Managing automated security agent for Fargate (Amazon ECS only) - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing automated security agent for Fargate (Amazon ECS only)

Runtime Monitoring supports managing the security agent for your Amazon ECS clusters (Amazon Fargate) only through GuardDuty. There is no support for managing the security agent manually on Amazon ECS clusters.

To enable GuardDuty to manage the security agent for your ECS-Fargate resources, follow the steps provided in the following sections.

Configuring GuardDuty agent for a standalone account

Console
  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Runtime Monitoring.

  3. Under the Configuration tab:

    1. To manage Automated agent configuration for all Amazon ECS clusters (account level)
      1. Choose Enable in the Automated agent configuration section for Amazon Fargate (ECS only). When a new Fargate Amazon ECS task launches, GuardDuty will manage the deployment of the security agent.

      2. Choose Save.

    2. To manage Automated agent configuration by excluding some of the Amazon ECS clusters (cluster level)
      1. Add a tag to each Amazon ECS cluster for which you want to exclude all of the tasks. The tag key must be GuardDutyManaged and the tag value must be false.

      2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role and principals whose own GuardDutyManaged tag matches the value being set. Replace the example administrator ARN with your own (in the China Regions the partition is aws-cn, for example arn:aws-cn:iam::123456789012:role/org-admins/iam-admin), and attach the policy as a service control policy in an organization, or as an identity-based policy on every principal that can tag Amazon ECS resources in a standalone account.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
              "Effect": "Deny",
              "Action": ["ecs:TagResource", "ecs:UntagResource"],
              "Resource": ["*"],
              "Condition": {
                "StringNotEquals": {
                  "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
                  "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
              }
            },
            {
              "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
              "Effect": "Deny",
              "Action": ["ecs:TagResource", "ecs:UntagResource"],
              "Resource": ["*"],
              "Condition": {
                "StringNotEquals": {
                  "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
                  "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
              }
            },
            {
              "Sid": "DenyModifyTagsIfPrinTagNotExists",
              "Effect": "Deny",
              "Action": ["ecs:TagResource", "ecs:UntagResource"],
              "Resource": ["*"],
              "Condition": {
                "StringNotEquals": {
                  "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
              }
            }
          ]
        }
      3. Under the Configuration tab, choose Enable in the Automated agent configuration section.

        Note

        Always add the exclusion tag to your Amazon ECS cluster before enabling GuardDuty agent auto-management for your account; otherwise, the security agent will be deployed in all the tasks that are launched within the corresponding Amazon ECS cluster.

        For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.

      4. Choose Save.

    3. To manage Automated agent configuration by including some of the Amazon ECS clusters (cluster level)
      1. Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The tag key must be GuardDutyManaged and the tag value must be true.

      2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
              "Effect": "Deny",
              "Action": ["ecs:TagResource", "ecs:UntagResource"],
              "Resource": ["*"],
              "Condition": {
                "StringNotEquals": {
                  "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
                  "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
              }
            },
            {
              "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
              "Effect": "Deny",
              "Action": ["ecs:TagResource", "ecs:UntagResource"],
              "Resource": ["*"],
              "Condition": {
                "StringNotEquals": {
                  "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
                  "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
              }
            },
            {
              "Sid": "DenyModifyTagsIfPrinTagNotExists",
              "Effect": "Deny",
              "Action": ["ecs:TagResource", "ecs:UntagResource"],
              "Resource": ["*"],
              "Condition": {
                "StringNotEquals": {
                  "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
              }
            }
          ]
        }
  4. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:
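As an added example (not part of the original page and not AWS code), the following Python script applies the rules of the procedure above programmatically: it decides, per cluster, whether GuardDuty will inject the sidecar given the account-level Automated agent configuration setting and the cluster's GuardDutyManaged tag, lists the Fargate services whose most recent deployment started before Runtime Monitoring was enabled, and forces a new deployment for them (the forceNewDeployment parameter that step 4 refers to). The calls follow the boto3 ECS client shape (list_clusters, describe_clusters, list_services, describe_services, update_service); the FakeECS class, its cluster and service ARNs and the ENABLED_AT timestamp are constructed so the script runs offline, and tag matching is assumed to be exact and case-sensitive. Replace FakeECS() with boto3.client("ecs") to run it against an account.

```python
# Added example (not AWS code): audit which Fargate clusters GuardDuty will
# instrument under the tag rules on this page, find services whose latest
# deployment predates enabling Runtime Monitoring, and force a new deployment
# for them. Calls follow the boto3 ECS client shape; FakeECS, its ARNs and
# ENABLED_AT are constructed so the script runs offline.
from datetime import datetime, timezone

TAG_KEY = "GuardDutyManaged"  # tag key from the page; exact, case-sensitive match assumed


def sidecar_expected(runtime_monitoring, auto_agent, tags):
    """Page rules: Runtime Monitoring must be on; GuardDutyManaged=false excludes a
    cluster even when the agent is auto-managed account-wide; GuardDutyManaged=true
    includes it even when it is not."""
    if not runtime_monitoring:
        return False
    value = tags.get(TAG_KEY)
    if value == "false":
        return False
    if value == "true":
        return True
    return auto_agent


def _paged(call, key, **kwargs):
    """Follow nextToken through a boto3-style list call and collect `key`."""
    items, token = [], None
    while True:
        resp = call(**kwargs, **({"nextToken": token} if token else {}))
        items.extend(resp[key])
        token = resp.get("nextToken")
        if not token:
            return items


def cluster_tags(ecs, cluster_arn):
    resp = ecs.describe_clusters(clusters=[cluster_arn], include=["TAGS"])
    return {t["key"]: t["value"] for t in resp["clusters"][0].get("tags", [])}


def stale_services(ecs, cluster_arn, enabled_at):
    """Fargate services whose PRIMARY deployment started before Runtime Monitoring
    was enabled: their running tasks were launched without the sidecar."""
    arns = _paged(ecs.list_services, "serviceArns", cluster=cluster_arn, launchType="FARGATE")
    stale = []
    for i in range(0, len(arns), 10):  # describe_services takes at most 10 ARNs per call
        for svc in ecs.describe_services(cluster=cluster_arn, services=arns[i:i + 10])["services"]:
            primary = next((d for d in svc["deployments"] if d["status"] == "PRIMARY"), None)
            if primary and primary["createdAt"] < enabled_at:
                stale.append(svc["serviceArn"])
    return stale


def audit(ecs, runtime_monitoring, auto_agent, enabled_at):
    """Per cluster: tag value, whether the sidecar is expected, services to redeploy."""
    report = {}
    for arn in _paged(ecs.list_clusters, "clusterArns"):
        tags = cluster_tags(ecs, arn)
        expected = sidecar_expected(runtime_monitoring, auto_agent, tags)
        report[arn] = {"tag": tags.get(TAG_KEY), "sidecar_expected": expected,
                       "needs_redeploy": stale_services(ecs, arn, enabled_at) if expected else []}
    return report


def force_redeploy(ecs, report):
    """Same effect as `aws ecs update-service --force-new-deployment` per stale service."""
    done = []
    for cluster_arn, row in report.items():
        for svc in row["needs_redeploy"]:
            ecs.update_service(cluster=cluster_arn, service=svc, forceNewDeployment=True)
            done.append(svc)
    return done


ENABLED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed enablement time
PROD = "arn:aws-cn:ecs:cn-north-1:123456789012:cluster/prod"
PAYMENTS = "arn:aws-cn:ecs:cn-north-1:123456789012:cluster/payments"
API = "arn:aws-cn:ecs:cn-north-1:123456789012:service/payments/api"
WORKER = "arn:aws-cn:ecs:cn-north-1:123456789012:service/payments/worker"


class FakeECS:
    """Constructed stand-in for boto3.client("ecs"): prod is excluded by tag, payments
    is untagged, and only its api service was deployed before ENABLED_AT."""
    clusters = {PROD: [{"key": TAG_KEY, "value": "false"}], PAYMENTS: []}
    deployed = {API: datetime(2024, 5, 20, tzinfo=timezone.utc),
                WORKER: datetime(2024, 6, 3, tzinfo=timezone.utc)}

    def __init__(self):
        self.redeployed = []

    def list_clusters(self, **_):
        return {"clusterArns": list(self.clusters)}

    def describe_clusters(self, clusters, **_):
        return {"clusters": [{"clusterArn": c, "tags": self.clusters[c]} for c in clusters]}

    def list_services(self, cluster, **_):
        name = cluster.rsplit("/", 1)[1]
        return {"serviceArns": [s for s in self.deployed if s.split("/")[-2] == name]}

    def describe_services(self, cluster, services):
        return {"services": [{"serviceArn": s, "deployments": [{"status": "PRIMARY", "createdAt": self.deployed[s]}]}
                             for s in services]}

    def update_service(self, cluster, service, forceNewDeployment):
        self.redeployed.append(service)
        return {"service": {"serviceArn": service}}


if __name__ == "__main__":
    ecs = FakeECS()  # replace with boto3.client("ecs") to run against an account
    rep = audit(ecs, runtime_monitoring=True, auto_agent=True, enabled_at=ENABLED_AT)
    for arn, row in rep.items():
        print(arn.rsplit("/", 1)[1], row)
    print("redeployed:", force_redeploy(ecs, rep))
```

With account-level Automated agent configuration enabled, the report marks the prod cluster (tagged GuardDutyManaged=false) as not monitored, marks the untagged payments cluster as monitored, and flags only its api service, whose PRIMARY deployment predates ENABLED_AT; force_redeploy then calls update_service with forceNewDeployment=True for that service. Standalone tasks started with RunTask are outside the script's scope; they have no service deployment to force and must be stopped and started again.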

Configuring GuardDuty agent for multi-account environment

In a multiple-account environment, only the delegated GuardDuty administrator account can enable or disable automated agent configuration for the member accounts, and manage automated agent configuration for Amazon ECS clusters that belong to the member accounts in their organization. A GuardDuty member account can't modify this configuration. The delegated GuardDuty administrator account manages their member accounts using Amazon Organizations. For more information about multi-account environments, see Managing multiple accounts in GuardDuty.

Enabling automated agent configuration for delegated GuardDuty administrator account

Manage for all Amazon ECS clusters (account level)

If you chose Enable for all accounts for Runtime Monitoring, then you have the following options:

  • Choose Enable for all accounts in the Automated agent configuration section. GuardDuty will deploy and manage the security agent for all the Amazon ECS tasks that get launched.

  • Choose Configure accounts manually.

If you chose Configure accounts manually in the Runtime Monitoring section, then do the following:

  1. Choose Configure accounts manually in the Automated agent configuration section.

  2. Choose Enable in the delegated GuardDuty administrator account (this account) section.

  3. Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

For steps to update the service, see the following resources:

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster that you want to exclude. The tag key must be GuardDutyManaged and the tag value must be false.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

  5. Under the Configuration tab, choose Enable in the Automated agent configuration section.

    Note

    Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your account; otherwise the GuardDuty sidecar container will be added to every Amazon ECS task that gets launched, including tasks launched in clusters you have not yet tagged.

    For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.

  6. Choose Save.

  7. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:
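Before attaching the tag-protection policy shown in step 2 above (the same policy appears in the standalone-account section), it helps to know exactly which callers it stops. The following Python evaluator is an added example, not AWS code and not the IAM engine: it encodes the policy's three Deny statements together with the IAM evaluation rules they rely on (all keys inside one operator block must match; a negated operator such as StringNotEquals matches when its key is absent from the request; Null tests whether a key is present; ForAnyValue:StringEquals matches a multi-valued key such as aws:TagKeys) and reports, for a constructed request, which statements fire. The administrator ARN is the placeholder from the policy; the developer role, principal tags and cluster tags in the scenarios are constructed. Treat it as a pre-check and confirm the results against IAM itself, for example with aws iam simulate-principal-policy.

```python
# Added example (not AWS code, not the IAM engine): evaluate the three Deny
# statements of the tag-protection policy against a constructed request to see
# which callers may change a cluster's GuardDutyManaged tag. Encoded IAM rules:
# keys in one operator block are ANDed; StringNotEquals is true when its key is
# absent from the request; Null tests key presence; ForAnyValue:StringEquals
# matches a set-valued key (aws:TagKeys). Confirm with the IAM policy simulator.
ADMIN_ARN = "arn:aws:iam::123456789012:role/org-admins/iam-admin"  # placeholder from the policy
DEV_ARN = "arn:aws:iam::123456789012:role/dev"                     # constructed non-admin role
TAG = "GuardDutyManaged"
S1 = "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch"
S2 = "DenyModifyResAuthzTagIfPrinTagDontMatch"
S3 = "DenyModifyTagsIfPrinTagNotExists"


def request(action, principal_arn, principal_tags, resource_tags, tags):
    """Request context IAM sees for ecs:TagResource / ecs:UntagResource.
    `tags` is the dict applied by TagResource or the list of keys removed by
    UntagResource; aws:TagKeys is present for both, aws:RequestTag/* only for TagResource."""
    ctx = {"action": action, "aws:PrincipalArn": principal_arn, "aws:TagKeys": set(tags)}
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    ctx.update({f"ecs:ResourceTag/{k}": v for k, v in resource_tags.items()})
    if action == "ecs:TagResource":
        ctx.update({f"aws:RequestTag/{k}": v for k, v in tags.items()})
    return ctx


def string_not_equals(ctx, key, expected):
    """Negated operator: matches when the key is absent. An unresolvable policy
    variable (expected is None because the principal lacks the tag) is treated as
    no match; statement S3 covers that case, so the final decision is unaffected."""
    if expected is None:
        return False
    return key not in ctx or ctx[key] != expected


def fired_statements(ctx):
    """Sids of the Deny statements whose Condition blocks all hold for `ctx`."""
    principal_tag = ctx.get(f"aws:PrincipalTag/{TAG}")
    not_admin = string_not_equals(ctx, "aws:PrincipalArn", ADMIN_ARN)
    fired = []
    # S1: the resource already carries the tag and its value differs from the principal's
    if (not_admin and f"ecs:ResourceTag/{TAG}" in ctx
            and string_not_equals(ctx, f"ecs:ResourceTag/{TAG}", principal_tag)):
        fired.append(S1)
    # S2: the request touches the tag key with a value that differs from the principal's
    if (not_admin and TAG in ctx["aws:TagKeys"]
            and string_not_equals(ctx, f"aws:RequestTag/{TAG}", principal_tag)):
        fired.append(S2)
    # S3: the caller is not the administrator and carries no GuardDutyManaged principal tag
    if not_admin and f"aws:PrincipalTag/{TAG}" not in ctx:
        fired.append(S3)
    return fired


def permitted_by_policy(action, principal_arn, principal_tags, resource_tags, tags):
    """True when no Deny fires; an Allow elsewhere is still needed for the call to succeed."""
    return not fired_statements(request(action, principal_arn, principal_tags, resource_tags, tags))


# Constructed scenarios: description, action, caller, caller tags, cluster tags, tags in the request
SCENARIOS = [
    ("admin sets exclusion tag", "ecs:TagResource", ADMIN_ARN, {}, {}, {TAG: "false"}),
    ("untagged dev sets exclusion tag", "ecs:TagResource", DEV_ARN, {}, {}, {TAG: "false"}),
    ("dev tagged false excludes an untagged cluster", "ecs:TagResource", DEV_ARN, {TAG: "false"}, {}, {TAG: "false"}),
    ("dev tagged true flips an excluded cluster", "ecs:TagResource", DEV_ARN, {TAG: "true"}, {TAG: "false"}, {TAG: "true"}),
    ("dev tagged true removes a matching tag", "ecs:UntagResource", DEV_ARN, {TAG: "true"}, {TAG: "true"}, [TAG]),
    ("dev tagged true adds env tag to excluded cluster", "ecs:TagResource", DEV_ARN, {TAG: "true"}, {TAG: "false"}, {"env": "prod"}),
    ("dev tagged true adds env tag to matching cluster", "ecs:TagResource", DEV_ARN, {TAG: "true"}, {TAG: "true"}, {"env": "prod"}),
]

if __name__ == "__main__":
    for desc, action, arn, ptags, rtags, tags in SCENARIOS:
        print(f"{desc:52} {fired_statements(request(action, arn, ptags, rtags, tags)) or 'not denied'}")
```

Two results are worth noticing. A non-administrator can never remove the GuardDutyManaged tag: on UntagResource there is no aws:RequestTag key, so the StringNotEquals in the second statement matches and it fires even when the caller's principal tag matches the cluster. And a principal that itself carries GuardDutyManaged=false can apply that value to any cluster that has no tag yet, so the ability to set that principal tag is as sensitive as the administrator role; guard IAM tagging (iam:TagRole, iam:TagUser) the same way.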

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The tag key must be GuardDutyManaged and the tag value must be true.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
    Note

    When using inclusion tags for your Amazon ECS clusters, you don't need to enable the GuardDuty agent through Automated agent configuration explicitly.

  3. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Auto-enable for all member accounts

Manage for all Amazon ECS clusters (account level)

The following steps assume that you chose Enable for all accounts in the Runtime Monitoring section.

  1. Choose Enable for all accounts in the Automated agent configuration section. GuardDuty will deploy and manage the security agent for all the Amazon ECS tasks that get launched.

  2. Choose Save.

  3. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster that you want to exclude. The tag key must be GuardDutyManaged and the tag value must be false.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

  5. Under the Configuration tab, choose Edit.

    Note

    Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your accounts; otherwise the GuardDuty sidecar container will be added to every Amazon ECS task that gets launched, including tasks launched in clusters you have not yet tagged.

  6. Choose Enable for all accounts in the Automated agent configuration section.

    For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.

  7. Choose Save.

  8. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for selective (inclusion-only) Amazon ECS clusters (cluster level)

Regardless of how you choose to enable Runtime Monitoring, the following steps will help you monitor selective Amazon ECS Fargate tasks for all of the member accounts in your organization.

  1. Do not enable any configuration in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as you selected in the previous step.

  2. Choose Save.

  3. Add a tag to each Amazon ECS cluster (in any member account) for which you want to include all of the tasks; the tag key must be GuardDutyManaged and the tag value must be true. Then prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
    Note

    When using inclusion tags for your Amazon ECS clusters, you don't need to enable GuardDuty agent auto-management explicitly.

  4. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Enabling automated agent configuration for existing active member accounts

Manage for all Amazon ECS clusters (account level)
  1. On the Runtime Monitoring page, under the Configuration tab, you can view the current status of Automated agent configuration.

  2. Within the Automated agent configuration pane, under the Active member accounts section, choose Actions.

  3. From Actions, choose Enable for all existing active member accounts.

  4. Choose Confirm.

  5. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster that you want to exclude. The tag key must be GuardDutyManaged and the tag value must be false.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

  5. Under the Configuration tab, in the Automated agent configuration section, under Active member accounts, choose Actions.

    Note

    Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for these accounts; otherwise the GuardDuty sidecar container will be added to every Amazon ECS task that gets launched, including tasks launched in clusters you have not yet tagged.

  6. From Actions, choose Enable for all active member accounts.

    For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.

  7. Choose Confirm.

  8. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The tag key must be GuardDutyManaged and the tag value must be true.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
    Note

    When using inclusion tags for your Amazon ECS clusters, you don't need to enable Automated agent configuration explicitly.

  3. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Auto-enable Automated agent configuration for new members

Manage for all Amazon ECS clusters (account level)
  1. On the Runtime Monitoring page, choose Edit to update the existing configuration.

  2. In the Automated agent configuration section, select Automatically enable for new member accounts.

  3. Choose Save.

  4. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster that you want to exclude. The tag key must be GuardDutyManaged and the tag value must be false.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

  5. Under the Configuration tab, select Automatically enable for new member accounts in the Automated agent configuration section.

    Note

    Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your accounts; otherwise the GuardDuty sidecar container will be added to every Amazon ECS task that gets launched, including tasks launched in clusters you have not yet tagged.

    For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.

  6. Choose Save.

  7. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The tag key must be GuardDutyManaged and the tag value must be true.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
    Note

    When using inclusion tags for your Amazon ECS clusters, you don't need to enable Automated agent configuration explicitly.

  3. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Enabling Automated agent configuration for active member accounts selectively

Manage for all Amazon ECS (account level)
  1. On the Accounts page, select the accounts for which you want to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate). You can select multiple accounts. Make sure that the accounts that you select in this step are already enabled with Runtime Monitoring.

  2. From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate).

  3. Choose Confirm.

  4. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
  1. Add a tag to each Amazon ECS cluster that you want to exclude. The tag key must be GuardDutyManaged and the tag value must be false.

  2. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

  5. On the Accounts page, select the accounts for which you want to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate). You can select multiple accounts. Make sure that the accounts that you select in this step are already enabled with Runtime Monitoring.

    Note

    Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for these accounts; otherwise the GuardDuty sidecar container will be added to every Amazon ECS task that gets launched, including tasks launched in clusters you have not yet tagged.

    For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.

  6. From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate).

  7. Choose Save.

  8. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources:

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
  1. Make sure you don't enable Automated agent configuration (or Runtime Monitoring-Automated agent configuration (ECS-Fargate)) for the selected accounts that have the Amazon ECS clusters that you want to monitor.

  2. Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The tag key must be GuardDutyManaged and the tag value must be true.

  3. Prevent modification of these tags, except by trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide has been modified to be applicable here. It denies the Amazon ECS tagging actions, ecs:TagResource and ecs:UntagResource, to every caller except the designated administrator role (replace the example ARN with your own; in the China Regions the partition is aws-cn) and principals whose own GuardDutyManaged tag matches the value being set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
          }
        },
        {
          "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
          }
        },
        {
          "Sid": "DenyModifyTagsIfPrinTagNotExists",
          "Effect": "Deny",
          "Action": ["ecs:TagResource", "ecs:UntagResource"],
          "Resource": ["*"],
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
            },
            "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
          }
        }
      ]
    }
    Note

    When using inclusion tags for your Amazon ECS clusters, you don't need to enable Automated agent configuration explicitly.

  4. When you want GuardDuty to monitor tasks that are part of a service, it requires a new service deployment after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service, or update the service by using forceNewDeployment.

    For steps to update the service, see the following resources: