

# Managing security agent manually for Amazon EC2 resource

This section provides the steps to manually install and update the security agent for your Amazon EC2 resources.

After you enable Runtime Monitoring, you will need to install the GuardDuty security agent manually. To manage the GuardDuty security agent manually, you must first create an Amazon VPC endpoint manually. After this, you can install the security agent so that GuardDuty will start receiving the runtime events from the Amazon EC2 instances. When GuardDuty releases a new agent version for this resource, you can update the agent version in your account.

The following topics include the steps to continuously manage the security agent for your Amazon EC2 resources.

**Topics**
+ [Prerequisite – Creating Amazon VPC endpoint manually](creating-vpc-endpoint-ec2-agent-manually.md)
+ [Installing the security agent manually](installing-gdu-security-agent-ec2-manually.md)
+ [Updating the GuardDuty security agent for Amazon EC2 instance manually](gdu-update-security-agent-ec2.md)

# Prerequisite – Creating Amazon VPC endpoint manually


Before you can install the GuardDuty security agent, you must create an Amazon Virtual Private Cloud (Amazon VPC) endpoint. This will help GuardDuty receive the runtime events of your Amazon EC2 instances.

**Note**  
There is no additional cost for the usage of the VPC endpoint.

**To create an Amazon VPC endpoint**

1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **VPC private cloud**, choose **Endpoints**.

1. Choose **Create Endpoint**.

1. On the **Create endpoint** page, for **Service category**, choose **Other endpoint services**.

1. For **Service name**, enter **com.amazonaws.*us-east-1*.guardduty-data**.

   Make sure to replace *us-east-1* with your Amazon Web Services Region. This must be the same Region as the Amazon EC2 instance that belongs to your Amazon account ID.

1. Choose **Verify service**.

1. After the service name is successfully verified, choose the **VPC** where your instance resides. Add the following policy to restrict use of the Amazon VPC endpoint to the specified account only. The `Condition` in the `Deny` statement is what limits access; the variants listed after the policy show how to change it to admit specific account IDs or your organization. See [Organization condition to restrict access to your endpoint](#gdu-runtime-ec2-organization-restrict-access-vpc-endpoint).

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": "*",
               "Resource": "*",
               "Effect": "Allow",
               "Principal": "*"
           },
           {
               "Condition": {
                   "StringNotEquals": {
                       "aws:PrincipalAccount": "111122223333"
                   }
               },
               "Action": "*",
               "Resource": "*",
               "Effect": "Deny",
               "Principal": "*"
           }
       ]
   }
   ```

   The `aws:PrincipalAccount` account ID must match the account containing the VPC and VPC endpoint. The following list shows how to share the VPC endpoint with other Amazon account IDs:<a name="gdu-runtime-ec2-organization-restrict-access-vpc-endpoint"></a>
   + To specify multiple accounts that can access the VPC endpoint, replace `"aws:PrincipalAccount": "111122223333"` with the following block:

     ```
     "aws:PrincipalAccount": [
         "666666666666",
         "555555555555"
     ]
     ```

     Make sure to replace the Amazon account IDs with the account IDs of the accounts that need to access the VPC endpoint.
   + To allow all members of an organization to access the VPC endpoint, replace `"aws:PrincipalAccount": "111122223333"` with the following line:

     ```
     "aws:PrincipalOrgID": "o-abcdef0123"
     ```

     Make sure to replace the organization ID *o-abcdef0123* with your organization ID.
   + To restrict access to resources that belong to a particular organization, add the `aws:ResourceOrgID` condition key to the policy. For more information, see [https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid) in the *IAM User Guide*.

     ```
     "aws:ResourceOrgID": "o-abcdef0123"
     ```

1. Under **Additional settings**, choose **Enable DNS name**.

1. Under **Subnets**, choose the subnets in which your instance resides.

1. Under **Security groups**, choose a security group that has the in-bound port 443 enabled from your VPC (or your Amazon EC2 instance). If you don't already have a security group that has an in-bound port 443 enabled, see [Create a security group for your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/creating-security-groups.html) in the *Amazon VPC User Guide*.

   If there is an issue while restricting the in-bound permissions to your VPC (or instance), you can allow in-bound port 443 from any IP address (`0.0.0.0/0`). However, GuardDuty recommends using IP addresses that match the CIDR block for your VPC. For more information, see [VPC CIDR blocks](https://docs.amazonaws.cn//vpc/latest/userguide/vpc-cidr-blocks.html) in the *Amazon VPC User Guide*.

After you have followed the steps, see [Validating VPC endpoint configuration](validate-vpc-endpoint-config-runtime-monitoring.md) to ensure that the VPC endpoint was set up correctly.
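The console steps above map onto a handful of EC2 API calls. The script below is an added example, not AWS's own tooling, that creates the guardduty-data interface endpoint from the AWS CLI with the restrictive endpoint policy and a security group that admits TCP/443 only from the VPC's own CIDR block, as recommended above. It assumes the aws CLI is configured with permission to call EC2 and that the VPC and subnet IDs are supplied by the caller; the function names and the security group name are this example's own.

```shell
#!/bin/sh
# Added example (not AWS-provided): create the GuardDuty runtime-agent VPC
# endpoint from the CLI with a restrictive endpoint policy and a security
# group scoped to the VPC CIDR. Assumes a configured aws CLI with EC2 rights.
set -eu

# The service name is Region-specific: com.amazonaws.<region>.guardduty-data
guardduty_service_name() {
  printf 'com.amazonaws.%s.guardduty-data' "$1"
}

# Turn a list of IDs into a JSON string list: "a","b"
quote_list() {
  sep=""
  for id in "$@"; do
    printf '%s"%s"' "$sep" "$id"
    sep=","
  done
}

# Emit the endpoint policy: allow everything, then explicitly deny every
# principal outside the given scope. An explicit Deny always wins, so
# principals from other accounts or organizations cannot use the endpoint.
#   endpoint_policy accounts 111122223333 444455556666
#   endpoint_policy org o-abcdef0123
endpoint_policy() {
  mode=$1; shift
  [ "$#" -ge 1 ] || { echo "endpoint_policy: scope value(s) required" >&2; return 1; }
  case "$mode" in
    accounts) key="aws:PrincipalAccount"; value="[$(quote_list "$@")]" ;;
    org)      key="aws:PrincipalOrgID";   value="\"$1\"" ;;
    *) echo "endpoint_policy: mode must be accounts or org" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*" },
    {
      "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*",
      "Condition": { "StringNotEquals": { "$key": $value } }
    }
  ]
}
EOF
}

# create_guardduty_endpoint <region> <vpc-id> "<subnet-id> [subnet-id ...]" <accounts|org> <ids...>
create_guardduty_endpoint() {
  region=$1; vpc_id=$2; subnets=$3; mode=$4; shift 4
  service=$(guardduty_service_name "$region")

  # Equivalent of "Verify service": fails if the name is not offered in this Region.
  aws ec2 describe-vpc-endpoint-services --region "$region" --service-names "$service" >/dev/null

  # Security group admitting TCP/443 only from the VPC's CIDR, not 0.0.0.0/0.
  cidr=$(aws ec2 describe-vpcs --region "$region" --vpc-ids "$vpc_id" \
           --query 'Vpcs[0].CidrBlock' --output text)
  sg_id=$(aws ec2 create-security-group --region "$region" --vpc-id "$vpc_id" \
           --group-name guardduty-data-endpoint \
           --description "GuardDuty runtime agent endpoint" \
           --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$region" --group-id "$sg_id" \
      --protocol tcp --port 443 --cidr "$cidr"

  # Interface endpoint with private DNS enabled so the agent resolves the
  # service name to the endpoint inside the VPC. $subnets is deliberately
  # unquoted so several space-separated subnet IDs split into arguments.
  aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc_id" \
      --vpc-endpoint-type Interface --service-name "$service" \
      --subnet-ids $subnets --security-group-ids "$sg_id" \
      --private-dns-enabled \
      --policy-document "$(endpoint_policy "$mode" "$@")"
}

# Usage (placeholder IDs; replace with your own):
#   ./create-endpoint.sh us-east-1 vpc-1234abcd "subnet-1234abcd subnet-5678efgh" accounts 111122223333
#   ./create-endpoint.sh us-east-1 vpc-1234abcd "subnet-1234abcd" org o-abcdef0123
if [ "$#" -ge 5 ]; then
  create_guardduty_endpoint "$@"
fi
```

The `Deny` statement with `StringNotEquals` is the whole access control here: the `Allow` is unconditional, so without the `Deny` any principal that can route to the endpoint could use it. Inspect the generated document with `endpoint_policy org o-abcdef0123` before passing it to `create-vpc-endpoint`.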

# Installing the security agent manually


GuardDuty provides the following two methods to install the GuardDuty security agent on your Amazon EC2 instances. Before proceeding, make sure to follow the steps under [Prerequisite – Creating Amazon VPC endpoint manually](creating-vpc-endpoint-ec2-agent-manually.md).

Choose a preferred access method to install the security agent in your Amazon EC2 resources.
+ [Method 1 - Using Amazon Systems Manager](#install-gdu-by-using-sys-runtime-monitoring) – This method requires your Amazon EC2 instance to be Amazon Systems Manager managed.
+ [Method 2 - Using Linux Package Managers](#install-gdu-by-rpm-scripts-runtime-monitoring) – You can use this method whether or not your Amazon EC2 instances are Amazon Systems Manager managed. Based on your [OS distributions](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#validating-architecture-req-ec2), you can choose an appropriate method to install either RPM scripts or Debian scripts. If you use the *Fedora* platform, then you must use this method to install the agent.

## Method 1 - Using Amazon Systems Manager


To use this method, make sure that your Amazon EC2 instances are Amazon Systems Manager managed and then install the agent.

### Amazon Systems Manager managed Amazon EC2 instance


Use the following steps to make your Amazon EC2 instances Amazon Systems Manager managed.
+ [Amazon Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/what-is-systems-manager.html) helps you manage your Amazon applications and resources end-to-end and enable secure operations at scale. 

  To manage your Amazon EC2 instances with Amazon Systems Manager, see [Setting up Systems Manager for Amazon EC2 instances](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html) in the *Amazon Systems Manager User Guide*.
+ The following table shows the new GuardDuty managed Amazon Systems Manager documents:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/installing-gdu-security-agent-ec2-manually.html)

  For more information about Amazon Systems Manager, see [Amazon EC2 Systems Manager Documents](https://docs.amazonaws.cn/systems-manager/latest/userguide/documents.html) in the *Amazon Systems Manager User Guide*.
**For Debian Servers**  
The Amazon Machine Images (AMIs) for Debian Server provided by Amazon require you to install the Amazon Systems Manager agent (SSM agent). You will need to perform an additional step to install the SSM agent to make your Amazon EC2 Debian Server instances SSM managed. For information about steps that you need to take, see [Manually installing SSM agent on Debian Server instances](https://docs.amazonaws.cn/systems-manager/latest/userguide/agent-install-deb.html) in the *Amazon Systems Manager User Guide*.

**To install the GuardDuty agent for Amazon EC2 instance by using Amazon Systems Manager**

1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

1. In the navigation pane, choose **Documents**.

1. In **Owned by Amazon**, choose `AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin`.

1. Choose **Run Command**.

1. Enter the following Run Command parameters:
   + Action: Choose **Install**.
   + Installation Type: Choose **Install or Uninstall**.
   + Name: `AmazonGuardDuty-RuntimeMonitoringSsmPlugin`
   + Version: If this remains empty, you'll get the latest version of the GuardDuty security agent. For more information about the release versions, see [GuardDuty security agent versions for Amazon EC2 instances](runtime-monitoring-agent-release-history.md#ec2-gdu-agent-release-history).

1. Select the targeted Amazon EC2 instance. You can select one or more Amazon EC2 instances. For more information, see [Amazon Systems Manager Running commands from the console](https://docs.amazonaws.cn/systems-manager/latest/userguide/running-commands-console.html) in the *Amazon Systems Manager User Guide*.

1. Validate if the GuardDuty agent installation is healthy. For more information, see [Validating GuardDuty security agent installation status](#validate-ec2-gdu-agent-installation-healthy).

## Method 2 - Using Linux Package Managers


With this method, you can install the GuardDuty security agent by running RPM scripts or Debian scripts. Based on the operating systems, you can choose a preferred method:
+ Use RPM scripts to install the security agent on OS distributions AL2, AL2023, RedHat, CentOS, or Fedora.
+ Use Debian scripts to install the security agent on OS distributions Ubuntu or Debian. For information about supported Ubuntu and Debian OS distributions, see [Validate architectural requirements](prereq-runtime-monitoring-ec2-support.md#validating-architecture-req-ec2).

------
#### [ RPM installation ]
**Important**  
We recommend verifying the GuardDuty security agent RPM signature before installing it on your machine. 

1. Verify the GuardDuty security agent RPM signature

   1. **Prepare the template**

      Prepare the commands with the appropriate public key, the signature of the x86_64 RPM, the signature of the arm64 RPM, and the corresponding access links to the RPM scripts hosted in Amazon S3 buckets. Replace the Amazon Web Services Region, Amazon account ID, and GuardDuty agent version in these values to access the RPM scripts.
      + **Public key**:

        ```
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/publickey.pem
        ```
      + **GuardDuty security agent RPM signature**:

        Signature of x86_64 RPM

        ```
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/x86_64/amazon-guardduty-agent-1.9.2.x86_64.sig
        ```

        Signature of arm64 RPM

        ```
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/arm64/amazon-guardduty-agent-1.9.2.arm64.sig
        ```
      + **Access links to the RPM scripts in Amazon S3 bucket**:

        Access link for x86_64 RPM

        ```
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/x86_64/amazon-guardduty-agent-1.9.2.x86_64.rpm
        ```

        Access link for arm64 RPM

        ```
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/arm64/amazon-guardduty-agent-1.9.2.arm64.rpm
        ```

   1. **Download the template**

      The following commands download the public key, the x86_64 RPM, and its signature from the Amazon S3 bucket; for arm64 instances, use the arm64 paths from the template instead. Make sure to replace the account ID with the appropriate Amazon Web Services account ID and the Region with your current Region.

      ```
      aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/x86_64/amazon-guardduty-agent-1.9.2.x86_64.rpm ./amazon-guardduty-agent-1.9.2.x86_64.rpm
      aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/x86_64/amazon-guardduty-agent-1.9.2.x86_64.sig ./amazon-guardduty-agent-1.9.2.x86_64.sig
      aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.9.2/publickey.pem ./publickey.pem
      ```

   1. **Import the public key**

      Use the following command to import the public key to the database:

      ```
      gpg --import publickey.pem
      ```

      gpg reports a successful import:

      ```
      gpg: key 093FF49D: public key "AwsGuardDuty" imported
      gpg: Total number processed: 1
      gpg:               imported: 1  (RSA: 1)
      ```

   1. **Verify the signature**

      Use the following command to verify the signature:

      ```
      gpg --verify amazon-guardduty-agent-1.9.2.x86_64.sig amazon-guardduty-agent-1.9.2.x86_64.rpm
      ```

      If verification passes, you will see a message similar to the result below. You can now proceed to install the GuardDuty security agent using RPM.

      Example output:

      ```
      gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
      gpg: Good signature from "AwsGuardDuty"
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
      ```

      If verification fails, the RPM or its signature may have been tampered with. Remove the public key from the database and retry the verification process.

      Example: 

      ```
      gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
      gpg: BAD signature from "AwsGuardDuty"
      ```

      Use the following command to remove the public key from the database:

      ```
      gpg --delete-keys AwsGuardDuty
      ```

      Now, try the verification process again.

1. [Connect with SSH from Linux or macOS](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/connect-linux-inst-ssh.html).

1. Install the GuardDuty security agent by using the following command:

   ```
   sudo rpm -ivh amazon-guardduty-agent-1.9.2.x86_64.rpm
   ```

1. Validate if the GuardDuty agent installation is healthy. For more information about the steps, see [Validating GuardDuty security agent installation status](#validate-ec2-gdu-agent-installation-healthy).

------
#### [ Debian installation ]
**Important**  
We recommend verifying the GuardDuty security agent Debian signature before installing it on your machine. 

1. Verify the GuardDuty security agent Debian signature

   1. **Prepare templates for the appropriate public key, signature of amd64 Debian package, signature of arm64 Debian package, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets**

      In the following templates, replace the Amazon Web Services Region, Amazon account ID, and GuardDuty agent version to access the Debian package scripts.
      + **Public key**:

        ```
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/publickey.pem
        ```
      + **GuardDuty security agent Debian signature**:

        Signature of amd64

        ```
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/amd64/amazon-guardduty-agent-1.9.2.amd64.sig
        ```

        Signature of arm64

        ```
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/arm64/amazon-guardduty-agent-1.9.2.arm64.sig
        ```
      + **Access links to the Debian scripts in Amazon S3 bucket**:

        Access link for amd64

        ```
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/amd64/amazon-guardduty-agent-1.9.2.amd64.deb
        ```

        Access link for arm64

        ```
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/arm64/amazon-guardduty-agent-1.9.2.arm64.deb
        ```

   1. **Download the appropriate public key, signature of amd64, signature of arm64, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets**

      The following commands download the public key, the amd64 Debian package, and its signature; for arm64 instances, use the arm64 paths from the template instead. Replace the account ID with the appropriate Amazon Web Services account ID, and the Region with your current Region.

      ```
      aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/amd64/amazon-guardduty-agent-1.9.2.amd64.deb ./amazon-guardduty-agent-1.9.2.amd64.deb
      aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/amd64/amazon-guardduty-agent-1.9.2.amd64.sig ./amazon-guardduty-agent-1.9.2.amd64.sig
      aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.9.2/publickey.pem ./publickey.pem
      ```

   1. Import the public key to the database

      ```
      gpg --import publickey.pem
      ```

      gpg reports a successful import:

      ```
      gpg: key 093FF49D: public key "AwsGuardDuty" imported
      gpg: Total number processed: 1
      gpg:               imported: 1  (RSA: 1)
      ```

   1. Verify the signature

      ```
      gpg --verify amazon-guardduty-agent-1.9.2.amd64.sig amazon-guardduty-agent-1.9.2.amd64.deb
      ```

      After a successful verification, you will see a message similar to the following result:

      Example output:

      ```
      gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
      gpg: Good signature from "AwsGuardDuty"
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
      ```

      You can now proceed to install the GuardDuty security agent using Debian.

      However, if verification fails, the Debian package or its signature may have been tampered with.

      Example: 

      ```
      gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
      gpg: BAD signature from "AwsGuardDuty"
      ```

      Use the following command to remove the public key from the database:

      ```
      gpg --delete-keys AwsGuardDuty
      ```

      Now, retry the verification process.

1. [Connect with SSH from Linux or macOS](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/connect-linux-inst-ssh.html).

1. Install the GuardDuty security agent by using the following command:

   ```
   sudo dpkg -i amazon-guardduty-agent-1.9.2.amd64.deb
   ```

1. Validate if the GuardDuty agent installation is healthy. For more information about the steps, see [Validating GuardDuty security agent installation status](#validate-ec2-gdu-agent-installation-healthy).

------
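The RPM and Debian procedures above follow one pattern: fetch the package, its detached signature and the public key, import the key, verify, then install. The script below is an added example, not an AWS-provided script, that carries out those steps for either package format and adds the check a practitioner wants: it pins the signing key by the primary key fingerprint shown in the example output above, so a "Good signature" from some other key that merely calls itself AwsGuardDuty is refused rather than installed. It assumes the bucket naming, file names and fingerprint shown on this page, and that the aws CLI, gpg and rpm or dpkg are installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not AWS-provided): download the GuardDuty agent package and
# its detached signature, import the signing key, pin the key by fingerprint,
# and install only after gpg reports a valid signature from that key.
# Assumes aws CLI, gpg and rpm/dpkg are present and the bucket is readable.
set -eu

# Primary key fingerprint from the documented "Good signature" output. gpg
# warns "This key is not certified"; pinning the fingerprint is what turns
# "some key named AwsGuardDuty" into "the expected key".
EXPECTED_FPR="747891EF537813344456760306C906A7093FF49D"

# "7478 91EF ... F49D" (as gpg prints it) -> compact upper-case form.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Print fingerprints (field 10 of "fpr" records) from
# `gpg --with-colons --fingerprint` output read on stdin.
fprs_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Succeed only if fingerprint $1 is among those on stdin.
fpr_is_pinned() {
  fprs_from_colons | grep -Fqx "$1"
}

# Succeed only if the gpg --status-fd stream on stdin carries a VALIDSIG
# record for fingerprint $1. A BAD signature never produces VALIDSIG.
validsig_matches() {
  grep -q "^\[GNUPG:\] VALIDSIG .*$1"
}

# s3://<account>-<region>-guardduty-agent-<rpm|deb>-artifacts/<version>/<path>
artifact_uri() {
  printf 's3://%s-%s-guardduty-agent-%s-artifacts/%s/%s' "$1" "$2" "$3" "$4" "$5"
}

# package_name <rpm|deb> <arch> <version>, e.g. amazon-guardduty-agent-1.9.2.x86_64.rpm
package_name() {
  printf 'amazon-guardduty-agent-%s.%s.%s' "$3" "$2" "$1"
}

# install_verified <account> <region> <rpm|deb> <arch> <version>
install_verified() {
  account=$1; region=$2; fmt=$3; arch=$4; version=$5
  pkg=$(package_name "$fmt" "$arch" "$version")
  sig="${pkg%.*}.sig"   # package name with .rpm/.deb replaced by .sig

  aws s3 cp "$(artifact_uri "$account" "$region" "$fmt" "$version" publickey.pem)" ./publickey.pem
  aws s3 cp "$(artifact_uri "$account" "$region" "$fmt" "$version" "$arch/$pkg")" "./$pkg"
  aws s3 cp "$(artifact_uri "$account" "$region" "$fmt" "$version" "$arch/$sig")" "./$sig"

  gpg --import publickey.pem
  # Reject an imported key whose fingerprint is not the pinned one, even
  # though the import itself "succeeded".
  gpg --with-colons --fingerprint AwsGuardDuty | fpr_is_pinned "$EXPECTED_FPR" \
    || { echo "imported key is not the expected GuardDuty key; aborting" >&2; return 1; }

  # gpg exits non-zero on a BAD signature; additionally require that the
  # VALIDSIG record names the pinned key, not just any key in the keyring.
  gpg --status-fd 1 --verify "./$sig" "./$pkg" | validsig_matches "$EXPECTED_FPR" \
    || { echo "signature check failed; not installing $pkg" >&2; return 1; }

  case "$fmt" in
    rpm) sudo rpm -ivh "./$pkg" ;;
    deb) sudo dpkg -i "./$pkg" ;;
    *)   echo "unknown package format: $fmt" >&2; return 1 ;;
  esac
  # Exits non-zero if the agent is not running, which fails the script.
  sudo systemctl status amazon-guardduty-agent --no-pager
}

# Usage (values from this page; replace account, Region and version with yours):
#   ./install-gd-agent.sh 694911143906 eu-west-1 rpm x86_64 1.9.2
#   ./install-gd-agent.sh 694911143906 eu-west-1 deb amd64  1.9.2
if [ "$#" -eq 5 ]; then
  install_verified "$@"
fi
```

Keying the decision on the `VALIDSIG` status record rather than on the human-readable "Good signature" line keeps the check stable across gpg versions and locales, and tying it to the pinned fingerprint means a keyring that has accumulated other keys cannot satisfy the verification by accident.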

## Out of memory error


If you experience an `out-of-memory` error while installing or updating the GuardDuty security agent for Amazon EC2 manually, see [Troubleshooting out of memory error](troubleshooting-guardduty-runtime-monitoring.md#troubleshoot-ec2-cpu-out-of-memory-error).

## Validating GuardDuty security agent installation status


After you have performed the steps to install the GuardDuty security agent, use the following steps to validate the status of the agent:

**To validate if the GuardDuty security agent is healthy**

1. [Connect with SSH from Linux or macOS](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/connect-linux-inst-ssh.html).

1. Run the following command to check the status of the GuardDuty security agent:

   ```
   sudo systemctl status amazon-guardduty-agent
   ```

If you want to view the security agent installation logs, they are available under `/var/log/amzn-guardduty-agent/`.

To view the logs, run `sudo journalctl -u amazon-guardduty-agent`.

# Updating the GuardDuty security agent for Amazon EC2 instance manually

GuardDuty releases updates to the security agent versions. When you manage the security agent manually, you're responsible for updating the agent on your Amazon EC2 instances. For information about new agent versions, see [GuardDuty security agent release versions](runtime-monitoring-agent-release-history.md) for Amazon EC2 instances. To receive notifications about a new agent version release, see [Subscribing to Amazon SNS GuardDuty announcements](guardduty_sns.md).

**To update the security agent for Amazon EC2 instance manually**  
The process to update the security agent is the same as installing the security agent. Depending on the method that you used to install the agent, you can perform the steps in [Installing the security agent manually](installing-gdu-security-agent-ec2-manually.md) for Amazon EC2 instances.  
If you use [Method 1 - By using Amazon Systems Manager](https://docs.amazonaws.cn/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html#manage-ssm-ec2-instance-runtime-monitoring), then you can update the security agent by using the **Run command**. Use the agent version to which you want to update.  
If you use [Method 2 - By using Linux Package Managers](https://docs.amazonaws.cn/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html#heading:r2l:), you can use the scripts as specified in the [Installing the security agent manually](installing-gdu-security-agent-ec2-manually.md) section. The scripts already include the latest agent release version. For information about recently released agent versions, see [GuardDuty security agent versions for Amazon EC2 instances](runtime-monitoring-agent-release-history.md#ec2-gdu-agent-release-history).

After you update the security agent, you can check the installation status by looking at the logs. For more information, see [Validating GuardDuty security agent installation status](installing-gdu-security-agent-ec2-manually.md#validate-ec2-gdu-agent-installation-healthy).