Managing security agent automatically for Amazon EKS clusters - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing security agent automatically for Amazon EKS clusters

Configuring Automated agent for standalone account

  1. Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Runtime Monitoring.

  3. Under the Configuration tab, choose Enable to enable automated agent configuration for your account.

    Preferred approaches to deploy the GuardDuty security agent, and the steps for each:

    Manage security agent through GuardDuty (Monitor all EKS clusters)

    1. Choose Enable in the Automated agent configuration section. GuardDuty will manage the deployment of and updates to the security agent for all the existing and potentially new EKS clusters in your account.

    2. Choose Save.

    Monitor all EKS clusters but exclude some of them (using exclusion tag)

    From the following procedures, choose one of the scenarios that is applicable to you.

    To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
    1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

      For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

      • Replace ec2:CreateTags with eks:TagResource.

      • Replace ec2:DeleteTags with eks:UntagResource.

      • Replace access-project with GuardDutyManaged.

      • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

        When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
    3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    4. In the navigation pane, choose Runtime Monitoring.

      Note

      Always add the exclusion tag to your EKS clusters before enabling GuardDuty agent auto-management for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    5. Under the Configuration tab, choose Enable in the GuardDuty agent management section.

      For the EKS clusters that have not been excluded from monitoring, GuardDuty will manage the deployment of and updates to the GuardDuty security agent.

    6. Choose Save.

    To exclude an EKS cluster from monitoring after the GuardDuty security agent has already been deployed on this cluster
    1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

      For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

      After this step, GuardDuty will not update the security agent for this cluster. However, the security agent will remain deployed and GuardDuty will keep on receiving the runtime events from this EKS cluster. This may impact your usage statistics.

    2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

      • Replace ec2:CreateTags with eks:TagResource.

      • Replace ec2:DeleteTags with eks:UntagResource.

      • Replace access-project with GuardDutyManaged.

      • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

        When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
    3. To stop receiving the runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.

    Monitor selective EKS clusters using inclusion tags

    1. Make sure to choose Disable in the Automated agent configuration section. Keep Runtime Monitoring enabled.

    2. Choose Save.

    3. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as true.

      For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

      GuardDuty will manage the deployment of and updates to the security agent for the selective EKS clusters that you want to monitor.

    4. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

      • Replace ec2:CreateTags with eks:TagResource.

      • Replace ec2:DeleteTags with eks:UntagResource.

      • Replace access-project with GuardDutyManaged.

      • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

        When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]

    Manage agent manually

    1. Make sure to choose Disable in the Automated agent configuration section. Keep Runtime Monitoring enabled.

    2. Choose Save.

    3. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Configuring Automated agent for multi-account environments

In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable Automated agent configuration for the member accounts, and manage Automated agent for the EKS clusters belonging to the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages its member accounts using Amazon Organizations. For more information about multi-account environments, see Managing multiple accounts.

Configuring Automated agent configuration for delegated GuardDuty administrator account

Preferred approaches to manage the GuardDuty security agent, and the steps for each:

Manage security agent through GuardDuty (Monitor all EKS clusters)

If you chose Enable for all accounts in the Runtime Monitoring section, then you have the following options:

  • Choose Enable for all accounts in the Automated agent configuration section. GuardDuty will deploy and manage the security agent for all the EKS clusters that belong to the delegated GuardDuty administrator account and also for all the EKS clusters that belong to all the existing and potentially new member accounts in the organization.

  • Choose Configure accounts manually.

If you chose Configure accounts manually in the Runtime Monitoring section, then do the following:

  1. Choose Configure accounts manually in the Automated agent configuration section.

  2. Choose Enable in the delegated GuardDuty administrator account (this account) section.

Choose Save.

Monitor all EKS clusters but exclude some of them (using exclusion tags)

From the following procedures, choose one of the scenarios that apply to you.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

    Note

    Always add the exclusion tag to your EKS clusters before enabling GuardDuty agent auto-management for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

  5. Under the Configuration tab, choose Enable in the GuardDuty agent management section.

    For the EKS clusters that have not been excluded from monitoring, GuardDuty will manage the deployment of and updates to the GuardDuty security agent.

  6. Choose Save.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. If you had automated agent enabled for this EKS cluster, then after this step, GuardDuty will not update the security agent for this cluster. However, the security agent will remain deployed and GuardDuty will keep on receiving the runtime events from this EKS cluster. This may impact your usage statistics.

    To stop receiving the runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.

  4. If you were managing the GuardDuty security agent for this EKS cluster manually, then see Impact of disabling and cleaning up resources.

Monitor selective EKS clusters using inclusion tags

Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters in your account:

  1. Make sure to choose Disable for delegated GuardDuty administrator account (this account) in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as configured in the previous step.

  2. Choose Save.

  3. Add a tag to your EKS cluster with the key as GuardDutyManaged and its value as true.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    GuardDuty will manage the deployment of and updates to the security agent for the selective EKS clusters that you want to monitor.

  4. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]

Manage the GuardDuty security agent manually

Regardless of how you chose to enable Runtime Monitoring, you can manage the security agent manually for your EKS clusters.

  1. Make sure to choose Disable for delegated GuardDuty administrator account (this account) in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as configured in the previous step.

  2. Choose Save.

  3. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Auto-enable Automated agent for all member accounts

Note

It may take up to 24 hours to update the configuration for the member accounts.

Preferred approaches to manage the GuardDuty security agent, and the steps for each:

Manage security agent through GuardDuty (Monitor all EKS clusters)

This topic covers enabling Runtime Monitoring for all member accounts; the following steps therefore assume that you have chosen Enable for all accounts in the Runtime Monitoring section.

  1. Choose Enable for all accounts in the Automated agent configuration section. GuardDuty will deploy and manage the security agent for all the EKS clusters that belong to the delegated GuardDuty administrator account and also for all the EKS clusters that belong to all the existing and potentially new member accounts in the organization.

  2. Choose Save.

Monitor all EKS clusters but exclude some of them (using exclusion tags)

From the following procedures, choose one of the scenarios that apply to you.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

    Note

    Always add the exclusion tag to your EKS clusters before enabling Automated agent for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

  5. Under the Configuration tab, choose Edit in the Runtime Monitoring configuration section.

  6. Choose Enable for all accounts in the Automated agent configuration section. For the EKS clusters that have not been excluded from monitoring, GuardDuty will manage the deployment of and updates to the GuardDuty security agent.

  7. Choose Save.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

  2. If you had Automated agent configuration enabled for this EKS cluster, then after this step, GuardDuty will not update the security agent for this cluster. However, the security agent will remain deployed and GuardDuty will keep on receiving the runtime events from this EKS cluster. This may impact your usage statistics.

    To stop receiving the runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.

  3. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  4. If you were managing the GuardDuty security agent for this EKS cluster manually, then see Impact of disabling and cleaning up resources.

Monitor selective EKS clusters using inclusion tags

Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters for all member accounts in your organization:

  1. Do not enable any configuration in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as configured in the previous step.

  2. Choose Save.

  3. Add a tag to your EKS cluster with the key as GuardDutyManaged and its value as true.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    GuardDuty will manage the deployment of and updates to the security agent for the selective EKS clusters that you want to monitor.

  4. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]

Manage the GuardDuty security agent manually

Regardless of how you chose to enable Runtime Monitoring, you can manage the security agent manually for your EKS clusters.

  1. Do not enable any configuration in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as configured in the previous step.

  2. Choose Save.

  3. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Enabling automated agent for all existing active member accounts

Note

It may take up to 24 hours to update the configuration for the member accounts.

To manage GuardDuty security agent for existing active member accounts in your organization
  • For GuardDuty to receive the runtime events from the EKS clusters that belong to the existing active member accounts in the organization, you must choose a preferred approach to manage the GuardDuty security agent for these EKS clusters. For more information about each of these approaches, see Approaches to manage GuardDuty security agent.

    Preferred approaches to manage the GuardDuty security agent, and the steps for each:

    Manage security agent through GuardDuty (Monitor all EKS clusters)

    To monitor all EKS clusters for all existing active member accounts
    1. On the Runtime Monitoring page, under the Configuration tab, you can view the current status of Automated agent configuration.

    2. Within the Automated agent configuration pane, under the Active member accounts section, choose Actions.

    3. From Actions, choose Enable for all existing active member accounts.

    4. Choose Confirm.

    Monitor all EKS clusters but exclude some of them (using exclusion tag)

    From the following procedures, choose one of the scenarios that apply to you.

    To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
    1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

      For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

      • Replace ec2:CreateTags with eks:TagResource.

      • Replace ec2:DeleteTags with eks:UntagResource.

      • Replace access-project with GuardDutyManaged.

      • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

        When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
    3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    4. In the navigation pane, choose Runtime Monitoring.

      Note

      Always add the exclusion tag to your EKS clusters before enabling Automated agent configuration for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    5. Under the Configuration tab, in the Automated agent configuration pane, under Active member accounts, choose Actions.

    6. From Actions, choose Enable for all active member accounts.

    7. Choose Confirm.

    To exclude an EKS cluster from monitoring after the GuardDuty security agent has already been deployed on this cluster
    1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

      For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

      After this step, GuardDuty will not update the security agent for this cluster. However, the security agent will remain deployed and GuardDuty will keep on receiving the runtime events from this EKS cluster. This may impact your usage statistics.

    2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

      • Replace ec2:CreateTags with eks:TagResource.

      • Replace ec2:DeleteTags with eks:UntagResource.

      • Replace access-project with GuardDutyManaged.

      • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

        When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
    3. Regardless of how you manage the security agent (through GuardDuty or manually), to stop receiving the runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.

    Monitor selective EKS clusters using inclusion tags

    1. On the Accounts page, after you enable Runtime Monitoring, do not enable Runtime Monitoring - Automated agent configuration.

    2. Add a tag to the EKS cluster that belongs to the selected account that you want to monitor. The tag must have the key GuardDutyManaged and the value true.

      For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

      GuardDuty will manage the deployment of and updates to the security agent for the selective EKS clusters that you want to monitor.

    3. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

      • Replace ec2:CreateTags with eks:TagResource.

      • Replace ec2:DeleteTags with eks:UntagResource.

      • Replace access-project with GuardDutyManaged.

      • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

        When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]

    Manage the GuardDuty security agent manually

    1. Make sure you don't choose Enable in the Automated agent configuration section. Keep Runtime Monitoring enabled.

    2. Choose Save.

    3. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Auto-enable automated agent configuration for new members

Preferred approaches to manage the GuardDuty security agent, and the steps for each:

Manage security agent through GuardDuty (Monitor all EKS clusters)

  1. On the Runtime Monitoring page, choose Edit to update the existing configuration.

  2. In the Automated agent configuration section, select Automatically enable for new member accounts.

  3. Choose Save.

Monitor all EKS clusters but exclude some of them (using exclusion tags)

From the following procedures, choose one of the scenarios that apply to you.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  4. In the navigation pane, choose Runtime Monitoring.

    Note

    Always add the exclusion tag to your EKS clusters before enabling Automated agent configuration for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

  5. Under the Configuration tab, select Automatically enable for new member accounts in the GuardDuty agent management section.

    For the EKS clusters that have not been excluded from monitoring, GuardDuty will manage the deployment of and updates to the GuardDuty security agent.

  6. Choose Save.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster
  1. Regardless of whether you manage the GuardDuty security agent through GuardDuty or manually, add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    If you had Automated agent enabled for this EKS cluster, then after this step, GuardDuty will not update the security agent for this cluster. However, the security agent will remain deployed and GuardDuty will keep on receiving the runtime events from this EKS cluster. This may impact your usage statistics.

    To stop receiving the runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged.

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. If you were managing the GuardDuty security agent for this EKS cluster manually, then see Impact of disabling and cleaning up resources.

Monitor selective EKS clusters using inclusion tags

Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters for the new member accounts in your organization.

  1. Make sure to clear Automatically enable for new member accounts in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as configured in the previous step.

  2. Choose Save.

  3. Add a tag to your EKS cluster with the key as GuardDutyManaged and its value as true.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    GuardDuty will manage the deployment of and updates to the security agent for the selective EKS clusters that you want to monitor.

  4. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]

Manage the GuardDuty security agent manually

Regardless of how you chose to enable Runtime Monitoring, you can manage the security agent manually for your EKS clusters.

  1. Make sure to clear the checkbox Automatically enable for new member accounts in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as configured in the previous step.

  2. Choose Save.

  3. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Configuring Automated agent for active member accounts selectively

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty

(Monitor all EKS clusters)

  1. On the Accounts page, select the accounts for which you want to enable Automated agent configuration. You can select more than one account at a time. Make sure that the accounts you select in this step already have EKS Runtime Monitoring enabled.

  2. From Edit Protection plans choose the appropriate option to enable Runtime Monitoring - Automated agent configuration.

  3. Choose Confirm.

Monitor all EKS clusters but exclude some of them (using exclusion tags)

From the following procedures, choose one of the scenarios that apply to you.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has not been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Note

    Always add the exclusion tag to your EKS clusters before enabling Automated agent configuration for your account; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

  4. On the Accounts page, select the account for which you want to enable Manage agent automatically. You can select more than one account at a time.

  5. From Edit protection plans, choose the appropriate option to enable Runtime Monitoring - Automated agent configuration for the selected account.

    For the EKS clusters that have not been excluded from monitoring, GuardDuty will manage the deployment of and updates to the GuardDuty security agent.

  6. Choose Save.

To exclude an EKS cluster from monitoring when the GuardDuty security agent has been deployed on this cluster
  1. Add a tag to this EKS cluster with the key as GuardDutyManaged and its value as false.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    If you previously had Automated agent configuration enabled for this EKS cluster, then after this step GuardDuty will no longer update the security agent for this cluster. However, the security agent remains deployed and GuardDuty keeps receiving runtime events from this EKS cluster, which may affect your usage statistics.

    To stop receiving runtime events from this cluster, you must remove the deployed security agent from this EKS cluster. For more information about removing the deployed security agent, see Impact of disabling and cleaning up resources.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
  3. If you were managing the GuardDuty security agent for this EKS cluster manually, you must remove it. For more information, see Impact of disabling and cleaning up resources.

Monitor selective EKS clusters using inclusion tags

Regardless of how you chose to enable Runtime Monitoring, the following steps will help you monitor selective EKS clusters that belong to the selected accounts:

  1. Make sure that you do not enable Runtime Monitoring - Automated agent configuration for the selected accounts that have the EKS clusters that you want to monitor.

  2. Add a tag to your EKS cluster with the key as GuardDutyManaged and its value as true.

    For more information about tagging your Amazon EKS cluster, see Working with tags using the console in the Amazon EKS User Guide.

    After adding the tag, GuardDuty will manage the deployment of and updates to the security agent for the selective EKS clusters that you want to monitor.

  3. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the Amazon Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the Amazon Web Services account ID of the trusted entity.

      When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

      "aws:PrincipalArn":["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin", "arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]
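The exclusion-tag and inclusion-tag procedures above (for both standalone and member accounts) reduce to two things a practitioner wants to check before flipping the console switch: the tag-protection policy with the eks:TagResource / eks:UntagResource substitutions applied, and which clusters GuardDuty will actually take over given the tags already present. The following is an added example, not code from the GuardDuty documentation. It assumes a simplified single-statement form of the Organizations "Prevent tags from being modified except by authorized principals" policy (the referenced policy has more statements), the aws-cn partition, the page's placeholder account 123456789012 and role org-admins/iam-admin, and a constructed cluster inventory; the would_be_denied evaluator mirrors IAM semantics only for the two condition operators used here.

```python
"""Added example: GuardDutyManaged tag protection and cluster selection.

Not part of the GuardDuty documentation. Policy shape, account ID, role name
and cluster inventory below are assumptions / constructed sample data.
"""
import json

TAG_KEY = "GuardDutyManaged"


def tag_protection_policy(trusted_principal_arns, partition="aws-cn"):
    """Deny eks:TagResource / eks:UntagResource on the GuardDutyManaged key for
    every principal except the trusted ARNs. This is the page's substitution
    (ec2:CreateTags -> eks:TagResource, ec2:DeleteTags -> eks:UntagResource,
    access-project -> GuardDutyManaged) applied to a simplified, one-statement
    version of the referenced Organizations policy (assumption)."""
    if not trusted_principal_arns:
        raise ValueError("at least one trusted principal ARN is required")
    for arn in trusted_principal_arns:
        if not arn.startswith(f"arn:{partition}:iam::"):
            raise ValueError(f"ARN is not in partition {partition}: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyGuardDutyManagedTagChangesExceptTrusted",
                "Effect": "Deny",
                "Action": ["eks:TagResource", "eks:UntagResource"],
                "Resource": "*",
                "Condition": {
                    # Only requests that add or remove the GuardDutyManaged key...
                    "ForAnyValue:StringEquals": {"aws:TagKeys": [TAG_KEY]},
                    # ...made by a principal that matches none of the trusted ARNs
                    # (StringNotEquals with a list is true when no value matches).
                    "StringNotEquals": {"aws:PrincipalArn": list(trusted_principal_arns)},
                },
            }
        ],
    }


def would_be_denied(policy, principal_arn, tag_keys):
    """Minimal offline evaluator for the single Deny statement built above."""
    cond = policy["Statement"][0]["Condition"]
    touches_key = any(k in cond["ForAnyValue:StringEquals"]["aws:TagKeys"] for k in tag_keys)
    untrusted = principal_arn not in cond["StringNotEquals"]["aws:PrincipalArn"]
    return touches_key and untrusted


def clusters_guardduty_manages(clusters, automated_agent_enabled):
    """Names of clusters whose agent GuardDuty will deploy and update.

    Automated agent configuration enabled: every cluster except those tagged
    GuardDutyManaged=false (exclusion tags). Disabled: only clusters tagged
    GuardDutyManaged=true (inclusion tags). Values are compared exactly."""
    managed = []
    for cluster in clusters:
        value = cluster.get("tags", {}).get(TAG_KEY)
        if automated_agent_enabled:
            if value != "false":
                managed.append(cluster["name"])
        elif value == "true":
            managed.append(cluster["name"])
    return managed


def still_reports_after_exclusion(cluster):
    """Tagging a cluster false stops agent updates, but an agent that is already
    deployed keeps sending runtime events until it is removed."""
    return bool(cluster.get("agent_deployed", False))


# Constructed sample inventory (not real clusters).
SAMPLE_CLUSTERS = [
    {"name": "prod-a", "tags": {}, "agent_deployed": False},
    {"name": "prod-b", "tags": {TAG_KEY: "true"}, "agent_deployed": True},
    {"name": "sandbox", "tags": {TAG_KEY: "false"}, "agent_deployed": True},
]

TRUSTED = ["arn:aws-cn:iam::123456789012:role/org-admins/iam-admin"]

if __name__ == "__main__":
    print(json.dumps(tag_protection_policy(TRUSTED), indent=2))
    print("managed (automated on): ", clusters_guardduty_manages(SAMPLE_CLUSTERS, True))
    print("managed (automated off):", clusters_guardduty_manages(SAMPLE_CLUSTERS, False))
```

Save the printed JSON to a file and attach it with aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://policy.json and aws organizations attach-policy; apply the tags themselves with aws eks tag-resource --resource-arn <cluster-arn> --tags GuardDutyManaged=false (or true). Run clusters_guardduty_manages against your real inventory before enabling Automated agent configuration: the note in the procedure above holds because any cluster missing the exclusion tag at that moment gets the agent.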

Manage the GuardDuty security agent manually

  1. Keep the Runtime Monitoring configuration the same as configured in the previous step. Make sure that you don't enable Runtime Monitoring - Automated agent configuration for any of the selected accounts.

  2. Choose Confirm.

  3. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.