kubernetes Protection in member accounts

Choose your access method below for instructions on enabling or disabling Kubernetes protection for member accounts.

Console

To enable Kubernetes Protection for all accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. If you want to enable Kubernetes Protection for all accounts at once, choose Kubernetes Protection from the navigation pane.

  3. You will see a statement reflecting the number of accounts you manage that have Kubernetes Protection enabled. Choose Enable all to enable Kubernetes Protection for all accounts.

    Note

    If you manage accounts within an organization, this action also enables the Auto-enable feature to automatically enable Kubernetes Protection for future member accounts within your organization.

To manually enable or disable Kubernetes Protection in member accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

    Note

    From the Accounts table, review the Kubernetes Protection column. A green checkmark icon indicates that Kubernetes Protection is enabled, and a blue dash icon indicates that it is disabled. If this column is blank, the account is not eligible for Kubernetes Protection. You can also filter by Enabled or Disabled.

  3. Choose the account that you want to configure for Kubernetes Protection. From the Actions menu choose Enable Kubernetes Protection or Disable Kubernetes Protection. Confirm your selection to change the settings for the selected account. The table updates automatically to show your changes.

API

To selectively enable or disable Kubernetes Protection for your member accounts, run the updateMemberDetectors API operation using your own detector ID. The following example shows how you can enable Kubernetes Protection for a single member account. To disable it, replace true with false.

You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":true}}}'

Note

You can also pass a list of account IDs separated by a space.

When the code has successfully run, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
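The two API procedures above (updateDetector for a standalone detector, updateMemberDetectors for member accounts, including the UnprocessedAccounts check) as one added example script; this is not code from the Amazon documentation. It assumes a client with boto3's guardduty method and response shapes (GetDetector reporting DataSources.Kubernetes.AuditLogs.Status, UpdateMemberDetectors returning UnprocessedAccounts) and includes a constructed offline stand-in client; the account IDs 111111111111 and 222222222222 are constructed sample values.

```python
from typing import Any, Dict, List

# dataSources payload shape for UpdateDetector / UpdateMemberDetectors (from the CLI examples).
K8S_AUDIT_ENABLED = {"Kubernetes": {"AuditLogs": {"Enable": True}}}


def k8s_audit_status(detector: Dict[str, Any]) -> str:
    """Read ENABLED/DISABLED from a GetDetector response; 'UNKNOWN' if the key is absent."""
    return (detector.get("DataSources", {}).get("Kubernetes", {})
            .get("AuditLogs", {}).get("Status", "UNKNOWN"))


def ensure_detector_k8s_protection(client, detector_id: str) -> str:
    """Turn on Kubernetes audit log ingestion for the caller's own detector if it is off."""
    if k8s_audit_status(client.get_detector(DetectorId=detector_id)) == "ENABLED":
        return "already-enabled"
    client.update_detector(DetectorId=detector_id, DataSources=K8S_AUDIT_ENABLED)
    return "enabled"


def ensure_members_k8s_protection(client, detector_id: str, account_ids: List[str]) -> Dict[str, str]:
    """Enable Kubernetes Protection on member accounts (delegated administrator only).

    Returns {account_id: "ok" | failure reason}. Failures are not raised by the API;
    they come back in UnprocessedAccounts, so each batch response is inspected.
    """
    results = {acct: "ok" for acct in account_ids}
    for i in range(0, len(account_ids), 50):  # the API accepts at most 50 AccountIds per call
        resp = client.update_member_detectors(
            DetectorId=detector_id, AccountIds=account_ids[i:i + 50], DataSources=K8S_AUDIT_ENABLED)
        for item in resp.get("UnprocessedAccounts", []):
            results[item["AccountId"]] = item.get("Result", "unprocessed")
    return results


class FakeGuardDuty:
    """Constructed offline stand-in for boto3.client('guardduty'); sample data, not AWS."""
    def __init__(self, own_status: str, non_members: List[str]):
        self.own_status, self.non_members, self.calls = own_status, set(non_members), []

    def get_detector(self, DetectorId):
        return {"DataSources": {"Kubernetes": {"AuditLogs": {"Status": self.own_status}}}}

    def update_detector(self, DetectorId, DataSources):
        self.calls.append(("update_detector", DetectorId, DataSources))
        return {}

    def update_member_detectors(self, DetectorId, AccountIds, DataSources):
        self.calls.append(("update_member_detectors", tuple(AccountIds)))
        return {"UnprocessedAccounts": [{"AccountId": a, "Result": "Account is not a member"}
                                        for a in AccountIds if a in self.non_members]}
```

To run against a real account, pass boto3.client("guardduty") instead of FakeGuardDuty and take the detector ID from ListDetectors.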

Note

If you use scripts to add new accounts and want to disable Kubernetes Protection in your new accounts, you can modify the createDetector API operation with the optional dataSources object as described in this topic.

Automatically disabling Kubernetes Protection for new GuardDuty accounts

Important

By default, Kubernetes Protection is enabled automatically for all GuardDuty accounts.

If you are a GuardDuty administrator enabling GuardDuty for the first time on a new account, and you do not want Kubernetes Protection enabled by default, you can disable it by modifying the createDetector API operation with the optional dataSources object. The following example uses the Amazon CLI to enable a new GuardDuty detector with the Kubernetes Protection disabled.

aws guardduty create-detector --enable --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":false}}}'