EKS Protection in Amazon GuardDuty - Amazon GuardDuty
How GuardDuty uses Kubernetes data sourcesConfiguring EKS Protection for a standalone accountConfiguring EKS Protection in multiple-account environmentsAutomatically disabling EKS Protection for new GuardDuty accounts
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

EKS Protection in Amazon GuardDuty

GuardDuty EKS Protection enables Amazon GuardDuty to detect suspicious activities and potential compromises of your Kubernetes clusters within Amazon Elastic Kubernetes Service (Amazon EKS).

EKS Protection is an optional enhancement that enables GuardDuty to consume Kubernetes data sources. The process for enabling or disabling GuardDuty EKS Protection is covered in this topic.

We strongly recommend that you do not disable EKS Protection in GuardDuty. If the feature is not enabled, the ability of GuardDuty to monitor or generate findings for suspicious activity within your Amazon EKS environment is limited.

How GuardDuty uses Kubernetes data sources

When EKS Protection is enabled, GuardDuty uses optional data sources to detect threats against Kubernetes API. Currently the following data sources can be ingested with Kubernetes protection enabled:

Kubernetes audit logs

Kubernetes audit logs are a feature of all Kubernetes clusters that capture chronological API activity from users, applications, and the control plane. When EKS Protection is enabled, GuardDuty ingests these logs from Amazon EKS to produce Kubernetes findings for your Amazon EKS resources without requiring you to turn on or store these logs. For more information see Kubernetes audit logs

When EKS Protection is enabled, GuardDuty immediately begins to analyze Kubernetes data sources from your Amazon EKS clusters and monitor them for malicious and suspicious activity. For more information, see How Amazon GuardDuty uses its data sources.

If you disable GuardDuty EKS Protection, GuardDuty immediately stops consuming this data source and stops monitoring your EKS clusters.

Configuring EKS Protection for a standalone account

You can disable or enable GuardDuty EKS Protection through the console or the UpdateDetector API operation.

To configure EKS Protection for your account, see the following configuration options.

To enable or disable EKS Protection

Choose one of the following access methods for instructions on enabling or disabling GuardDuty EKS Protection for a standalone account.

Console

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose EKS Protection.

  3. The EKS Protection pane lists the current status of Kubernetes protection for your account. You may enable or disable it at any time by selecting Enable or Disable respectively, then confirming your selection.

API

  • Run the updateDetector API operation using your own Regional detector ID and passing the dataSources object with [["Kubernetes Logs":"enable"]] set to true or false to enable or disable.

    You can also enable or disable GuardDuty EKS Protection using Amazon command line tools by running the following Amazon CLI command. Make sure to use your own valid detector ID.

    Note

    The following example code enables GuardDuty EKS Protection. To disable it, replace true with false.

    You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":true}}}'

Configuring EKS Protection in multiple-account environments

In a multi-account environment, only GuardDuty delegated administrator accounts can configure EKS Protection. GuardDuty delegated administrators can enable or disable Kubernetes protection for their member accounts. GuardDuty member accounts cannot enable or disable this data source.

GuardDuty administrator accounts that manage their member accounts with Amazon Organizations can choose to have EKS Protection automatically enabled on all new accounts in the organization. For more information, see Managing GuardDuty accounts with Amazon Organizations.

Automatically enabling EKS Protection for Organization member accounts

Note

This functionality is only available to GuardDuty delegated administrators with members incorporated through Amazon Organizations.

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

  3. Ensure that Auto-enable for GuardDuty is turned on. If it is off, you can enable it by choosing Enable from the banner or by choosing Auto-enable is OFF. This feature automatically enables GuardDuty for new member accounts when they join your organization and must be turned on to auto-enable EKS Protection.

  4. Once Auto-enable for GuardDuty is turned on, you can enable EKS Protection for your new members by selecting the Kubernetes Protection toggle icon. Choose Update Settings to confirm.

To manually enable or disable EKS Protection in member accounts

Choose your access method below for instructions on enabling or disabling Kubernetes protection for member accounts.

Console

To enable EKS Protection for all accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. If you want to enable EKS Protection for all accounts at once, choose EKS Protection from the navigation pane.

  3. You will see a statement reflecting the number of accounts you manage that have EKS Protection enabled. Choose Enable all to enable EKS Protection for all accounts.

    Note

    If you manage accounts within an organization, this action also enables the Auto-enable feature to automatically enable EKS Protection for future member accounts within your organization.

To manually enable or disable EKS Protection in member accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose Accounts.

    Note

    From the Accounts table, review the EKS Protection column. A green checkmark icon indicates that EKS Protection is enabled, and a blue dash icon indicates that it is disabled. If this column is blank, the account is not eligible for EKS Protection. You can also filter by Enabled or Disabled.

  3. Choose the account that you want to configure for Kubernetes Protection. From the Actions menu choose Enable EKS Protection or Disable EKS Protection. Confirm your selection to change the settings for the selected account. The table updates automatically to show your changes.

API

To selectively enable or disable EKS Protection for your member accounts, run the updateMemberDetectors API operation using your own detector ID. The following example shows how you can enable EKS Protection for a single member account. To disable it, replace true with false.

You can find your detectorId for your current Region on the Settings page in the https://console.amazonaws.cn/guardduty/ console, or by using the ListDetectors API.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 123456789012 --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":true}}}'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully run, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Note

If you use scripts to add new accounts and want to disable Kubernetes Protection in your new accounts, you can modify the createDetector API operation with the optional dataSources object as described in this topic.

Automatically disabling EKS Protection for new GuardDuty accounts

Important

By default, EKS Protection is enabled automatically for all GuardDuty accounts.

If you are a GuardDuty administrator enabling GuardDuty for the first time on a new account, and you do not want EKS Protection enabled by default, you can disable it by modifying the createDetector API operation with the optional dataSources object. The following example uses the Amazon CLI to enable a new GuardDuty detector with the EKS Protection disabled. 

aws guardduty create-detector --enable --data-sources '{"Kubernetes":{"AuditLogs":{"Enable":false}}}'