# Enabling automated security agent for Amazon EC2 instance

This section includes steps to enable GuardDuty automated agent for your Amazon EC2 resources in your standalone account or a multiple-account environment. 

Before you continue, make sure to follow all the [Prerequisites for Amazon EC2 instance support](prereq-runtime-monitoring-ec2-support.md).

If you are migrating from managing the GuardDuty agent manually to enabling GuardDuty automated agent, then before following the steps to enable GuardDuty automated agent, see [Migrating from Amazon EC2 manual agent to automated agent](migrate-from-ec2-manual-to-automated-agent.md).

# Enabling GuardDuty agent for Amazon EC2 resources in multiple-account environment

In a multiple-account environment, only the delegated GuardDuty administrator account can enable or disable automated agent configuration for the resource types belonging to the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using Amazon Organizations. For more information about multi-account environments, see [Managing multiple accounts](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty_accounts.html).

## For delegated GuardDuty administrator account


------
#### [ Configure for all instances ]

If you chose **Enable for all accounts** for Runtime Monitoring, then choose one of the following options for the delegated GuardDuty administrator account:
+ **Option 1**

  Under **Automated agent configuration**, in the **EC2** section, select **Enable for all accounts**.
+ **Option 2**
  + Under **Automated agent configuration**, in the **EC2** section, select **Configure accounts manually**.
  + Under **Delegated Administrator (this account)**, choose **Enable**.

After choosing either option, choose **Save**.

If you chose **Configure accounts manually** for Runtime Monitoring, then perform the following steps:
+ Under **Automated agent configuration**, in the **EC2** section, select **Configure accounts manually**.
+ Under **Delegated Administrator (this account)**, choose **Enable**.
+ Choose **Save**.

Regardless of which option you choose to enable the automated agent configuration for delegated GuardDuty administrator account, you can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to this account.

1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

1. Open the **Targets** tab for the SSM association (`GuardDutyRuntimeMonitoring-do-not-delete`). Observe that the **Tag key** appears as **InstanceIds**. 

------
#### [ Using inclusion tag in selected instances ]

**To configure GuardDuty agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`true` tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

   Adding this tag will permit GuardDuty to install and manage the security agent for these selected EC2 instances. You **don't** need to enable automated agent configuration explicitly.

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tag.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association that gets created (`GuardDutyRuntimeMonitoring-do-not-delete`). The **Tag key** appears as **tag:GuardDutyManaged**.

------
#### [ Using exclusion tag in selected instances ]

**Note**  
Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

**To configure GuardDuty agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`false` tag to the instances that you **don't** want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. For the [exclusion tags to be available](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#general-runtime-monitoring-prereq-ec2) in the instance metadata, perform the following steps:

   1. Under the **Details** tab of your instance, view the status for **Allow tags in instance metadata**.

      If it is currently **Disabled**, use the following steps to change the status to **Enabled**. Otherwise, skip this step.

   1. Under the **Actions** menu, choose **Instance settings**.

   1. Choose **Allow tags in instance metadata**.

1. After you have added the exclusion tag, perform the same steps as specified in the **Configure for all instances** tab.

------

You can now assess [Runtime coverage and troubleshooting for Amazon EC2 instance](gdu-assess-coverage-ec2.md).

## Auto-enable for all member accounts


**Note**  
It may take up to 24 hours to update the configuration for the member accounts.

------
#### [ Configure for all instances ]

The following steps assume that you chose **Enable for all accounts** in the Runtime Monitoring section:

1. Choose **Enable for all accounts** in the **Automated agent configuration** section for **Amazon EC2**. 

1. You can verify that the SSM association that GuardDuty creates (`GuardDutyRuntimeMonitoring-do-not-delete`) will install and manage the security agent on all the EC2 resources belonging to this account.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association. Observe that the **Tag key** appears as **InstanceIds**. 

------
#### [ Using inclusion tag in selected instances ]

**To configure GuardDuty agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`true` tag to the EC2 instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

   Adding this tag will permit GuardDuty to install and manage the security agent for these selected EC2 instances. You **don't** need to enable automated agent configuration explicitly.

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to your account.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association (`GuardDutyRuntimeMonitoring-do-not-delete`). Observe that the **Tag key** appears as **InstanceIds**. 

------
#### [ Using exclusion tag in selected instances ]

**Note**  
Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

**To configure GuardDuty security agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`false` tag to the instances that you **don't** want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. For the [exclusion tags to be available](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#general-runtime-monitoring-prereq-ec2) in the instance metadata, perform the following steps:

   1. Under the **Details** tab of your instance, view the status for **Allow tags in instance metadata**.

      If it is currently **Disabled**, use the following steps to change the status to **Enabled**. Otherwise, skip this step.

   1. Under the **Actions** menu, choose **Instance settings**.

   1. Choose **Allow tags in instance metadata**.

1. After you have added the exclusion tag, perform the same steps as specified in the **Configure for all instances** tab.

------

You can now assess [Runtime coverage and troubleshooting for Amazon EC2 instance](gdu-assess-coverage-ec2.md).

## Auto-enable for new member accounts only


The delegated GuardDuty administrator account can set the automated agent configuration for Amazon EC2 resources to be enabled automatically for new member accounts as they join the organization.

------
#### [ Configure for all instances ]

The following steps assume that you selected **Automatically enable for new member accounts** under the **Runtime Monitoring** section:

1. In the navigation pane, choose **Runtime Monitoring**.

1. On the **Runtime Monitoring** page, choose **Edit**.

1. Select **Automatically enable for new member accounts**. This step ensures that whenever a new account joins your organization, automated agent configuration for Amazon EC2 will be automatically enabled for their account. Only the delegated GuardDuty administrator account of the organization can modify this selection.

1. Choose **Save**.

When a new member account joins the organization, this configuration will be enabled for them automatically. For GuardDuty to manage the security agent for the Amazon EC2 instances that belong to this new member account, make sure that all the [prerequisites for EC2 instances](prereq-runtime-monitoring-ec2-support.md) are met.

When an SSM association gets created (`GuardDutyRuntimeMonitoring-do-not-delete`), you can verify that the SSM association will install and manage the security agent on all the EC2 instances belonging to the new member account.
+ Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).
+ Open the **Targets** tab for the SSM association. Observe that the **Tag key** appears as **InstanceIds**.

------
#### [ Using inclusion tag in selected instances ]

**To configure GuardDuty security agent for selected instances in your account**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`true` tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

   Adding this tag will permit GuardDuty to install and manage the security agent for these selected instances. You don't need to enable automated agent configuration explicitly.

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tags. 

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association that gets created. The **Tag key** appears as **tag:GuardDutyManaged**.

------
#### [ Using exclusion tag in selected instances ]

**Note**  
Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

**To configure GuardDuty security agent for specific instances in your standalone account**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`false` tag to the instances that you **don't** want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. For the [exclusion tags to be available](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#general-runtime-monitoring-prereq-ec2) in the instance metadata, perform the following steps:

   1. Under the **Details** tab of your instance, view the status for **Allow tags in instance metadata**.

      If it is currently **Disabled**, use the following steps to change the status to **Enabled**. Otherwise, skip this step.

   1. Under the **Actions** menu, choose **Instance settings**.

   1. Choose **Allow tags in instance metadata**.

1. After you have added the exclusion tag, perform the same steps as specified in the **Configure for all instances** tab.

------

You can now assess [Runtime coverage and troubleshooting for Amazon EC2 instance](gdu-assess-coverage-ec2.md).

## Selective member accounts only


------
#### [ Configure for all instances ]

1. On the **Accounts** page, select one or more accounts for which you want to enable **Runtime Monitoring-Automated agent configuration (Amazon EC2)**. Make sure that the accounts that you select in this step already have Runtime Monitoring enabled.

1. From **Edit protection plans**, choose the appropriate option to enable **Runtime Monitoring-Automated agent configuration (Amazon EC2)**.

1. Choose **Confirm**.

------
#### [ Using inclusion tag in selected instances ]

**To configure GuardDuty security agent for selected instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`true` tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

   Adding this tag will permit GuardDuty to manage the security agent for your tagged Amazon EC2 instances. You don't need to explicitly enable automated agent configuration (**Runtime Monitoring - Automated agent configuration (EC2)**).

------
#### [ Using exclusion tag in selected instances ]

**Note**  
Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

**To configure GuardDuty security agent for selected instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`false` tag to the EC2 instances that you **don't** want GuardDuty to monitor or detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. For the [exclusion tags to be available](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#general-runtime-monitoring-prereq-ec2) in the instance metadata, perform the following steps:

   1. Under the **Details** tab of your instance, view the status for **Allow tags in instance metadata**.

      If it is currently **Disabled**, use the following steps to change the status to **Enabled**. Otherwise, skip this step.

   1. Under the **Actions** menu, choose **Instance settings**.

   1. Choose **Allow tags in instance metadata**.

1. After you have added the exclusion tag, perform the same steps as specified in the **Configure for all instances** tab.

------

You can now assess [Runtime coverage and troubleshooting for Amazon EC2 instance](gdu-assess-coverage-ec2.md).

# Enabling GuardDuty automated agent for Amazon EC2 resources in a standalone account

A standalone account owns the decision to enable or disable a protection plan in its Amazon Web Services account in a specific Amazon Web Services Region.

If your account is associated with a GuardDuty administrator account through Amazon Organizations, or by the method of invitation, this section doesn't apply to your account. For more information, see [Enabling Runtime Monitoring for multiple-account environments](enable-runtime-monitoring-multiple-acc-env.md).

After you enable Runtime Monitoring, make sure that you install the GuardDuty security agent, either through automated agent configuration or by manual deployment. Installing the security agent is part of completing all the steps listed in the following procedure.

Based on whether you want to monitor all or only selected Amazon EC2 resources, choose a method and follow the steps under the corresponding tab.

------
#### [ Configure for all instances ]

**To configure Runtime Monitoring for all instances in your standalone account**

1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/).

1. In the navigation pane, choose **Runtime Monitoring**.

1. Under the **Configuration** tab, choose **Edit**.

1. In the **EC2** section, choose **Enable**.

1. Choose **Save**.

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent on all the EC2 resources belonging to your account.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association (`GuardDutyRuntimeMonitoring-do-not-delete`). Observe that the **Tag key** appears as **InstanceIds**. 

------
#### [ Using inclusion tag in selected instances ]

**To configure GuardDuty security agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`true` tag to the instances that you want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. You can verify that the SSM association that GuardDuty creates will install and manage the security agent only on the EC2 resources that are tagged with the inclusion tag.

   1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

   1. Open the **Targets** tab for the SSM association that gets created (`GuardDutyRuntimeMonitoring-do-not-delete`). The **Tag key** appears as **tag:GuardDutyManaged**.

------
#### [ Using exclusion tag in selected instances ]

**Note**  
Ensure that you add the exclusion tag to your Amazon EC2 instances before you launch them. Once you have enabled automated agent configuration for Amazon EC2, any EC2 instance that launches without an exclusion tag will be covered under GuardDuty automated agent configuration.

**To configure GuardDuty security agent for selected Amazon EC2 instances**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. Add the `GuardDutyManaged`:`false` tag to the instances that you **don't** want GuardDuty to monitor and detect potential threats. For information about adding this tag, see [To add a tag to an individual resource](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. For the [exclusion tags to be available](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#general-runtime-monitoring-prereq-ec2) in the instance metadata, perform the following steps:

   1. Under the **Details** tab of your instance, view the status for **Allow tags in instance metadata**.

      If it is currently **Disabled**, use the following steps to change the status to **Enabled**. Otherwise, skip this step.

   1. Select the instance for which you want to allow tags.

   1. Under the **Actions** menu, choose **Instance settings**.

   1. Choose **Allow tags in instance metadata**.

   1. Under **Access to tags in instance metadata**, select **Allow**.

   1. Choose **Save**.

1. After you have added the exclusion tag, perform the same steps as specified in the **Configure for all instances** tab.

------

You can now assess [Runtime coverage and troubleshooting for Amazon EC2 instance](gdu-assess-coverage-ec2.md).

# Migrating from Amazon EC2 manual agent to automated agent


This section applies to your Amazon Web Services account if you were previously managing the security agent manually and now want to use the GuardDuty automated agent configuration. If this doesn't apply to you, continue with configuring the security agent for your account.

When you enable GuardDuty automated agent, GuardDuty manages the security agent on your behalf. For information about the steps that GuardDuty takes, see [Use automated agent configuration (recommended)](how-runtime-monitoring-works-ec2.md#use-automated-agent-config-ec2).

## Clean up resources


**Delete SSM association**  
+ Delete any SSM association that you may have created when you were managing the security agent for Amazon EC2 manually. For more information, see [Deleting associations](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-state-manager-delete-association.html).
+ This is done so that GuardDuty can take over the management of SSM actions, whether you use the automated agent at the account level or at the instance level (by using inclusion or exclusion tags). For more information about which SSM actions GuardDuty can take, see [Service-linked role permissions for GuardDuty](slr-permissions.md).
+ When you delete an SSM association that was previously created for managing the security agent manually, there might be a brief period of overlap when GuardDuty creates an SSM association for managing the security agent automatically. During this period, you could experience conflicts based on SSM scheduling. For more information, see [Amazon EC2 SSM scheduling](https://docs.amazonaws.cn/systems-manager/latest/userguide/quick-setup-scheduler.html).

**Manage inclusion and exclusion tags for your Amazon EC2 instances**  
+ **Inclusion tags** – When you don't enable GuardDuty automated agent configuration but tag any of your Amazon EC2 instances with an inclusion tag (`GuardDutyManaged`:`true`), GuardDuty creates an SSM association that will install and manage the security agent on the selected EC2 instances. This is an expected behavior that helps you manage the security agent on selected EC2 instances only. For more information, see [How Runtime Monitoring works with Amazon EC2 instances](how-runtime-monitoring-works-ec2.md).

  To prevent GuardDuty from installing and managing the security agent, remove the inclusion tag from these EC2 instances. For more information, see [Add and delete tags](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags) in the *Amazon EC2 User Guide*.
+ **Exclusion tags** – When you want to enable GuardDuty automated agent configuration for all the EC2 instances in your account, make sure that no EC2 instance is tagged with an exclusion tag (`GuardDutyManaged`:`false`).
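The tag rules from the inclusion-tag and exclusion-tag tabs above, together with the "make sure that no EC2 instance is tagged with an exclusion tag" check from this list, can be audited before you enable the configuration. The following is an added example, not GuardDuty's or Amazon's own code: it models those rules on input shaped like the `describe-instances` response; the instance IDs and tags are constructed, and the account-level setting is passed in as a flag because it is not part of that response.

```python
"""Audit which EC2 instances GuardDuty automated agent configuration would cover.

Added example (not GuardDuty's own code). Rules modelled from this page:
  - account-level automated agent enabled: every instance is covered unless it
    carries the exclusion tag GuardDutyManaged=false;
  - account-level disabled: only instances with the inclusion tag
    GuardDutyManaged=true are covered;
  - the exclusion tag has to be readable from instance metadata, so an excluded
    instance whose MetadataOptions.InstanceMetadataTags is not "enabled" is flagged.
"""
from typing import Dict, List

TAG_KEY = "GuardDutyManaged"


def _tags(instance: dict) -> Dict[str, str]:
    """Flatten the EC2 Tags list ([{Key, Value}, ...]) into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def classify_instance(instance: dict, account_level_enabled: bool) -> str:
    """Return one of: covered, excluded, not-covered, exclusion-not-effective."""
    tag_value = _tags(instance).get(TAG_KEY)
    metadata_tags_on = (
        instance.get("MetadataOptions", {}).get("InstanceMetadataTags") == "enabled"
    )
    if account_level_enabled:
        if tag_value != "false":
            return "covered"  # no exclusion tag: covered by the account-level setting
        if metadata_tags_on:
            return "excluded"  # exclusion tag is visible in instance metadata
        return "exclusion-not-effective"  # tag set, but "Allow tags in instance metadata" is off
    # Without the account-level setting, only the inclusion tag selects instances.
    return "covered" if tag_value == "true" else "not-covered"


def audit(describe_instances_output: dict, account_level_enabled: bool) -> Dict[str, str]:
    """Map every InstanceId in a describe-instances response to its status."""
    report: Dict[str, str] = {}
    for reservation in describe_instances_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            report[instance["InstanceId"]] = classify_instance(instance, account_level_enabled)
    return report


def exclusion_tagged(describe_instances_output: dict) -> List[str]:
    """Instances carrying GuardDutyManaged=false. The 'Clean up resources' section
    says none should remain before enabling the automated agent for all instances."""
    return [
        iid for iid, status in audit(describe_instances_output, True).items()
        if status in ("excluded", "exclusion-not-effective")
    ]


# Constructed sample in describe-instances shape (instance IDs are made up).
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Name", "Value": "web-1"}],
     "MetadataOptions": {"InstanceMetadataTags": "enabled"}},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": TAG_KEY, "Value": "true"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": TAG_KEY, "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "enabled"}},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": TAG_KEY, "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
]}]}

if __name__ == "__main__":
    for mode in (True, False):
        print(f"account-level automated agent enabled={mode}")
        for iid, status in audit(SAMPLE, mode).items():
            print(f"  {iid}: {status}")
    print("exclusion-tagged instances:", exclusion_tagged(SAMPLE))
```

To run it against a real account, feed it the parsed JSON of `aws ec2 describe-instances` for the Region in question; the "exclusion-not-effective" status points at instances that still need **Allow tags in instance metadata** turned on.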