

# Migrating from EKS Runtime Monitoring to Runtime Monitoring


With the launch of GuardDuty Runtime Monitoring, threat detection coverage has been expanded to Amazon ECS containers and Amazon EC2 instances. The EKS Runtime Monitoring experience has now been consolidated into Runtime Monitoring. You can enable Runtime Monitoring and manage individual GuardDuty security agents for each resource type (Amazon EC2 instance, Amazon ECS cluster, and Amazon EKS cluster) for which you want to monitor the runtime behavior.

GuardDuty has consolidated the console experience for EKS Runtime Monitoring into Runtime Monitoring. GuardDuty recommends [Checking EKS Runtime Monitoring configuration status](checking-eks-runtime-monitoring-enable-status.md) and [Migrating from EKS Runtime Monitoring to Runtime Monitoring](#migrating-from-eksrunmon-to-runtime-monitoring).

As a part of migrating to Runtime Monitoring, make sure to [disable EKS Runtime Monitoring](disabling-eks-runtime-monitoring.md). This is important because if you later choose to disable Runtime Monitoring and you have not disabled EKS Runtime Monitoring, you will continue to incur usage costs for EKS Runtime Monitoring.

**To migrate from EKS Runtime Monitoring to Runtime Monitoring**

1. The GuardDuty console supports EKS Runtime Monitoring as a part of Runtime Monitoring. 

   You can start using Runtime Monitoring by [Checking EKS Runtime Monitoring configuration status](checking-eks-runtime-monitoring-enable-status.md) of your organization and accounts.

   Do not disable EKS Runtime Monitoring before you enable Runtime Monitoring. If you disable EKS Runtime Monitoring, the Amazon EKS add-on management is also disabled. Continue with the following steps in the listed order.

1. Make sure you meet all the [Prerequisites to enabling Runtime Monitoring](runtime-monitoring-prerequisites.md).

1. Enable Runtime Monitoring by replicating the same organization configuration settings for Runtime Monitoring as you have for EKS Runtime Monitoring. For more information, see [Enabling Runtime Monitoring](runtime-monitoring-configuration.md). 
   + If you have a standalone account, you need to enable Runtime Monitoring.

     If your GuardDuty security agent is deployed already, the corresponding settings are replicated automatically and you don't need to configure the settings again.
   + If you have an organization with auto-enablement settings, make sure to replicate the same auto-enablement settings for Runtime Monitoring.
   + If you have an organization with settings configured for existing active member accounts individually, make sure to enable Runtime Monitoring and configure the GuardDuty security agent for these members individually.

1. After you have ensured that the Runtime Monitoring and GuardDuty security agent settings are correct, [disable EKS Runtime Monitoring](https://docs.amazonaws.cn/guardduty/latest/ug/disabling-eks-runtime-monitoring.html) by using either the API or the Amazon CLI command. 

1. (Optional) If you want to clean up any resources associated with the GuardDuty security agent, see [Disabling, uninstalling, and cleaning up resources in Runtime Monitoring](runtime-monitoring-agent-resource-clean-up.md).

If you want to continue using EKS Runtime Monitoring without enabling Runtime Monitoring, see [EKS Runtime Monitoring in GuardDuty](eks-runtime-monitoring-guardduty.md). Based on your use case, choose the steps to configure EKS Runtime Monitoring for a standalone account or for multiple member accounts.

# Checking EKS Runtime Monitoring configuration status


Use the following APIs or Amazon CLI commands to check the existing configuration status of EKS Runtime Monitoring. 

**To check existing EKS Runtime Monitoring configuration status in your account**
+ Run [GetDetector](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_GetDetector.html) to check the configuration status of your own account.
+ Alternatively, you can run the following command by using Amazon CLI:

  ```
  aws guardduty get-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --region us-east-1
  ```

  Make sure to replace the detector ID with the detector ID of your Amazon Web Services account and the Region with your current Region. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API.

**To check existing EKS Runtime Monitoring configuration status for your organization (as a delegated GuardDuty administrator account only)**
+ Run [DescribeOrganizationConfiguration](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html) to check the configuration status of your organization.

  Alternatively, you can run the following command using Amazon CLI:

  ```
  aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --region us-east-1
  ```

  Make sure to replace the detector ID with the detector ID of your delegated GuardDuty administrator account and the Region with your current Region. To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API.
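The following added example (not part of the GuardDuty documentation) compares the `Features` list returned by the two commands above and reports any EKS Runtime Monitoring setting that has not yet been replicated to `RUNTIME_MONITORING`, which is the condition to confirm before disabling EKS Runtime Monitoring. The function name `migration_gaps` and both JSON samples are constructed for illustration.

```python
import json

# Constructed sample, shaped like `aws guardduty get-detector` output (not real data).
DETECTOR = json.loads("""
{"Status": "ENABLED", "Features": [
  {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
   "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]},
  {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
   "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]}
]}
""")

# Constructed sample, shaped like `describe-organization-configuration` output.
ORG = json.loads("""
{"Features": [
  {"Name": "EKS_RUNTIME_MONITORING", "AutoEnable": "ALL",
   "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": "ALL"}]},
  {"Name": "RUNTIME_MONITORING", "AutoEnable": "NEW",
   "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": "ALL"}]}
]}
""")


def _settings(response, key):
    """Map feature name -> (value, {additional-configuration name: value})."""
    return {
        f["Name"]: (f.get(key), {c["Name"]: c.get(key)
                                 for c in f.get("AdditionalConfiguration", [])})
        for f in response.get("Features", [])
    }


def migration_gaps(response, key="Status", off="DISABLED"):
    """Return EKS Runtime Monitoring settings not yet replicated to Runtime Monitoring."""
    # For describe-organization-configuration output pass key="AutoEnable", off="NONE".
    feats = _settings(response, key)
    eks, eks_extra = feats.get("EKS_RUNTIME_MONITORING", (off, {}))
    rm, rm_extra = feats.get("RUNTIME_MONITORING", (off, {}))
    if eks in (None, off):
        return []  # EKS Runtime Monitoring is not in use; nothing to replicate
    gaps = []
    if rm != eks:
        gaps.append(f"RUNTIME_MONITORING {key} is {rm}, expected {eks}")
    addon = eks_extra.get("EKS_ADDON_MANAGEMENT")
    if addon not in (None, off) and rm_extra.get("EKS_ADDON_MANAGEMENT") != addon:
        gaps.append(f"RUNTIME_MONITORING EKS_ADDON_MANAGEMENT {key} is "
                    f"{rm_extra.get('EKS_ADDON_MANAGEMENT')}, expected {addon}")
    return gaps
```

An empty list means the settings match. To check a live account, parse the CLI's JSON output with `json.load` and pass the result to `migration_gaps`.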

# Disabling EKS Runtime Monitoring after migrating to Runtime Monitoring

After you have ensured that the existing settings for your account or organization have been replicated to Runtime Monitoring, you can disable EKS Runtime Monitoring.

**To disable EKS Runtime Monitoring**
+ **To disable EKS Runtime Monitoring in your own account**

  Run the [UpdateDetector](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateDetector.html) API with your own regional *detector-id*.

  Alternatively, you can use the following Amazon CLI command. Replace *12abc34d567e8fa901bc2d34e56789f0* with your own regional *detector-id*.

  ```
  aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
  ```
+ **To disable EKS Runtime Monitoring for member accounts in your organization**

  Run the [UpdateMemberDetectors](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API with the regional *detector-id* of the delegated GuardDuty administrator account of the organization. 

  Alternatively, you can use the following Amazon CLI command. Replace *12abc34d567e8fa901bc2d34e56789f0* with the regional *detector-id* of the delegated GuardDuty administrator account of the organization and *111122223333* with the Amazon Web Services account ID of the member account for which you want to disable this feature.

  ```
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
  ```
+ **To update EKS Runtime Monitoring auto-enable settings for your organization**

  Perform the following step only if you have configured the EKS Runtime Monitoring auto-enablement settings to either new (`NEW`) or all (`ALL`) member accounts in the organization. If you had already configured it as `NONE`, then you can skip this step.
  **Note**  
  Setting the EKS Runtime Monitoring auto-enable configuration to `NONE` means that EKS Runtime Monitoring will not be enabled automatically for any existing member account or when a new member account joins your organization.

  Run the [UpdateOrganizationConfiguration](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) API with the regional *detector-id* of the delegated GuardDuty administrator account of the organization. 

  Alternatively, you can use the following Amazon CLI command. Replace *12abc34d567e8fa901bc2d34e56789f0* with the regional *detector-id* of the delegated GuardDuty administrator account of the organization. Replace *EXISTING_VALUE* with your current configuration for auto-enabling GuardDuty.

  ```
  aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members EXISTING_VALUE --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NONE"}]'
  ```