Managing security agent manually for Amazon EKS cluster - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing security agent manually for Amazon EKS cluster

This section describes how you can manage your Amazon EKS add-on agent (GuardDuty agent) after you enable Runtime Monitoring. To use Runtime Monitoring, you must enable Runtime Monitoring and configure the Amazon EKS add-on, aws-guardduty-agent. Performing only one of these two steps will not help GuardDuty detect potential threats or generate findings.

Prerequisites to deploying GuardDuty security agent

This section describes the prerequisites to deploying GuardDuty security agent for your EKS clusters manually. Before proceeding, make sure you have already configured Runtime Monitoring for your accounts. The GuardDuty security agent (EKS add-on) will not work if you don't configure Runtime Monitoring. For more information, see Enabling GuardDuty Runtime Monitoring. After you complete the following steps, see Deploying GuardDuty security agent.

Choose your preferred access method to create an Amazon VPC endpoint.

Console
Create VPC endpoint
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, under Virtual private cloud, choose Endpoints.

  3. Choose Create Endpoint.

  4. On the Create endpoint page, for Service category, choose Other endpoint services.

  5. For Service name, enter com.amazonaws.us-east-1.guardduty-data.

    Replace us-east-1 with the Region of the EKS cluster in your Amazon Web Services account; the endpoint and the cluster must be in the same Region.

  6. Choose Verify service.

  7. After the service name is verified, choose the VPC in which your cluster resides. Attach the following endpoint policy to restrict use of the VPC endpoint to the specified account only. The policy allows everything and then explicitly denies any principal whose account does not match, so the Deny is what enforces the restriction. To allow specific accounts, or all accounts in your organization, instead of a single account, see Organization condition to restrict access to your endpoint below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "*",
          "Resource": "*",
          "Effect": "Allow",
          "Principal": "*"
        },
        {
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalAccount": "111122223333"
            }
          },
          "Action": "*",
          "Resource": "*",
          "Effect": "Deny",
          "Principal": "*"
        }
      ]
    }

    The aws:PrincipalAccount account ID must match the account containing the VPC and VPC endpoint. The following list shows how to share the VPC endpoint with other Amazon Web Services account IDs:

    Organization condition to restrict access to your endpoint
    • To specify multiple accounts to access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following:

      "aws:PrincipalAccount": [ "666666666666", "555555555555" ]
    • To allow all the members from an organization to access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following:

      "aws:PrincipalOrgID": "o-abcdef0123"
    • To restrict accessing a resource to an organization ID, add your ResourceOrgID to the policy.

      For more information, see ResourceOrgID.

      "aws:ResourceOrgID": "o-abcdef0123"
  8. Under Additional settings, choose Enable DNS name.

  9. Under Subnets, choose the subnets in which your cluster resides.

  10. Under Security groups, choose a security group that allows inbound TCP port 443 from your VPC CIDR (or from your EKS cluster security group). If you don't already have such a security group, Create a security group.

    If restricting the inbound rule to your VPC (or cluster) causes connectivity problems, you can allow inbound port 443 from any IP address (0.0.0.0/0). An interface endpoint is reachable only from networks routed into the VPC, so this is less exposed than it looks, but prefer the VPC CIDR or the cluster security group as the source and narrow the rule again once the agent reports healthy coverage.

API/CLI
  • Invoke CreateVpcEndpoint.

  • Use the following values for the parameters:

    • For ServiceName, enter com.amazonaws.us-east-1.guardduty-data.

      Replace us-east-1 with the Region of the EKS cluster in your Amazon Web Services account; the endpoint and the cluster must be in the same Region.

    • Enable private DNS by setting PrivateDnsEnabled to true (--private-dns-enabled in the Amazon CLI), so that the Regional guardduty-data hostname resolves to the endpoint from inside the VPC.
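The endpoint policy above relies on an Allow-everything statement paired with a Deny that fires whenever the caller's account (or organization) is not on the list. The following added example, which is not part of the AWS documentation, builds that policy for one or more accounts or for an organization and then evaluates it the way IAM does (explicit Deny wins; a negated operator such as StringNotEquals on a key that is absent from the request context evaluates to true, so the Deny still applies). The account and organization IDs are placeholders.

```python
"""Build and evaluate a GuardDuty VPC endpoint policy (added example)."""
import json
import re
from typing import Iterable, Optional


def build_endpoint_policy(account_ids: Optional[Iterable[str]] = None,
                          org_id: Optional[str] = None) -> dict:
    """Return the Allow-all + Deny-unless policy restricted to account_ids
    (aws:PrincipalAccount) or to one organization (aws:PrincipalOrgID)."""
    if bool(account_ids) == bool(org_id):
        raise ValueError("pass either account_ids or org_id, not both")
    if org_id:
        if not re.fullmatch(r"o-[a-z0-9]{10,32}", org_id):
            raise ValueError(f"malformed organization ID {org_id!r}")
        condition = {"aws:PrincipalOrgID": org_id}
    else:
        accounts = sorted(set(account_ids))
        bad = [a for a in accounts if not re.fullmatch(r"\d{12}", a)]
        if bad:
            raise ValueError(f"malformed account IDs: {bad}")
        condition = {"aws:PrincipalAccount": accounts}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"},
            {"Condition": {"StringNotEquals": condition},
             "Action": "*", "Resource": "*", "Effect": "Deny", "Principal": "*"},
        ],
    }


def _condition_matches(operator: str, block: dict, context: dict) -> bool:
    """Evaluate one condition block against the request context.
    Only the operators this policy can contain are handled."""
    for key, wanted in block.items():
        wanted = [wanted] if isinstance(wanted, str) else list(wanted)
        actual = context.get(key)
        if operator == "StringEquals":
            if actual is None or actual not in wanted:
                return False
        elif operator == "StringNotEquals":
            # IAM: a negated operator on a missing key evaluates to true,
            # so an unauthenticated or unexpected caller is still denied.
            if actual is not None and actual in wanted:
                return False
        else:
            raise ValueError(f"unsupported operator {operator}")
    return True


def is_allowed(policy: dict, context: dict) -> bool:
    """Decide a request described by its condition keys, e.g.
    {"aws:PrincipalAccount": "111122223333"}. Deny overrides Allow;
    without a matching Allow the request is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {})
        if not all(_condition_matches(op, blk, context) for op, blk in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_endpoint_policy(account_ids=["111122223333", "444455556666"])
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, {"aws:PrincipalAccount": "111122223333"}))  # True
    print(is_allowed(policy, {"aws:PrincipalAccount": "999999999999"}))  # False
```

Paste the JSON that build_endpoint_policy prints into the Policy field of the endpoint; the evaluator is only there to let you check, before you attach it, which callers a given account list or organization ID admits.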

Configure GuardDuty security agent (add-on) parameters for Amazon EKS

You can configure specific parameters of your GuardDuty security agent for Amazon EKS. This support is available for GuardDuty security agent version 1.5.0 and above. For information about latest add-on versions, see GuardDuty security agent for Amazon EKS clusters.

Why should I update the security agent configuration schema

Configuration schema for the GuardDuty security agent is the same across all containers within your Amazon EKS clusters. When the default values do not align with the associated workloads and instance size, consider configuring the CPU settings, memory settings, PriorityClass, and dnsPolicy settings. Regardless of how you manage the GuardDuty agent for your Amazon EKS clusters, you can configure or update the existing configuration of these parameters.

Automated agent configuration behavior with configured parameters

When GuardDuty manages the security agent (EKS add-on) on your behalf, it updates the add-on as needed and sets the configurable parameters to their default values. You can still update the parameters to the values you want. If a later update conflicts with a value you changed, the default resolveConflicts option is None, which means Amazon EKS does not change the value you set and the update might fail; choose a different conflict resolution method explicitly if you want other behavior.

Configurable parameters and values

For the steps to configure the add-on parameters, see Deploying GuardDuty security agent later on this page.

The following tables provide the ranges and values that you can use to deploy the Amazon EKS add-on manually or update the existing add-on settings. The configurable range applies to both the request and the limit of each resource.

CPU settings

  Parameter   Default value   Configurable range
  Requests    200m            Between 200m and 10000m, both inclusive
  Limits      1000m           Between 200m and 10000m, both inclusive

Memory settings

  Parameter   Default value   Configurable range
  Requests    256Mi           Between 256Mi and 20000Mi, both inclusive
  Limits      1024Mi          Between 256Mi and 20000Mi, both inclusive

PriorityClass settings

When GuardDuty creates an Amazon EKS add-on for you, the assigned PriorityClass is aws-guardduty-agent.priorityclass. Its preemptionPolicy is Never, so scheduling the agent pod does not evict lower-priority pods. You can configure this add-on parameter by choosing one of the following PriorityClass options:

  Configurable PriorityClass               preemptionPolicy      preemptionPolicy description                                        Priority value
  aws-guardduty-agent.priorityclass        Never                 No action                                                           1000000
  aws-guardduty-agent.priorityclass-high   PreemptLowerPriority  Preempts pods whose priority value is lower than the agent pod's    100000000
  system-cluster-critical (1)              PreemptLowerPriority  Preempts pods whose priority value is lower than the agent pod's    2000000000
  system-node-critical (1)                 PreemptLowerPriority  Preempts pods whose priority value is lower than the agent pod's    2000001000

(1) Kubernetes provides these two PriorityClass options, system-cluster-critical and system-node-critical. For more information, see PriorityClass in the Kubernetes documentation.

dnsPolicy settings

Choose one of the following DNS policy options that Kubernetes supports. When no configuration is specified, ClusterFirst is used as the default value.

  • ClusterFirst

  • ClusterFirstWithHostNet

  • Default

For information about these policies, see Pod's DNS Policy in the Kubernetes documentation.

Deploying GuardDuty security agent

This section describes how you can deploy the GuardDuty security agent for the first time for specific EKS clusters. Before you proceed with this section, make sure you have already set up the prerequisites and enabled Runtime Monitoring for your accounts. The GuardDuty security agent (EKS add-on) will not work if you do not enable Runtime Monitoring.

Choose your preferred access method to deploy the GuardDuty security agent for the first time.

Console
  1. Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters.

  2. Choose your Cluster name.

  3. Choose the Add-ons tab.

  4. Choose Get more add-ons.

  5. On the Select add-ons page, choose Amazon GuardDuty Runtime Monitoring.

  6. On the Configure selected add-on settings page, use the default settings. If the Status of your EKS add-on is Requires activation, choose Activate GuardDuty. This action will open the GuardDuty console to configure Runtime Monitoring for your accounts.

  7. After you've configured Runtime Monitoring for your accounts, switch back to the Amazon EKS console. The Status of your EKS add-on should have changed to Ready to install.

  8. (Optional) Providing EKS add-on configuration schema

    For the add-on Version, if you choose v1.5.0 and above, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For information about parameter ranges, see Configure EKS add-on parameters.

    1. Expand Optional configuration settings to view the configurable parameters and their expected value and format.

    2. Set the parameters. The values must be in the range provided in Configure EKS add-on parameters.

    3. Choose Save changes to create the add-on based on the advanced configuration.

    4. For Conflict resolution method, the option that you choose will be used to resolve a conflict when you update the value of a parameter to a non-default value. For more information about the listed options, see resolveConflicts in the Amazon EKS API Reference.

  9. Choose Next.

  10. On the Review and create page, verify all the details, and choose Create.

  11. Navigate back to the cluster details and choose the Resources tab.

  12. You can view the new pods with the prefix aws-guardduty-agent.

API/CLI

You can configure the Amazon EKS add-on agent (aws-guardduty-agent) with the CreateAddon API:

  • Run CreateAddon for your account.

    Note

    For the add-on version, if you choose v1.5.0 and above, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For more information, see Configure EKS add-on parameters.

    Use the following values for the request parameters:

    • For addonName, enter aws-guardduty-agent.

      You can use the following Amazon CLI example when using configurable values supported for add-on versions v1.5.0 and above. Replace the placeholder values (Region, cluster name, and add-on version) and the contents of example.json with your own.

      aws eks create-addon \
        --region us-east-1 \
        --cluster-name myClusterName \
        --addon-name aws-guardduty-agent \
        --addon-version v1.5.0-eksbuild.1 \
        --configuration-values 'file://example.json'

      example.json:

      {
        "priorityClassName": "aws-guardduty-agent.priorityclass-high",
        "dnsPolicy": "Default",
        "resources": {
          "requests": {
            "cpu": "237m",
            "memory": "512Mi"
          },
          "limits": {
            "cpu": "2000m",
            "memory": "2048Mi"
          }
        }
      }

    • For information about supported addonVersion, see Kubernetes versions supported by GuardDuty security agent.

Verifying configuration schema updates

After you have configured the parameters, perform the following steps to verify that the configuration schema has been updated:

  1. Open the Amazon EKS console at https://console.amazonaws.cn/eks/home#/clusters.

  2. In the navigation pane, choose Clusters.

  3. On the Clusters page, select the Cluster name for which you want to verify the updates.

  4. Choose the Resources tab.

  5. From the Resource types pane, under Workloads, choose DaemonSets.

  6. Select aws-guardduty-agent.

  7. On the aws-guardduty-agent page, choose Raw view to view the unformatted JSON response. Verify that the configurable parameters display the value that you provided. Kubernetes canonicalizes resource quantities, so a limit you set as 2000m is shown as 2 and 2048Mi as 2Gi; compare the values numerically rather than as strings.

After you verify, switch to the GuardDuty console. Select the corresponding Amazon Web Services Region and view the coverage status for your Amazon EKS clusters. For more information, see Coverage for Amazon EKS clusters.
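The two checks that this page asks you to do by hand, keeping the add-on configuration inside the documented ranges (see Configure GuardDuty security agent (add-on) parameters for Amazon EKS) and confirming that the running DaemonSet reflects it, can be scripted. The following added example is not AWS code and not part of the add-on: validate_config applies the documented CPU, memory, PriorityClass and dnsPolicy constraints (plus the Kubernetes rule that a request may not exceed its limit) to the example.json from the deployment step, and daemonset_mismatches compares that configuration with a constructed, trimmed sample of what kubectl get daemonset aws-guardduty-agent -n amazon-guardduty -o json returns, comparing quantities numerically because the API server serves them back canonicalized. The namespace and the container name in the sample are assumptions.

```python
"""Validate GuardDuty EKS add-on settings and check the deployed DaemonSet.
Added example; ranges and allowed values are the ones documented above."""
import re

CPU_MIN_M, CPU_MAX_M = 200, 10000      # millicores, both inclusive
MEM_MIN_MI, MEM_MAX_MI = 256, 20000    # MiB, both inclusive
PRIORITY_CLASSES = {"aws-guardduty-agent.priorityclass",
                    "aws-guardduty-agent.priorityclass-high",
                    "system-cluster-critical", "system-node-critical"}
DNS_POLICIES = {"ClusterFirst", "ClusterFirstWithHostNet", "Default"}
_MEM_FACTORS = {"Ki": 1 / 1024, "Mi": 1, "Gi": 1024, "Ti": 1024 ** 2, None: 1 / 2 ** 20}


def cpu_millicores(q: str) -> int:
    """Parse a Kubernetes CPU quantity ("237m", "2", "0.5") into millicores."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m?)", q.strip())
    if not m:
        raise ValueError(f"bad cpu quantity {q!r}")
    value, unit = m.groups()
    return int(round(float(value) * (1 if unit else 1000)))


def memory_mib(q: str) -> int:
    """Parse a binary-suffix memory quantity ("512Mi", "2Gi") or plain bytes into MiB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti)?", q.strip())
    if not m:
        raise ValueError(f"bad memory quantity {q!r}")
    value, unit = m.groups()
    return int(round(float(value) * _MEM_FACTORS[unit]))


def validate_config(cfg: dict) -> list:
    """Return the problems found in an add-on configuration (empty list = OK)."""
    problems = []
    pc, dp = cfg.get("priorityClassName"), cfg.get("dnsPolicy")
    if pc is not None and pc not in PRIORITY_CLASSES:
        problems.append(f"priorityClassName {pc!r} is not an allowed class")
    if dp is not None and dp not in DNS_POLICIES:
        problems.append(f"dnsPolicy {dp!r} is not supported")
    parsed = {}
    for kind in ("requests", "limits"):
        block = cfg.get("resources", {}).get(kind, {})
        if "cpu" in block:
            parsed[kind, "cpu"] = mc = cpu_millicores(block["cpu"])
            if not CPU_MIN_M <= mc <= CPU_MAX_M:
                problems.append(f"{kind}.cpu {block['cpu']} outside {CPU_MIN_M}m-{CPU_MAX_M}m")
        if "memory" in block:
            parsed[kind, "memory"] = mi = memory_mib(block["memory"])
            if not MEM_MIN_MI <= mi <= MEM_MAX_MI:
                problems.append(f"{kind}.memory {block['memory']} outside {MEM_MIN_MI}Mi-{MEM_MAX_MI}Mi")
    for res in ("cpu", "memory"):  # Kubernetes itself rejects request > limit
        if ("requests", res) in parsed and ("limits", res) in parsed \
                and parsed["requests", res] > parsed["limits", res]:
            problems.append(f"{res} request exceeds its limit")
    return problems


def daemonset_mismatches(cfg: dict, daemonset: dict) -> list:
    """Fields of the running DaemonSet that differ from cfg. Quantities are
    compared numerically: the API server canonicalises them, so 2000m comes
    back as "2" and 2048Mi as "2Gi"."""
    spec = daemonset["spec"]["template"]["spec"]
    agent = next(c for c in spec["containers"] if c["name"] == "aws-guardduty-agent")
    bad = []
    for field in ("priorityClassName", "dnsPolicy"):
        if field in cfg and spec.get(field) != cfg[field]:
            bad.append(field)
    for kind in ("requests", "limits"):
        want = cfg.get("resources", {}).get(kind, {})
        have = agent.get("resources", {}).get(kind, {})
        if "cpu" in want and cpu_millicores(have.get("cpu", "0")) != cpu_millicores(want["cpu"]):
            bad.append(f"{kind}.cpu")
        if "memory" in want and memory_mib(have.get("memory", "0")) != memory_mib(want["memory"]):
            bad.append(f"{kind}.memory")
    return bad


EXAMPLE_CONFIG = {  # the example.json used in the deployment step above
    "priorityClassName": "aws-guardduty-agent.priorityclass-high",
    "dnsPolicy": "Default",
    "resources": {"requests": {"cpu": "237m", "memory": "512Mi"},
                  "limits": {"cpu": "2000m", "memory": "2048Mi"}},
}

SAMPLE_DAEMONSET = {  # constructed sample (namespace/container name assumed)
    "kind": "DaemonSet",
    "metadata": {"name": "aws-guardduty-agent", "namespace": "amazon-guardduty"},
    "spec": {"template": {"spec": {
        "priorityClassName": "aws-guardduty-agent.priorityclass-high",
        "dnsPolicy": "Default",
        "containers": [{"name": "aws-guardduty-agent",
                        "resources": {"requests": {"cpu": "237m", "memory": "512Mi"},
                                      "limits": {"cpu": "2", "memory": "2Gi"}}}],
    }}},
}

if __name__ == "__main__":
    print("config problems:", validate_config(EXAMPLE_CONFIG))
    print("daemonset mismatches:", daemonset_mismatches(EXAMPLE_CONFIG, SAMPLE_DAEMONSET))
```

Run validate_config on your example.json before calling create-addon, since an out-of-range value is rejected only at deployment time, and feed the real kubectl output to daemonset_mismatches after the add-on reports Active; an empty list from both is the scripted equivalent of the Raw view check above.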