EKS Protection in Amazon GuardDuty
GuardDuty EKS Protection enables Amazon GuardDuty to detect suspicious activities and potential compromises of your Kubernetes clusters within Amazon Elastic Kubernetes Service (Amazon EKS).
EKS Protection is an optional enhancement that enables GuardDuty to consume Kubernetes data sources. The process for enabling or disabling GuardDuty EKS Protection is covered in this topic.
We strongly recommend that you do not disable EKS Protection in GuardDuty. If the feature is not enabled, the ability of GuardDuty to monitor or generate findings for suspicious activity within your Amazon EKS environment is limited.
How GuardDuty uses Kubernetes data sources
When EKS Protection is enabled, GuardDuty uses optional data sources to detect threats against the Kubernetes API. Currently, the following data sources can be ingested with Kubernetes protection enabled:
- Kubernetes audit logs
Kubernetes audit logs are a feature of all Kubernetes clusters that capture chronological API activity from users, applications, and the control plane. When EKS Protection is enabled, GuardDuty ingests these logs from Amazon EKS to produce Kubernetes findings for your Amazon EKS resources without requiring you to turn on or store these logs yourself. For more information, see Kubernetes audit logs.
When EKS Protection is enabled, GuardDuty immediately begins to analyze Kubernetes data sources from your Amazon EKS clusters and monitor them for malicious and suspicious activity. For more information, see How Amazon GuardDuty uses its data sources.
If you disable GuardDuty EKS Protection, GuardDuty immediately stops consuming this data source and stops monitoring your EKS clusters.
Configuring EKS Protection for a standalone account
You can disable or enable GuardDuty EKS Protection through the console or the UpdateDetector API operation.
To configure EKS Protection for your account, see the following configuration options.
To enable or disable EKS Protection
Choose one of the following access methods for instructions on enabling or disabling GuardDuty EKS Protection for a standalone account.
Configuring EKS Protection in multiple-account environments
In a multi-account environment, only GuardDuty delegated administrator accounts can configure EKS Protection. GuardDuty delegated administrators can enable or disable Kubernetes protection for their member accounts. GuardDuty member accounts cannot enable or disable this data source.
GuardDuty administrator accounts that manage their member accounts with Amazon Organizations can choose to have EKS Protection automatically enabled on all new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.
Automatically enabling EKS Protection for Organization member accounts
This functionality is only available to GuardDuty delegated administrators with members incorporated through Amazon Organizations.
- Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
- In the navigation pane, under Settings, choose Accounts.
- Ensure that Auto-enable for GuardDuty is turned on. If it is off, you can enable it by choosing Enable from the banner or by choosing Auto-enable is OFF. This feature automatically enables GuardDuty for new member accounts when they join your organization and must be turned on to auto-enable EKS Protection.
- Once Auto-enable for GuardDuty is turned on, you can enable EKS Protection for your new members by selecting the Kubernetes Protection toggle icon. Choose Update Settings to confirm.
To manually enable or disable EKS Protection in member accounts
Choose your access method below for instructions on enabling or disabling Kubernetes protection for member accounts.
Automatically disabling EKS Protection for new GuardDuty accounts
By default, EKS Protection is enabled automatically for all GuardDuty accounts.
If you are a GuardDuty administrator enabling GuardDuty for the first time on a new account and you do not want EKS Protection enabled by default, you can disable it by calling the CreateDetector API operation with the optional dataSources object. The following example uses the Amazon CLI to create a new GuardDuty detector with EKS Protection disabled.
aws guardduty create-detector --enable --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":false}}}'
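The same dataSources object is what you inspect when auditing existing detectors. The following Python is an added example, not code from this documentation or from GuardDuty: it evaluates constructed GetDetector responses (the DataSources.Kubernetes.AuditLogs.Status field is the assumed response shape), flags accounts where EKS Protection is off, and builds the matching update-detector commands for review. Account numbers and detector IDs are placeholders.

```python
import json

# Constructed sample GetDetector responses keyed by account ID (not real data).
# The Kubernetes.AuditLogs.Status field is the assumed GetDetector response shape.
SAMPLE_DETECTORS = {
    "111111111111": {
        "DetectorId": "EXAMPLE-DETECTOR-ID-1",
        "Status": "ENABLED",
        "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "ENABLED"}}},
    },
    "222222222222": {
        "DetectorId": "EXAMPLE-DETECTOR-ID-2",
        "Status": "ENABLED",
        "DataSources": {"Kubernetes": {"AuditLogs": {"Status": "DISABLED"}}},
    },
    "333333333333": {
        "DetectorId": "EXAMPLE-DETECTOR-ID-3",
        "Status": "ENABLED",
        "DataSources": {},  # older detector: Kubernetes block absent entirely
    },
}


def eks_protection_enabled(detector):
    """True only when the Kubernetes audit-log data source reports ENABLED.
    A missing Kubernetes block is treated as disabled, not as unknown."""
    status = (detector.get("DataSources", {})
                      .get("Kubernetes", {})
                      .get("AuditLogs", {})
                      .get("Status", "DISABLED"))
    return status == "ENABLED"


def data_sources_payload(enable):
    """The dataSources object accepted by CreateDetector and UpdateDetector."""
    return {"Kubernetes": {"AuditLogs": {"Enable": bool(enable)}}}


def remediation_commands(detectors):
    """Return one update-detector CLI command per account whose detector has
    EKS Protection off, sorted by account ID, for a human to review and run."""
    cmds = []
    for account_id in sorted(detectors):
        det = detectors[account_id]
        if eks_protection_enabled(det):
            continue
        payload = json.dumps(data_sources_payload(True), separators=(",", ":"))
        cmds.append(f"aws guardduty update-detector --detector-id {det['DetectorId']} "
                    f"--data-sources '{payload}'  # account {account_id}")
    return cmds
```

In a live audit, the constructed dictionary would be replaced by the result of calling GetDetector in each account.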