Managing the security agent automatically for Amazon EKS clusters
Configuring Automated agent configuration for a standalone account
- Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, choose Enable to turn on Automated agent configuration for your account.
Choose a preferred approach to deploy the GuardDuty security agent, and follow the steps for that approach.

Manage security agent through GuardDuty (Monitor all EKS clusters)
- Choose Enable in the Automated agent configuration section. GuardDuty will manage the deployment of and updates to the security agent for all existing EKS clusters, and any new ones, in your account.
- Choose Save.
Monitor all EKS clusters but exclude some of them (using exclusion tag)
From the following procedures, choose the scenario that applies to you.
To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
- Add a tag to this EKS cluster with the key GuardDutyManaged and the value false. For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.
  Because this tag alone decides whether a cluster is excluded, any principal allowed to call eks:TagResource can opt a cluster out of runtime monitoring. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the Amazon Web Services account ID of the trusted entity. When you have more than one trusted entity, list each one in the aws:PrincipalArn array, as in the following example (the example repeats one ARN; use one distinct ARN per trusted principal):
    "aws:PrincipalArn": ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
- Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Always add the exclusion tag to your EKS clusters before enabling GuardDuty agent auto-management for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
- Under the Configuration tab, choose Enable in the GuardDuty agent management section. For the EKS clusters that have not been excluded from monitoring, GuardDuty will manage the deployment of and updates to the GuardDuty security agent.
- Choose Save.
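The substitution list above (repeated for every tag-based procedure on this page) describes a service control policy but never shows the finished document. The following is an added example, not code from the GuardDuty documentation: it assembles the policy with the documented substitutions applied and then evaluates its condition block against a few constructed tagging requests, so you can see which callers it actually stops. The statement shape (a Deny on the tag actions, gated by StringNotLike on aws:PrincipalArn and ForAnyValue:StringEquals on aws:TagKeys) is assumed to mirror the Amazon Organizations User Guide example the page refers to; the principal ARNs other than the page's placeholder are made up.

```python
import fnmatch
import json

TAG_KEY = "GuardDutyManaged"
# The page's substitutions: ec2:CreateTags -> eks:TagResource, ec2:DeleteTags -> eks:UntagResource
TAG_ACTIONS = ["eks:TagResource", "eks:UntagResource"]


def build_tag_protection_scp(trusted_principal_arns):
    """Return the tag-protection SCP as a dict.

    Shape assumed from the Amazon Organizations User Guide example: a Deny on the
    tag actions that applies when the caller is NOT one of the trusted principals
    AND the request touches the protected tag key. Only the values the page tells
    you to replace are filled in here (actions, tag key, principal ARNs).
    """
    arns = list(trusted_principal_arns)
    if not arns:
        raise ValueError("at least one trusted principal ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowModifyTagsOnlyByAuthorizedPrincipals",
                "Effect": "Deny",
                "Action": TAG_ACTIONS,
                "Resource": ["*"],
                "Condition": {
                    "StringNotLike": {"aws:PrincipalArn": arns},
                    "ForAnyValue:StringEquals": {"aws:TagKeys": [TAG_KEY]},
                },
            }
        ],
    }


def scp_denies(policy, action, principal_arn, tag_keys):
    """Evaluate the Deny statement(s) in `policy` against one request.

    Models only the two operators the statement uses:
      StringNotLike on aws:PrincipalArn       -> caller matches none of the patterns
      ForAnyValue:StringEquals on aws:TagKeys -> at least one request key is protected
    IAM's StringLike wildcards (* and ?) are approximated with fnmatch; ARNs do not
    contain [ ], so fnmatch's extra class syntax does not matter here. This is a
    teaching model of the condition logic, not the IAM policy engine.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]
        patterns = cond["StringNotLike"]["aws:PrincipalArn"]
        caller_trusted = any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)
        protected = set(cond["ForAnyValue:StringEquals"]["aws:TagKeys"])
        touches_protected = any(k in protected for k in tag_keys)
        if not caller_trusted and touches_protected:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample principals; the account ID is the placeholder from the page.
    admin = "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"
    dev = "arn:aws-cn:iam::123456789012:role/developers/app-deployer"
    policy = build_tag_protection_scp([admin])
    print(json.dumps(policy, indent=2))
    requests = [
        (dev, "eks:TagResource", ["GuardDutyManaged"]),      # opt-out attempt -> denied
        (dev, "eks:TagResource", ["team"]),                  # unrelated tag -> allowed
        (admin, "eks:UntagResource", ["GuardDutyManaged"]),  # trusted role -> allowed
    ]
    for who, action, keys in requests:
        denied = scp_denies(policy, action, who, keys)
        print(f"{action} by {who.rsplit('/', 1)[-1]} on {keys}: denied={denied}")
```

Two points the model makes visible: the policy only bites when the request names the GuardDutyManaged key, so ordinary tagging by developers is unaffected, and an SCP never restricts principals in the organization's management account, so the trusted-role list only matters for member accounts.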
To exclude an EKS cluster from monitoring after the GuardDuty security agent has already been deployed on this cluster
- Add a tag to this EKS cluster with the key GuardDutyManaged and the value false. For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.
  After this step, GuardDuty will no longer update the security agent on this cluster. However, the security agent remains deployed and GuardDuty continues to receive runtime events from this EKS cluster. This may affect your usage statistics.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the Amazon Web Services account ID of the trusted entity. When you have more than one trusted entity, list each one in the aws:PrincipalArn array, as in the following example (the example repeats one ARN; use one distinct ARN per trusted principal):
    "aws:PrincipalArn": ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
- To stop receiving runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.
Monitor selective EKS clusters using inclusion tags
- Make sure to choose Disable in the Automated agent configuration section. Keep Runtime Monitoring enabled.
- Choose Save.
- Add a tag to each EKS cluster that you want to monitor with the key GuardDutyManaged and the value true. For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.
  GuardDuty will manage the deployment of and updates to the security agent for only the EKS clusters that carry this tag.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the Amazon Web Services account ID of the trusted entity. When you have more than one trusted entity, list each one in the aws:PrincipalArn array, as in the following example (the example repeats one ARN; use one distinct ARN per trusted principal):
    "aws:PrincipalArn": ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
Manage agent manually
- Make sure to choose Disable in the Automated agent configuration section. Keep Runtime Monitoring enabled.
- Choose Save.
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
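The exclusion-tag and inclusion-tag procedures above spell out what GuardDuty does with the agent on a cluster depending on the account-level setting, the GuardDutyManaged tag, and whether the agent is already running. The following is an added example, not part of the GuardDuty documentation: it encodes those rules so you can preview the effect on every cluster before you flip Automated agent configuration, which is the moment the Note above warns about. The cluster names and tag sets are constructed sample data. It assumes the tag is matched exactly as documented (key GuardDutyManaged, value true or false) and that `agent_deployed` reflects what you observed on the cluster; nothing here talks to EKS or GuardDuty.

```python
from dataclasses import dataclass, field
from enum import Enum

TAG_KEY = "GuardDutyManaged"


class Outcome(Enum):
    MANAGED = "GuardDuty deploys and keeps updating the agent"
    NOT_DEPLOYED = "excluded: agent never deployed, no runtime events"
    FROZEN = ("excluded after deployment: agent stays, still sends runtime events, "
              "GuardDuty no longer updates it; remove the agent to stop the events")
    MANUAL = "not managed by GuardDuty; you manage the agent yourself"


@dataclass
class Cluster:
    name: str
    tags: dict = field(default_factory=dict)
    agent_deployed: bool = False  # assumption: determined by inspecting the cluster


def outcome_for(cluster: Cluster, automated_agent_enabled: bool) -> Outcome:
    """Apply the page's tag rules to one cluster.

    Automated agent configuration enabled  -> exclusion mode: every cluster is
        managed unless tagged GuardDutyManaged=false; an already-deployed agent
        on an excluded cluster is left in place and keeps reporting.
    Automated agent configuration disabled -> inclusion mode: only clusters
        tagged GuardDutyManaged=true are managed; the rest are yours to manage.
    The comparison is exact and case-sensitive, as the documented values are.
    """
    tag = cluster.tags.get(TAG_KEY)
    if automated_agent_enabled:
        if tag == "false":
            return Outcome.FROZEN if cluster.agent_deployed else Outcome.NOT_DEPLOYED
        return Outcome.MANAGED
    if tag == "true":
        return Outcome.MANAGED
    return Outcome.MANUAL


def preview(clusters, automated_agent_enabled: bool) -> dict:
    """Map cluster name -> Outcome for the given account-level setting."""
    return {c.name: outcome_for(c, automated_agent_enabled) for c in clusters}


def will_get_agent_on_enable(clusters) -> list:
    """Clusters that receive the agent the moment you choose Enable, because they
    carry no exclusion tag. Run this before enabling, as the Note above advises."""
    return [c.name for c in clusters if c.tags.get(TAG_KEY) != "false"]


if __name__ == "__main__":
    # Constructed sample clusters.
    sample = [
        Cluster("prod-api"),
        Cluster("sandbox", tags={TAG_KEY: "false"}),
        Cluster("legacy", tags={TAG_KEY: "false"}, agent_deployed=True),
        Cluster("payments", tags={TAG_KEY: "true"}),
    ]
    print("Will get the agent on Enable:", will_get_agent_on_enable(sample))
    for name, o in preview(sample, automated_agent_enabled=True).items():
        print(f"[auto on ] {name}: {o.value}")
    for name, o in preview(sample, automated_agent_enabled=False).items():
        print(f"[auto off] {name}: {o.value}")
```

The FROZEN outcome is the one that surprises people: tagging an already-monitored cluster with GuardDutyManaged=false stops updates but not data collection or billing, so the preview lists it separately from clusters that were never onboarded.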
Configuring Automated agent configuration for multi-account environments
In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable Automated agent configuration for the member accounts, and manage the Automated agent for the EKS clusters belonging to the member accounts in its organization. GuardDuty member accounts can't modify this configuration from their own accounts. The delegated GuardDuty administrator account manages its member accounts using Amazon Organizations. For more information about multi-account environments, see Managing multiple accounts.
Configuring Automated agent configuration for the delegated GuardDuty administrator account

| Preferred approach to manage GuardDuty security agent | Steps |
|---|---|
| Manage security agent through GuardDuty (Monitor all EKS clusters) | If you chose Enable for all accounts in the Runtime Monitoring section, then you have the following options: If you chose Configure accounts manually in the Runtime Monitoring section, then do the following: Choose Save. |
| Monitor all EKS clusters but exclude some of them (using exclusion tags) | From the following procedures, choose the scenario that applies to you: To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster; To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster. |
| Monitor selective EKS clusters using inclusion tags | Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters in your account: |
| Manage the GuardDuty security agent manually | Regardless of how you chose to enable Runtime Monitoring, you can manage the security agent manually for your EKS clusters. |
Auto-enable Automated agent configuration for all member accounts
Note
It may take up to 24 hours to update the configuration for the member accounts.

| Preferred approach to manage GuardDuty security agent | Steps |
|---|---|
| Manage security agent through GuardDuty (Monitor all EKS clusters) | This topic enables Runtime Monitoring for all member accounts; the following steps therefore assume that you chose Enable for all accounts in the Runtime Monitoring section. |
| Monitor all EKS clusters but exclude some of them (using exclusion tags) | From the following procedures, choose the scenario that applies to you: To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster; To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster. |
| Monitor selective EKS clusters using inclusion tags | Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters for all member accounts in your organization: |
| Manage the GuardDuty security agent manually | Regardless of how you chose to enable Runtime Monitoring, you can manage the security agent manually for your EKS clusters. |
Enabling Automated agent configuration for all existing active member accounts
Note
It may take up to 24 hours to update the configuration for the member accounts.
To manage the GuardDuty security agent for existing active member accounts in your organization
- For GuardDuty to receive runtime events from the EKS clusters that belong to the existing active member accounts in the organization, you must choose a preferred approach to manage the GuardDuty security agent for these EKS clusters. For more information about each of these approaches, see Approaches to manage GuardDuty security agent.

Manage security agent through GuardDuty (Monitor all EKS clusters)
To monitor all EKS clusters for all existing active member accounts
- On the Runtime Monitoring page, under the Configuration tab, view the current status of Automated agent configuration.
- Within the Automated agent configuration pane, under the Active member accounts section, choose Actions.
- From Actions, choose Enable for all existing active member accounts.
- Choose Confirm.
Monitor all EKS clusters but exclude some of them (using exclusion tag)
From the following procedures, choose the scenario that applies to you.
To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
- Add a tag to this EKS cluster with the key GuardDutyManaged and the value false. For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the Amazon Web Services account ID of the trusted entity. When you have more than one trusted entity, list each one in the aws:PrincipalArn array, as in the following example (the example repeats one ARN; use one distinct ARN per trusted principal):
    "aws:PrincipalArn": ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
- Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Always add the exclusion tag to the EKS clusters before enabling Automated agent configuration for the member accounts; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in those accounts.
- Under the Configuration tab, in the Automated agent configuration pane, under Active member accounts, choose Actions.
- From Actions, choose Enable for all active member accounts.
- Choose Confirm.
To exclude an EKS cluster from monitoring after the GuardDuty security agent has already been deployed on this cluster
- Add a tag to this EKS cluster with the key GuardDutyManaged and the value false. For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.
  After this step, GuardDuty will no longer update the security agent on this cluster. However, the security agent remains deployed and GuardDuty continues to receive runtime events from this EKS cluster. This may affect your usage statistics.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the Amazon Web Services account ID of the trusted entity. When you have more than one trusted entity, list each one in the aws:PrincipalArn array, as in the following example (the example repeats one ARN; use one distinct ARN per trusted principal):
    "aws:PrincipalArn": ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
- Regardless of how you manage the security agent (through GuardDuty or manually), to stop receiving runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.
Monitor selective EKS clusters using inclusion tags
- On the Accounts page, after you enable Runtime Monitoring, do not enable Runtime Monitoring - Automated agent configuration.
- Add a tag to each EKS cluster, belonging to the selected account, that you want to monitor. The key-value pair of the tag must be GuardDutyManaged - true. For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.
  GuardDuty will manage the deployment of and updates to the security agent for only the EKS clusters that carry this tag.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the Amazon Web Services account ID of the trusted entity. When you have more than one trusted entity, list each one in the aws:PrincipalArn array, as in the following example (the example repeats one ARN; use one distinct ARN per trusted principal):
    "aws:PrincipalArn": ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
Manage the GuardDuty security agent manually
- Make sure you don't choose Enable in the Automated agent configuration section. Keep Runtime Monitoring enabled.
- Choose Save.
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
Auto-enable Automated agent configuration for new members

| Preferred approach to manage GuardDuty security agent | Steps |
|---|---|
| Manage security agent through GuardDuty (Monitor all EKS clusters) | |
| Monitor all EKS clusters but exclude some of them (using exclusion tags) | From the following procedures, choose the scenario that applies to you: To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster; To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster. |
| Monitor selective EKS clusters using inclusion tags | Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters for the new member accounts in your organization. |
| Manage the GuardDuty security agent manually | Regardless of how you chose to enable Runtime Monitoring, you can manage the security agent manually for your EKS clusters. |
Configuring Automated agent configuration for active member accounts selectively

| Preferred approach to manage GuardDuty security agent | Steps |
|---|---|
| Manage security agent through GuardDuty (Monitor all EKS clusters) | |
| Monitor all EKS clusters but exclude some of them (using exclusion tags) | From the following procedures, choose the scenario that applies to you: To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster; To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster. |
| Monitor selective EKS clusters using inclusion tags | Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters that belong to the selected accounts: |
| Manage the GuardDuty security agent manually | |