

# Enabling GuardDuty automated agent for Amazon EC2 resources in a standalone account
<a name="manage-agent-ec2-standalone-account"></a>

A standalone account owns the decision to enable or disable a protection plan in its Amazon Web Services account in a specific Amazon Web Services Region.

If your account is associated with a GuardDuty administrator account through Amazon Organizations, or by the method of invitation, this section doesn't apply to your account. For more information, see [Enabling Runtime Monitoring for multiple-account environments](enable-runtime-monitoring-multiple-acc-env.md).

After you enable Runtime Monitoring, make sure that the GuardDuty security agent gets installed, either through automated agent configuration or by manual deployment. Installing the security agent is part of completing all the steps listed in the following procedure.

Depending on whether you want to monitor all or only selected Amazon EC2 resources, choose a method and follow the steps in the corresponding tab.

------
#### [ Configure for all instances ]

**To configure Runtime Monitoring for all instances in your standalone account**

1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/).

1. In the navigation pane, choose **Runtime Monitoring**.

1. Under the **Configuration** tab, choose **Edit**.

1. In the **EC2** section, choose **Enable**.

1. Choose **Save**.

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to your account.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association (`GuardDutyRuntimeMonitoring-do-not-delete`). Observe that the **Tag key** appears as **InstanceIds**. 

------
#### [ Using inclusion tag in selected instances ]

**To configure GuardDuty security agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`true` tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tag.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association that gets created (`GuardDutyRuntimeMonitoring-do-not-delete`). The **Tag key** appears as **tag:GuardDutyManaged**.

------
#### [ Using exclusion tag in selected instances ]

**Note**  
Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

**To configure GuardDuty security agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`false` tag to the instances that you **don't** want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. **For the [exclusion tags to be available](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#general-runtime-monitoring-prereq-ec2) in the instance metadata, perform the following steps:**

   1. Under the **Details** tab of your instance, view the status for **Allow tags in instance metadata**.

      If it is currently **Disabled**, use the following steps to change the status to **Enabled**. Otherwise, skip this step.

   1. Select the instance for which you want to allow tags.

   1. Under the **Actions** menu, choose **Instance settings**.

   1. Choose **Allow tags in instance metadata**.

   1. Under **Access to tags in instance metadata**, select **Allow**.

   1. Choose **Save**.

1. After you have added the exclusion tag, perform the same steps as specified in the **Configure for all instances** tab.

------
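The inclusion and exclusion tag rules from the tabs above, as an added Python example that is not part of the GuardDuty documentation: it audits which instances the automated agent would cover and flags instances whose exclusion tag is not visible because tags are not allowed in instance metadata. It models the behaviour this page describes (an assumption, not a GuardDuty API) and takes input in the shape of the EC2 `describe_instances` response, so real boto3 output can be passed in; the sample instances below are constructed.

```python
INCLUSION_TAG = "GuardDutyManaged"  # tag key GuardDuty looks for (from this page)

def instance_coverage(instance, agent_enabled_for_all):
    """Return (covered, reason) for one describe_instances instance record.

    Assumed model of this page's rules:
      - agent enabled for all instances: every instance is covered unless it
        carries GuardDutyManaged=false AND tags are allowed in instance metadata
      - agent not enabled for all: only instances tagged GuardDutyManaged=true
    """
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    value = tags.get(INCLUSION_TAG, "").lower()
    metadata_tags_on = (instance.get("MetadataOptions", {})
                        .get("InstanceMetadataTags") == "enabled")
    if agent_enabled_for_all:
        if value == "false" and metadata_tags_on:
            return False, "excluded by GuardDutyManaged=false"
        if value == "false":
            return True, "exclusion tag NOT honored: tags not allowed in instance metadata"
        return True, "covered by automated agent (all instances)"
    if value == "true":
        return True, "included by GuardDutyManaged=true"
    return False, "not tagged for inclusion"

def audit(describe_instances_response, agent_enabled_for_all):
    """Map InstanceId -> (covered, reason) for every instance in the response."""
    results = {}
    for reservation in describe_instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            results[inst["InstanceId"]] = instance_coverage(inst, agent_enabled_for_all)
    return results

# Constructed sample in describe_instances shape; instance IDs are placeholders.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "GuardDutyManaged", "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "enabled"}},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "GuardDutyManaged", "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "GuardDutyManaged", "Value": "true"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
]}]}

if __name__ == "__main__":
    # For a live audit: audit(boto3.client("ec2").describe_instances(), True)
    for mode in (True, False):  # with and without "Configure for all instances"
        print(f"automated agent for all instances = {mode}")
        for iid, (covered, why) in audit(SAMPLE, mode).items():
            print(f"  {iid}: {'COVERED' if covered else 'not covered'} ({why})")
```

The "NOT honored" reason is the case the note in the exclusion tab warns about: the instance is tagged `GuardDutyManaged`:`false` but will still receive the agent.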

You can now assess the runtime coverage of your instances. For more information, see [Runtime coverage and troubleshooting for Amazon EC2 instance](gdu-assess-coverage-ec2.md).