# Disabling, uninstalling, and cleaning up resources in Runtime Monitoring

This section applies to your Amazon Web Services account if you choose to disable Runtime Monitoring, or only GuardDuty automated agent configuration for a resource type.

**Disabling GuardDuty automated agent configuration**  
GuardDuty doesn't remove the security agent that is deployed on your resource. However, GuardDuty will stop managing the updates to the security agent.  
GuardDuty continues to receive the runtime events from your resource type. To prevent an impact on your usage statistics, make sure to remove the GuardDuty security agent from your resource.   
Whether or not an Amazon Web Services account uses a shared VPC endpoint, GuardDuty doesn't delete the VPC endpoint. If required, you will need to delete the VPC endpoint manually.

**Disabling Runtime Monitoring and EKS Runtime Monitoring**  
This section applies to you in the following scenarios:  
+ You never enabled EKS Runtime Monitoring separately, and you are now disabling Runtime Monitoring.
+ You are disabling both Runtime Monitoring and EKS Runtime Monitoring. If you're unsure about the configuration status of EKS Runtime Monitoring, see [Checking EKS Runtime Monitoring configuration status](checking-eks-runtime-monitoring-enable-status.md).
**Disabling Runtime Monitoring without disabling EKS Runtime Monitoring**  
In this scenario, at some point in time, you enabled EKS Runtime Monitoring, and later, also enabled Runtime Monitoring without disabling EKS Runtime Monitoring.  
Now, when you disable Runtime Monitoring, you will also need to disable EKS Runtime Monitoring; otherwise, you will continue incurring usage cost for EKS Runtime Monitoring.
If the previously listed scenarios apply to you, then GuardDuty will take the following actions in your account:  
+ GuardDuty deletes the VPC endpoint that has the `GuardDutyManaged`:`true` tag. This is the VPC endpoint that GuardDuty had created to manage the automated security agent.
+ GuardDuty deletes the security group that was tagged as `GuardDutyManaged`:`true`.
+ For a shared VPC that has been used by at least one participant account, GuardDuty neither deletes the VPC endpoint nor the security group associated with the shared VPC resource.
+ For an Amazon EKS resource, GuardDuty deletes the security agent. This is independent of whether the agent was managed manually or through GuardDuty.

  For an Amazon ECS resource, because an ECS task is immutable, GuardDuty can't uninstall the security agent from that resource. This is independent of how you manage the security agent – manually or automatically through GuardDuty. After you disable Runtime Monitoring, GuardDuty will not attach a sidecar container when a new ECS task starts running. For information about working with Fargate-ECS tasks, see [How Runtime Monitoring works with Fargate (Amazon ECS only)](how-runtime-monitoring-works-ecs-fargate.md).

  For an Amazon EC2 resource, GuardDuty uninstalls the security agent from all the Systems Manager (SSM) managed Amazon EC2 instances, but only from instances that meet both of the following conditions:
  + The resource is **not** tagged with the `GuardDutyManaged`:`false` exclusion tag.
  + GuardDuty has permission to access the tags in instance metadata. For this EC2 resource, **Access to tags in instance metadata** must be set to **Allow**.
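As an added check (not part of the GuardDuty documentation), the following Python applies the two EC2 conditions above to instance descriptions in the shape that EC2 `DescribeInstances` returns, so you can list the instances that will still carry the agent after Runtime Monitoring is disabled and must be cleaned up by hand. It assumes every instance passed in is already SSM managed, and the sample instances are constructed.

```python
# Added example, not from the GuardDuty documentation: given instance
# descriptions shaped like Reservations[].Instances[] from DescribeInstances,
# decide which instances GuardDuty would uninstall the agent from when
# Runtime Monitoring is disabled, and which ones need manual removal.
# Assumption: every instance listed here is already SSM managed.
from typing import Dict, Iterable, List, Optional

# Constructed sample data; only the fields this check needs are filled in.
SAMPLE_INSTANCES: List[Dict] = [
    {"InstanceId": "i-0aaa1111aaaa1111a",
     "Tags": [{"Key": "Name", "Value": "web-1"}],
     "MetadataOptions": {"InstanceMetadataTags": "enabled"}},
    {"InstanceId": "i-0bbb2222bbbb2222b",      # carries the exclusion tag
     "Tags": [{"Key": "GuardDutyManaged", "Value": "false"}],
     "MetadataOptions": {"InstanceMetadataTags": "enabled"}},
    {"InstanceId": "i-0ccc3333cccc3333c",      # tags not exposed in metadata
     "Tags": [],
     "MetadataOptions": {"InstanceMetadataTags": "disabled"}},
]


def tag_value(instance: Dict, key: str) -> Optional[str]:
    """Return the value of tag `key`, or None when the tag is absent."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def guardduty_will_uninstall(instance: Dict) -> bool:
    """True only when both documented conditions hold: no GuardDutyManaged:false
    exclusion tag, and 'Access to tags in instance metadata' is Allow, which the
    API reports as MetadataOptions.InstanceMetadataTags == "enabled"."""
    excluded = (tag_value(instance, "GuardDutyManaged") or "").lower() == "false"
    metadata_opts = instance.get("MetadataOptions", {})
    tags_in_metadata = metadata_opts.get("InstanceMetadataTags") == "enabled"
    return not excluded and tags_in_metadata


def manual_cleanup_needed(instances: Iterable[Dict]) -> List[str]:
    """IDs of instances that keep the agent (and keep sending runtime events)
    after you disable Runtime Monitoring, until you uninstall it yourself."""
    return [i["InstanceId"] for i in instances if not guardduty_will_uninstall(i)]


if __name__ == "__main__":
    for iid in manual_cleanup_needed(SAMPLE_INSTANCES):
        print(f"{iid}: remove amazon-guardduty-agent manually")
```

Feed it the real `DescribeInstances` output filtered to SSM-managed instances to get the list of hosts to visit with Method 1 or Method 2 below.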

**When you stop managing the security agent manually**  
Regardless of which approach you use to deploy and manage the GuardDuty security agent, to stop monitoring the runtime events in your resource, you must remove the GuardDuty security agent. When you want to stop monitoring the runtime events from a resource type in an account, you may also delete the Amazon VPC endpoint.

# Uninstalling the security agent manually for Amazon EC2 resources

This section provides methods to uninstall the GuardDuty security agent from your Amazon EC2 resources. When you manage the security agent manually, you're responsible for removing the agent from the resources. GuardDuty will not take any action on the resources that you manage.

If you created an Amazon VPC endpoint manually, then after you uninstall the security agent on all the monitored resource types in your account, you can choose to delete the VPC endpoint. This is a separate step. For more information, see [To delete a VPC endpoint](clean-up-guardduty-agent-resources-process.md#runtime-monitoring-delete-vpc-endpoint).

Based on how you installed the security agent in your resource, choose one of the following methods to uninstall it.

**Topics**
+ [Method 1 - By using the Run command](#remove-gdu-ec2-agent-run-command)
+ [Method 2 - By using Linux Package Managers](#remove-gdu-ec2-agent-rpm-script)

## Method 1 - By using the Run command

When you installed the security agent with [Method 1 - Using Amazon Systems Manager](installing-gdu-security-agent-ec2-manually.md#install-gdu-by-using-sys-runtime-monitoring), perform the following steps to uninstall the agent: 

**To uninstall the GuardDuty security agent**

1. You can uninstall the GuardDuty security agent by following the steps as specified in [Amazon Systems Manager Run Command](https://docs.amazonaws.cn/systems-manager/latest/userguide/run-command.html) in the *Amazon Systems Manager User Guide*. Use the Uninstall action in the parameters to uninstall the GuardDuty security agent.

   In the **Targets** section, make sure that the impact is only on those Amazon EC2 instances from which you want to uninstall the security agent. 

   Use the following GuardDuty document and distributor:
   + Document name: `AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin`
   + Distributor: `AmazonGuardDuty-RuntimeMonitoringSsmPlugin`

1. After providing all the details, when you choose **Run**, the security agent that was deployed on the targeted Amazon EC2 instances is removed.

   To remove the Amazon VPC endpoint configuration, you must disable both Runtime Monitoring and Amazon EKS Runtime Monitoring.

1. If you also want to delete the VPC endpoint that is associated with this security agent, then see [To delete a VPC endpoint](clean-up-guardduty-agent-resources-process.md#runtime-monitoring-delete-vpc-endpoint).

## Method 2 - By using Linux Package Managers

When you installed the security agent with [Method 2 - Using Linux Package Managers](installing-gdu-security-agent-ec2-manually.md#install-gdu-by-rpm-scripts-runtime-monitoring), perform the following steps to uninstall the agent:

**To uninstall the GuardDuty security agent**

1. Connect to your instance. For steps on how to do this, see [Connect to your Linux instance using an SSH client](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/connect-linux-inst-ssh.html) in the *Amazon EC2 User Guide*.

1. **Command to uninstall**

   The following command uninstalls the GuardDuty security agent from the Amazon EC2 instance to which you are connected:
   + For RPM:

     ```
     sudo rpm -e amazon-guardduty-agent
     ```
   + For Debian:

     ```
     sudo dpkg --purge amazon-guardduty-agent
     ```

   After you run the command, you can also check the logs associated with the command.

1. If you also want to delete the VPC endpoint that is associated with this security agent, then see [To delete a VPC endpoint](clean-up-guardduty-agent-resources-process.md#runtime-monitoring-delete-vpc-endpoint).

# Cleaning up security agent resources

This section explains how you can clean up the Amazon resources associated with the security agent. As listed in [Disabling, uninstalling, and resource cleanup](runtime-monitoring-agent-resource-clean-up.md), GuardDuty will not delete or remove all the security agent resources. The following section provides instructions on how you can delete the security agent resources.

**To delete Amazon VPC endpoint**  
When you manage the security agent manually, you may have created an Amazon VPC endpoint manually. After uninstalling the security agent for all the monitored resources in your account, you can choose to delete this VPC endpoint.  
The following list describes what to consider with and without a shared VPC.  
+ Without a shared VPC – When you no longer want to monitor a resource in an account, consider deleting the Amazon VPC endpoint.
+ With a shared VPC – When a shared VPC owner account deletes the shared VPC resource that was still being used, the Runtime Monitoring (and when applicable, EKS Runtime Monitoring) coverage status for the resources in your shared VPC owner account and the participating account might become unhealthy. For information about coverage status, see [Reviewing runtime coverage statistics and troubleshooting issues](runtime-monitoring-assessing-coverage.md).
For deleting the VPC endpoint, see [Delete an interface endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/delete-interface-endpoint.html) in the *Amazon PrivateLink Guide*.

**To delete the security group**  
+ Without a shared VPC – When you no longer want to monitor a resource type in an account, consider deleting the security group associated with the Amazon VPC.
+ With a shared VPC – When the shared VPC owner account deletes a security group that a participant account is still using with the shared VPC, the Runtime Monitoring coverage status for the resources in both the shared VPC owner account and the participant account might become unhealthy. For more information, see [Reviewing runtime coverage statistics and troubleshooting issues](runtime-monitoring-assessing-coverage.md).
For the steps, see [Delete an Amazon EC2 security group](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/deleting-security-group.html) in the *Amazon EC2 User Guide*.

**To remove GuardDuty security agent from an EKS cluster**  
To remove the security agent from your EKS cluster that you no longer want to monitor, see [Removing an Amazon EKS add-on from a cluster](https://docs.amazonaws.cn/eks/latest/userguide/removing-an-add-on.html) in the *Amazon EKS User Guide*.  
Removing the EKS add-on agent doesn't remove the `amazon-guardduty` namespace from the EKS cluster. To delete the `amazon-guardduty` namespace, see [Deleting a namespace](https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#deleting-a-namespace).

**To delete the `amazon-guardduty` namespace (EKS cluster)**   
Disabling Automated agent configuration doesn't automatically remove the `amazon-guardduty` namespace from your EKS cluster. To delete the `amazon-guardduty` namespace, see [Deleting a namespace](https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#deleting-a-namespace).