Prerequisites for Amazon Fargate (Amazon ECS only) support
Validating architectural requirements
The platform that you use may affect how the GuardDuty security agent supports GuardDuty in receiving runtime events from your Amazon ECS clusters. You must validate that you're using one of the verified platforms.
- Initial considerations: The Amazon Fargate (Fargate) platform for your Amazon ECS clusters must be Linux. The corresponding platform version must be at least 1.4.0, or LATEST. For more information about the platform versions, see Linux platform versions in the Amazon Elastic Container Service Developer Guide. The Windows platform versions are not yet supported.
Verified platforms
The OS distribution and CPU architecture affect the support provided by the GuardDuty security agent. The following table shows the verified configurations for deploying the GuardDuty security agent and configuring Runtime Monitoring.
OS distribution | Kernel support | CPU architecture: x64 (AMD64) | CPU architecture: Graviton (ARM64)
---|---|---|---
Linux | eBPF, Tracepoints, Kprobe | Supported | Supported
Provide ECR permissions and subnet details
Before enabling Runtime Monitoring, you must provide the following details:
- Provide a task execution role with permissions: The task execution role requires certain Amazon Elastic Container Registry (Amazon ECR) permissions. You can either use the AmazonECSTaskExecutionRolePolicy managed policy or add the following permissions to your TaskExecutionRole policy:

```json
...
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
...
```
To further restrict the Amazon ECR permissions, you can add the Amazon ECR repository URI that hosts the GuardDuty security agent for Amazon Fargate (Amazon ECS only). For more information, see Repository for GuardDuty agent on Amazon Fargate (Amazon ECS only).
- Provide subnet details in task definition: You can either provide the public subnets as an input in your task definition or create an Amazon ECR VPC endpoint.
  - Using task definition option – Running the CreateService and UpdateService APIs in the Amazon Elastic Container Service API Reference requires you to pass the subnet information. For more information, see Amazon ECS task definitions in the Amazon Elastic Container Service Developer Guide.
  - Using the Amazon ECR VPC endpoint option – Provide a network path to Amazon ECR. Ensure that the Amazon ECR repository URI that hosts the GuardDuty security agent is network accessible. If your Fargate tasks will run in a private subnet, then Fargate will need a network path to download the GuardDuty container. For information about enabling Fargate to download the GuardDuty container, see Using Amazon ECR with Amazon ECS in the Amazon Elastic Container Service Developer Guide.
CPU and memory limits
In the Fargate task definition, you must specify the CPU and memory value at the task level. The following table shows the valid combinations of task-level CPU and memory values, and the corresponding GuardDuty security agent maximum memory limit for the GuardDuty container.
CPU value | Memory value | GuardDuty agent maximum memory limit
---|---|---
256 (.25 vCPU) | 512 MiB, 1 GB, 2 GB | 128 MB
512 (.5 vCPU) | 1 GB, 2 GB, 3 GB, 4 GB | 128 MB
1024 (1 vCPU) | 2 GB, 3 GB, 4 GB | 128 MB
1024 (1 vCPU) | 5 GB, 6 GB, 7 GB, 8 GB | 128 MB
2048 (2 vCPU) | Between 4 GB and 16 GB in 1 GB increments | 128 MB
4096 (4 vCPU) | Between 8 GB and 20 GB in 1 GB increments | 128 MB
8192 (8 vCPU) | Between 16 GB and 28 GB in 4 GB increments | 256 MB
8192 (8 vCPU) | Between 32 GB and 60 GB in 4 GB increments | 512 MB
16384 (16 vCPU) | Between 32 GB and 120 GB in 8 GB increments | 1 GB
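A pre-flight check that encodes the prerequisites on this page (Linux platform at version 1.4.0 or later or LATEST, a valid task-level CPU/memory pair with its agent memory limit from the table above, and the four Amazon ECR actions on the task execution role). This is an added example, not AWS code: `cpu`, `memory` and `runtimePlatform.operatingSystemFamily` are the ECS task definition fields (memory assumed as a numeric MiB string), and `role_actions` is an assumed pre-extracted list of IAM actions already allowed on the execution role.

```python
from typing import Dict, Iterable, List, Optional

GB = 1024  # ECS memory is in MiB; rows are (cpu, valid memory values, agent max memory limit in MB)
_TABLE = [
    (256, [512, 1 * GB, 2 * GB], 128),
    (512, [1 * GB, 2 * GB, 3 * GB, 4 * GB], 128),
    (1024, list(range(2 * GB, 8 * GB + 1, GB)), 128),
    (2048, list(range(4 * GB, 16 * GB + 1, GB)), 128),
    (4096, list(range(8 * GB, 20 * GB + 1, GB)), 128),
    (8192, list(range(16 * GB, 28 * GB + 1, 4 * GB)), 256),
    (8192, list(range(32 * GB, 60 * GB + 1, 4 * GB)), 512),
    (16384, list(range(32 * GB, 120 * GB + 1, 8 * GB)), 1024),
]
MIN_PLATFORM = (1, 4, 0)
ECR_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
               "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}  # needed to pull the agent image

def agent_memory_limit_mb(cpu: int, memory_mib: int) -> Optional[int]:
    """Agent maximum memory limit (MB) for a valid CPU/memory pair, else None."""
    for table_cpu, memories, limit in _TABLE:
        if cpu == table_cpu and memory_mib in memories:
            return limit
    return None

def platform_version_ok(version: str) -> bool:
    """True for LATEST or a dotted version of at least 1.4.0 (short forms such as 1.4 are padded)."""
    if version == "LATEST":
        return True
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return False
    return (parts + (0, 0, 0))[:3] >= MIN_PLATFORM

def check_task(task_def: Dict, platform_version: str, role_actions: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the prerequisites above are met."""
    findings = []
    os_family = task_def.get("runtimePlatform", {}).get("operatingSystemFamily", "LINUX")
    if os_family != "LINUX":
        findings.append(f"platform {os_family} is not Linux; Windows is not supported")
    if not platform_version_ok(platform_version):
        findings.append(f"platform version {platform_version} is below 1.4.0")
    cpu, mem = int(task_def["cpu"]), int(task_def["memory"])
    if agent_memory_limit_mb(cpu, mem) is None:
        findings.append(f"cpu={cpu} with memory={mem} MiB is not a valid task-level pair")
    missing = ECR_ACTIONS - set(role_actions)
    if missing:
        findings.append("execution role lacks " + ", ".join(sorted(missing)))
    return findings
```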
After you enable Runtime Monitoring and confirm that the coverage status of your cluster is Healthy, you can set up and view the Container Insights metrics. For more information, see Setting up monitoring on Amazon ECS cluster.
The next step is to configure Runtime Monitoring and also configure the security agent.