Managing automated security agent for Amazon EC2 instance - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing automated security agent for Amazon EC2 instance

Note

Before you continue, make sure to follow all the Prerequisites for Amazon EC2 instance support.

Migrating from Amazon EC2 manual agent to automated agent

This section applies to your Amazon Web Services account if you were previously managing the security agent manually and now want to use the GuardDuty automated agent configuration. If this doesn't apply to you, continue with configuring the security agent for your account.

When you enable the GuardDuty automated agent, GuardDuty manages the security agent on your behalf. For information about the steps GuardDuty takes, see Use automated agent configuration (recommended).

Clean up resources

Delete SSM association
  • Delete any SSM association that you may have created when you were managing the security agent for Amazon EC2 manually. For more information, see Deleting associations.

  • This is done so that GuardDuty can take over the management of SSM actions, whether you use automated agents at the account level or at the instance level (by using inclusion or exclusion tags). For more information about the SSM actions GuardDuty can take, see Service-linked role permissions for GuardDuty.

  • When you delete an SSM association that was previously created for managing the security agent manually, there might be a brief period of overlap when GuardDuty creates an SSM association for managing the security agent automatically. During this period, you could experience conflicts based on SSM scheduling. For more information, see Amazon EC2 SSM scheduling.
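The cleanup above comes down to finding the associations you created by hand and removing them before (or as) GuardDuty creates its own. The following script is an added example, not code from GuardDuty or Systems Manager. The name of the association GuardDuty creates comes from this page; the way a manual association is recognised (an AWS-ConfigureAWSPackage association whose package name mentions GuardDuty) is an assumption, and the package name in the sample data is a placeholder, so compare the rule with the parameters of the association you actually created. The `overlap` flag reports the situation the page warns about, where both the manual and the GuardDuty-created association exist at the same time.

```python
"""Find SSM associations left over from manually managing the GuardDuty
security agent, so they can be deleted before GuardDuty takes over.

Added example; not GuardDuty's or Systems Manager's own code.
"""
GUARDDUTY_ASSOCIATION = "GuardDutyRuntimeMonitoring-do-not-delete"  # name from the page
PACKAGE_DOCUMENT = "AWS-ConfigureAWSPackage"  # assumption: document used for manual installs
PACKAGE_HINT = "guardduty"                    # assumption: substring of the package name


def is_manual_agent_association(desc: dict) -> bool:
    """True for an association that installs the agent but is not GuardDuty's own.
    `desc` is a DescribeAssociation 'AssociationDescription' record."""
    if desc.get("AssociationName") == GUARDDUTY_ASSOCIATION:
        return False
    if desc.get("Name") != PACKAGE_DOCUMENT:
        return False
    package_names = desc.get("Parameters", {}).get("name", [])
    return any(PACKAGE_HINT in n.lower() for n in package_names)


def plan_cleanup(descriptions: list) -> dict:
    """Split associations into those to delete and GuardDuty's own, and flag
    the overlap period in which both exist (SSM scheduling may conflict)."""
    manual = [d["AssociationId"] for d in descriptions if is_manual_agent_association(d)]
    guardduty = [d["AssociationId"] for d in descriptions
                 if d.get("AssociationName") == GUARDDUTY_ASSOCIATION]
    return {"delete": manual, "keep": guardduty, "overlap": bool(manual) and bool(guardduty)}


# Constructed sample records (placeholder ids and package name, not real data).
SAMPLE_DESCRIPTIONS = [
    {"AssociationId": "assoc-manual-1", "AssociationName": "install-gd-agent",
     "Name": "AWS-ConfigureAWSPackage",
     "Parameters": {"action": ["Install"], "name": ["Example-GuardDuty-Agent-Package"]}},
    {"AssociationId": "assoc-gd-1", "AssociationName": GUARDDUTY_ASSOCIATION,
     "Name": "AWS-ConfigureAWSPackage",
     "Parameters": {"action": ["Install"], "name": ["Example-GuardDuty-Agent-Package"]}},
    {"AssociationId": "assoc-other", "AssociationName": "patch-scan",
     "Name": "AWS-RunPatchBaseline", "Parameters": {"Operation": ["Scan"]}},
]


def live_descriptions(region: str) -> list:
    """Fetch every association's description from a real account
    (boto3 imported lazily; assumed to be installed and configured)."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    out = []
    for page in ssm.get_paginator("list_associations").paginate():
        for a in page["Associations"]:
            out.append(ssm.describe_association(
                AssociationId=a["AssociationId"])["AssociationDescription"])
    return out


def delete_associations(region: str, association_ids: list, dry_run: bool = True) -> list:
    """Delete the planned associations; dry_run only reports what would go."""
    if dry_run:
        return list(association_ids)
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    for aid in association_ids:
        ssm.delete_association(AssociationId=aid)
    return list(association_ids)


if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE_DESCRIPTIONS)
    print("delete:", plan["delete"], "keep:", plan["keep"], "overlap:", plan["overlap"])
```

Run `plan_cleanup(live_descriptions(region))` first and review the `delete` list before calling `delete_associations` with `dry_run=False`; the overlap flag tells you whether GuardDuty's association already exists, which is the window in which scheduling conflicts can occur.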

Manage inclusion and exclusion tags for your Amazon EC2 instances
  • Inclusion tags – When you don't enable GuardDuty automated agent configuration but tag any of your Amazon EC2 instances with an inclusion tag (GuardDutyManaged:true), GuardDuty creates an SSM association that will install and manage the security agent on the selected EC2 instances. This is an expected behavior that helps you manage the security agent on selected EC2 instances only. For more information, see How Runtime Monitoring works with Amazon EC2 instances.

    To prevent GuardDuty from installing and managing the security agent, remove the inclusion tag from these EC2 instances. For more information, see Add and delete tags in the Amazon EC2 User Guide.

  • Exclusion tags – When you want to enable GuardDuty automated agent configuration for all the EC2 instances in your account, make sure that no EC2 instance is tagged with an exclusion tag (GuardDutyManaged:false).

Configuring GuardDuty agent for standalone account

Configure for all instances
To configure Runtime Monitoring for all instances in your standalone account
  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Runtime Monitoring.

  3. Under the Configuration tab, choose Edit.

  4. In the EC2 section, choose Enable.

  5. Choose Save.

  6. You can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to your account.

    1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

    2. Open the Targets tab for the SSM association (GuardDutyRuntimeMonitoring-do-not-delete). Observe that the Tag key appears as InstanceIds.

Using inclusion tag in selected instances
To configure GuardDuty security agent for selected Amazon EC2 instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:true tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

  3. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tags.

    1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

    2. Open the Targets tab for the SSM association that gets created (GuardDutyRuntimeMonitoring-do-not-delete). The Tag key appears as tag:GuardDutyManaged.

Using exclusion tag in selected instances
Note

Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

To configure GuardDuty security agent for selected Amazon EC2 instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:false tag to the instances that you don't want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

  3. For the exclusion tags to be available in the instance metadata, perform the following steps:
    1. Under the Details tab of your instance, view the status for Allow tags in instance metadata.

      If it is currently Disabled, use the following steps to change the status to Enabled. Otherwise, skip this step.

    2. Select the instance for which you want to allow tags.

    3. Under the Actions menu, choose Instance settings.

    4. Choose Allow tags in instance metadata.

    5. Under Access to tags in instance metadata, select Allow.

    6. Choose Save.

  4. After you have added the exclusion tag, perform the same steps as specified in the Configure for all instances tab.

You can now assess runtime Coverage for Amazon EC2 instance.
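The tag rules above (an inclusion tag brings an instance under management even without the account-level setting, an exclusion tag only matters once the account-level setting is on, and only takes effect if tags are exposed in the instance metadata) and the verification step (the association's Targets key is InstanceIds for account-level enablement and tag:GuardDutyManaged for inclusion tags) can be checked from the API rather than the console. The script below is an added example, not GuardDuty's own code. The tag values, the association name and the expected Targets keys come from this page; the `MetadataOptions.InstanceMetadataTags` field is EC2's DescribeInstances representation of "Allow tags in instance metadata", and the `Values` entry in the sample association is an assumption. The sample instances are constructed.

```python
"""Audit which EC2 instances GuardDuty's automated agent configuration will
manage, given the account-level setting and the GuardDutyManaged tags, and
check the Targets of the SSM association GuardDuty creates.

Added example; not GuardDuty's own code.
"""
from dataclasses import dataclass

TAG_KEY = "GuardDutyManaged"                                  # from the page
ASSOCIATION_NAME = "GuardDutyRuntimeMonitoring-do-not-delete"  # from the page


@dataclass
class Instance:
    instance_id: str
    tags: dict
    metadata_tags_enabled: bool  # EC2 "Allow tags in instance metadata"


def coverage(inst: Instance, account_enabled: bool) -> str:
    """Classify one instance as 'managed', 'excluded', 'not-managed', or
    'check-metadata-tags' (exclusion tag present but not exposed in the
    instance metadata, so it may not take effect)."""
    value = inst.tags.get(TAG_KEY, "").lower()
    if value == "true":        # inclusion tag: managed even without account-level enablement
        return "managed"
    if not account_enabled:    # nothing else is managed until the account setting is on
        return "not-managed"
    if value == "false":       # exclusion tag is only meaningful once the account is enabled
        return "excluded" if inst.metadata_tags_enabled else "check-metadata-tags"
    return "managed"


def parse_describe_instances(response: dict) -> list:
    """Flatten a DescribeInstances response into Instance records."""
    out = []
    for reservation in response.get("Reservations", []):
        for i in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in i.get("Tags", [])}
            meta = i.get("MetadataOptions", {}).get("InstanceMetadataTags", "disabled")
            out.append(Instance(i["InstanceId"], tags, meta == "enabled"))
    return out


def audit(response: dict, account_enabled: bool) -> dict:
    """Map instance id -> coverage status for one DescribeInstances page."""
    return {i.instance_id: coverage(i, account_enabled)
            for i in parse_describe_instances(response)}


def expected_target_key(account_enabled: bool) -> str:
    """Targets key the page says to expect on GuardDuty's association."""
    return "InstanceIds" if account_enabled else "tag:" + TAG_KEY


def association_target_ok(association: dict, account_enabled: bool) -> bool:
    """Check a DescribeAssociation 'AssociationDescription' against the expectation."""
    if association.get("AssociationName") != ASSOCIATION_NAME:
        return False
    keys = {t.get("Key") for t in association.get("Targets", [])}
    return expected_target_key(account_enabled) in keys


# Constructed sample data (placeholder instance ids, not real resources).
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": TAG_KEY, "Value": "true"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": TAG_KEY, "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "enabled"}},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": TAG_KEY, "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Name", "Value": "web"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
]}]}

# Constructed; the "Values" entry is an assumption, only "Key" is checked above.
SAMPLE_ASSOCIATION = {"AssociationName": ASSOCIATION_NAME,
                      "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]}


def live_audit(region: str, account_enabled: bool) -> dict:
    """Run the same audit against a real account (boto3 imported lazily; assumed installed)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    result = {}
    for page in ec2.get_paginator("describe_instances").paginate():
        result.update(audit(page, account_enabled))
    return result


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"account-level automated agent enabled={enabled}:")
        for iid, status in audit(SAMPLE_DESCRIBE_INSTANCES, enabled).items():
            print(f"  {iid}: {status}")
        print("  association targets ok:", association_target_ok(SAMPLE_ASSOCIATION, enabled))
```

Any instance reported as `check-metadata-tags` has the exclusion tag but not the "Allow tags in instance metadata" setting, which is the case the exclusion-tag procedures on this page exist to fix; pass `account_enabled` from the Runtime Monitoring configuration you actually have (standalone or delegated administrator), since the same tags mean different things under the two settings.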

Configuring GuardDuty agent in a multiple-account environment

Delegated GuardDuty administrator account

Configure for all instances

If you chose Enable for all accounts for Runtime Monitoring, then choose one of the following options for the delegated GuardDuty administrator account:

  • Option 1

    Under Automated agent configuration, in the EC2 section, select Enable for all accounts.

  • Option 2

    • Under Automated agent configuration, in the EC2 section, select Configure accounts manually.

    • Under Delegated Administrator (this account), choose Enable.

  In either case, choose Save.

If you chose Configure accounts manually for Runtime Monitoring, then perform the following steps:

  • Under Automated agent configuration, in the EC2 section, select Configure accounts manually.

  • Under Delegated Administrator (this account), choose Enable.

  • Choose Save.

Regardless of which option you choose to enable the automated agent configuration for the delegated GuardDuty administrator account, you can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to this account.

  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. Open the Targets tab for the SSM association (GuardDutyRuntimeMonitoring-do-not-delete). Observe that the Tag key appears as InstanceIds.

Using inclusion tag in selected instances
To configure GuardDuty agent for selected Amazon EC2 instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:true tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

    Adding this tag will permit GuardDuty to install and manage the security agent for these selected EC2 instances. You don't need to enable automated agent configuration explicitly.

  3. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tags.

    1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

    2. Open the Targets tab for the SSM association that gets created (GuardDutyRuntimeMonitoring-do-not-delete). The Tag key appears as tag:GuardDutyManaged.

Using exclusion tag in selected instances
Note

Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

To configure GuardDuty agent for selected Amazon EC2 instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:false tag to the instances that you don't want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

  3. For the exclusion tags to be available in the instance metadata, perform the following steps:
    1. Under the Details tab of your instance, view the status for Allow tags in instance metadata.

      If it is currently Disabled, use the following steps to change the status to Enabled. Otherwise, skip this step.

    2. Under the Actions menu, choose Instance settings.

    3. Choose Allow tags in instance metadata.

  4. After you have added the exclusion tag, perform the same steps as specified in the Configure for all instances tab.

You can now assess the runtime Coverage for Amazon EC2 instance.

All member accounts

Note

It may take up to 24 hours to update the configuration for the member accounts.

Configure for all instances

The following steps assume that you chose Enable for all accounts in the Runtime Monitoring section:

  1. Choose Enable for all accounts in the Automated agent configuration section for Amazon EC2.

  2. You can verify that the SSM association that GuardDuty creates (GuardDutyRuntimeMonitoring-do-not-delete) will install and manage the security agent on all the EC2 resources belonging to this account.

    1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

    2. Open the Targets tab for the SSM association. Observe that the Tag key appears as InstanceIds.

Using inclusion tag in selected instances
To configure GuardDuty agent for selected Amazon EC2 instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:true tag to the EC2 instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

    Adding this tag will permit GuardDuty to install and manage the security agent for these selected EC2 instances. You don't need to enable automated agent configuration explicitly.

  3. You can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to your account.

    1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

    2. Open the Targets tab for the SSM association (GuardDutyRuntimeMonitoring-do-not-delete). Observe that the Tag key appears as InstanceIds.

Using exclusion tag in selected instances
Note

Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

To configure GuardDuty security agent for selected Amazon EC2 instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:false tag to the instances that you don't want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

  3. For the exclusion tags to be available in the instance metadata, perform the following steps:
    1. Under the Details tab of your instance, view the status for Allow tags in instance metadata.

      If it is currently Disabled, use the following steps to change the status to Enabled. Otherwise, skip this step.

    2. Under the Actions menu, choose Instance settings.

    3. Choose Allow tags in instance metadata.

  4. After you have added the exclusion tag, perform the same steps as specified in the Configure for all instances tab.

You can now assess the runtime Coverage for Amazon EC2 instance.

New member accounts

The delegated GuardDuty administrator account can set the automated agent configuration for Amazon EC2 resources to enable automatically for new member accounts as they join the organization.

Configure for all instances

The following steps assume that you selected Automatically enable for new member accounts under the Runtime Monitoring section:

  1. In the navigation pane, choose Runtime Monitoring.

  2. On the Runtime Monitoring page, choose Edit.

  3. Select Automatically enable for new member accounts. This step ensures that whenever a new account joins your organization, automated agent configuration for Amazon EC2 will be automatically enabled for their account. Only the delegated GuardDuty administrator account of the organization can modify this selection.

  4. Choose Save.

When a new member account joins the organization, this configuration will be enabled for them automatically. For GuardDuty to manage the security agent for the Amazon EC2 instances that belong to this new member account, make sure that all the Prerequisites for Amazon EC2 instance support are met.

When an SSM association gets created (GuardDutyRuntimeMonitoring-do-not-delete), you can verify that the SSM association will install and manage the security agent on all the EC2 instances belonging to the new member account.

Using inclusion tag in selected instances
To configure GuardDuty security agent for selected instances in your account
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:true tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

    Adding this tag will permit GuardDuty to install and manage the security agent for these selected instances. You don't need to enable automated agent configuration explicitly.

  3. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tags.

    1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

    2. Open the Targets tab for the SSM association that gets created. The Tag key appears as tag:GuardDutyManaged.

Using exclusion tag in selected instances
Note

Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

To configure GuardDuty security agent for specific instances in your standalone account
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:false tag to the instances that you don't want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

  3. For the exclusion tags to be available in the instance metadata, perform the following steps:
    1. Under the Details tab of your instance, view the status for Allow tags in instance metadata.

      If it is currently Disabled, use the following steps to change the status to Enabled. Otherwise, skip this step.

    2. Under the Actions menu, choose Instance settings.

    3. Choose Allow tags in instance metadata.

  4. After you have added the exclusion tag, perform the same steps as specified in the Configure for all instances tab.

You can now assess the runtime Coverage for Amazon EC2 instance.

Selected member accounts

Configure for all instances
  1. On the Accounts page, select one or more accounts for which you want to enable Runtime Monitoring-Automated agent configuration (Amazon EC2). Make sure that the accounts that you select in this step already have Runtime Monitoring enabled.

  2. From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (Amazon EC2).

  3. Choose Confirm.

Using inclusion tag in selected instances
To configure GuardDuty security agent for selected instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:true tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

    Adding this tag will permit GuardDuty to manage the security agent for your tagged Amazon EC2 instances. You don't need to explicitly enable automated agent configuration (Runtime Monitoring - Automated agent configuration (EC2)).

Using exclusion tag in selected instances
Note

Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

To configure GuardDuty security agent for selected instances
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Add the GuardDutyManaged:false tag to the EC2 instances that you don't want GuardDuty to monitor or detect potential threats. For information about adding this tag, see To add a tag to an individual resource.

  3. For the exclusion tags to be available in the instance metadata, perform the following steps:
    1. Under the Details tab of your instance, view the status for Allow tags in instance metadata.

      If it is currently Disabled, use the following steps to change the status to Enabled. Otherwise, skip this step.

    2. Under the Actions menu, choose Instance settings.

    3. Choose Allow tags in instance metadata.

  4. After you have added the exclusion tag, perform the same steps as specified in the Configure for all instances tab.

You can now assess Coverage for Amazon EC2 instance.
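The console procedures on this page (enabling the automated agent for a standalone account or the delegated administrator's own account, automatically enabling it for new member accounts, and enabling it for selected member accounts) map onto three GuardDuty API calls, which is what you need when the configuration is managed as code or applied across Regions. The following is an added example, not GuardDuty's own code. It relies on the API feature name RUNTIME_MONITORING and the additional-configuration name EC2_AGENT_MANAGEMENT, which exist in the GuardDuty API to my knowledge but which you should confirm against the UpdateDetector, UpdateOrganizationConfiguration and UpdateMemberDetectors references before use; the "Runtime Monitoring must already be enabled" guard in the payload builder mirrors the prerequisite stated on this page rather than an API rule. boto3 is imported lazily so the payload builders run without it.

```python
"""API equivalents of this page's console procedures for the GuardDuty
automated agent configuration (Amazon EC2).

Added example; not GuardDuty's own code. Feature names are assumed to match
the GuardDuty API (see the lead-in).
"""
FEATURE = "RUNTIME_MONITORING"            # assumed GuardDuty feature name
EC2_AGENT = "EC2_AGENT_MANAGEMENT"        # assumed additional-configuration name
AUTO_ENABLE_VALUES = ("ALL", "NEW", "NONE")


def detector_features(ec2_agent_enabled: bool) -> list:
    """Features payload for UpdateDetector / UpdateMemberDetectors. Runtime
    Monitoring itself stays ENABLED; only the EC2 agent setting is toggled."""
    status = "ENABLED" if ec2_agent_enabled else "DISABLED"
    return [{"Name": FEATURE, "Status": "ENABLED",
             "AdditionalConfiguration": [{"Name": EC2_AGENT, "Status": status}]}]


def organization_features(runtime_auto_enable: str, ec2_agent_auto_enable: str) -> list:
    """Features payload for UpdateOrganizationConfiguration. 'ALL' mirrors
    'Enable for all accounts', 'NEW' mirrors 'Automatically enable for new
    member accounts', 'NONE' mirrors 'Configure accounts manually'."""
    for v in (runtime_auto_enable, ec2_agent_auto_enable):
        if v not in AUTO_ENABLE_VALUES:
            raise ValueError(f"auto-enable must be one of {AUTO_ENABLE_VALUES}, got {v!r}")
    # Local guard mirroring the page: the agent setting only applies to accounts
    # that have Runtime Monitoring enabled.
    if runtime_auto_enable == "NONE" and ec2_agent_auto_enable != "NONE":
        raise ValueError("EC2 agent auto-enable requires Runtime Monitoring auto-enable")
    return [{"Name": FEATURE, "AutoEnable": runtime_auto_enable,
             "AdditionalConfiguration": [{"Name": EC2_AGENT, "AutoEnable": ec2_agent_auto_enable}]}]


def _guardduty(region: str):
    import boto3  # lazy import; assumed installed and configured for live calls
    return boto3.client("guardduty", region_name=region)


def detector_id(region: str) -> str:
    """GuardDuty has at most one detector per Region; fail loudly otherwise."""
    ids = _guardduty(region).list_detectors()["DetectorIds"]
    if len(ids) != 1:
        raise RuntimeError(f"expected exactly one detector in {region}, found {ids}")
    return ids[0]


def enable_for_this_account(region: str) -> dict:
    """Standalone account, or the delegated administrator's own account
    ('Enable' under Delegated Administrator (this account))."""
    gd = _guardduty(region)
    return gd.update_detector(DetectorId=detector_id(region), Features=detector_features(True))


def auto_enable_for_new_members(region: str) -> dict:
    """Delegated administrator: 'Automatically enable for new member accounts'."""
    gd = _guardduty(region)
    return gd.update_organization_configuration(
        DetectorId=detector_id(region), Features=organization_features("NEW", "NEW"))


def enable_for_selected_members(region: str, account_ids: list) -> list:
    """Delegated administrator: selected member accounts (Edit protection plans).
    Returns the accounts the API could not process, which should be empty."""
    gd = _guardduty(region)
    resp = gd.update_member_detectors(DetectorId=detector_id(region),
                                      AccountIds=list(account_ids),
                                      Features=detector_features(True))
    return resp.get("UnprocessedAccounts", [])


if __name__ == "__main__":
    import json
    print(json.dumps(detector_features(True), indent=2))
    print(json.dumps(organization_features("ALL", "NEW"), indent=2))
```

The delegated administrator account must call these with its own credentials in each Region where Runtime Monitoring is in use, and, as the note on this page says, member-account configuration can take up to 24 hours to propagate, so verify coverage afterwards rather than immediately after the call returns.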