# Reviewing runtime coverage statistics and troubleshooting issues Runtime coverage issues and troubleshooting After you enable Runtime Monitoring and the GuardDuty security agent gets deployed to your resource, GuardDuty provides coverage statistics for the corresponding resource type and individual coverage status for the resources that belong to your account. Coverage status is determined by making sure that you have enabled Runtime Monitoring, your Amazon VPC endpoint has been created, and the GuardDuty security agent for the corresponding resource has been deployed. A **Healthy** coverage status indicates that when there is a runtime event related to your resource, GuardDuty is able to receive the said runtime event through the Amazon VPC endpoint, and monitor the behavior. If there was an issue at the time of configuring Runtime Monitoring, creating an Amazon VPC endpoint, or deploying the GuardDuty security agent, the coverage status appears as **Unhealthy**. When the coverage status is unhealthy, GuardDuty will not be able to receive or monitor the runtime behavior of the corresponding resource, or generate any Runtime Monitoring findings. The following topics will help you review coverage statistics, configure EventBridge notifications, and troubleshoot the coverage issues for a specific resource type. **Topics** + [ # Runtime coverage and troubleshooting for Amazon EC2 instance ](gdu-assess-coverage-ec2.md) + [ # Runtime coverage and troubleshooting for Amazon ECS clusters ](gdu-assess-coverage-ecs.md) + [ # Runtime coverage and troubleshooting for Amazon EKS clusters ](eks-runtime-monitoring-coverage.md) # Runtime coverage and troubleshooting for Amazon EC2 instance Coverage and troubleshooting for Amazon EC2 resources For an Amazon EC2 resource, the runtime coverage is evaluated at the instance level. Your Amazon EC2 instances can run multiple types of applications and workloads amongst others in your Amazon environment. This feature also supports Amazon ECS managed Amazon EC2 instances and if you have Amazon ECS clusters running on an Amazon EC2 instance, the coverage issues at the instance level will show up under Amazon EC2 runtime coverage. **Topics** + [ ## Reviewing coverage statistics ](#review-coverage-statistics-ec2-runtime-monitoring) + [ ## Coverage status change with EventBridge notifications ](#ec2-runtime-monitoring-coverage-status-change) + [ ## Troubleshooting Amazon EC2 runtime coverage issues ](#ec2-runtime-monitoring-coverage-issues-troubleshoot) ## Reviewing coverage statistics The coverage statistics for the Amazon EC2 instances associated with your own accounts or your member accounts is the percentage of the healthy EC2 instances over all EC2 instances in the selected Amazon Web Services Region. The following equation represents this as: *(Healthy instances/All instances)\$1100* If you have also deployed the GuardDuty security agent for your Amazon ECS clusters, then any instance level coverage issue associated with Amazon ECS clusters running on an Amazon EC2 instance will appear as an Amazon EC2 instance runtime coverage issue. Choose one of the access methods to review the coverage statistics for your accounts. ------ #### [ Console ] + Sign in to the Amazon Web Services Management Console and open the GuardDuty console at [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/). + In the navigation pane, choose **Runtime Monitoring**. + Choose the **Runtime coverage** tab. + Under the **EC2 instance runtime coverage** tab, you can view the coverage statistics aggregated by the coverage status of each Amazon EC2 instance that is available in the **Instances list** table. + You can filter the **Instance list** table by the following columns: + **Account ID** + **Agent management type** + **Agent version** + **Coverage status** + **Instance ID** + **Cluster ARN** + If any of your EC2 instances have the **Coverage status** as **Unhealthy**, the **Issue** column includes additional information about the reason for the **Unhealthy** status. ------ #### [ API/CLI ] + Run the [ListCoverage](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListCoverage.html) API with your own valid detector ID, current Region, and service endpoint. You can filter and sort the instance list using this API. + You can change the example `filter-criteria` with one of the following options for `CriterionKey`: + `ACCOUNT_ID` + `RESOURCE_TYPE` + `COVERAGE_STATUS` + `AGENT_VERSION` + `MANAGEMENT_TYPE` + `INSTANCE_ID` + `CLUSTER_ARN` + When the `filter-criteria` includes `RESOURCE_TYPE` as **EC2**, Runtime Monitoring doesn't support the use of **ISSUE** as the `AttributeName`. If you use it, the API response will result in `InvalidInputException`. You can change the example `AttributeName` in `sort-criteria` with the following options: + `ACCOUNT_ID` + `COVERAGE_STATUS` + `INSTANCE_ID` + `UPDATED_AT` + You can change the *max-results* (up to 50). + To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. ``` aws guardduty --region us-east-1 list-coverage --detector-id 12abc34d567e8fa901bc2d34e56789f0 --sort-criteria '{"AttributeName": "EKS_CLUSTER_NAME", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"ACCOUNT_ID", "FilterCondition":{"EqualsValue":"111122223333"}}] }' --max-results 5 ``` + Run the [GetCoverageStatistics](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_GetCoverageStatistics.html) API to retrieve coverage aggregated statistics based on the `statisticsType`. + You can change the example `statisticsType` to one of the following options: + `COUNT_BY_COVERAGE_STATUS` – Represents coverage statistics for EKS clusters aggregated by coverage status. + `COUNT_BY_RESOURCE_TYPE` – Coverage statistics aggregated based on the type of Amazon resource in the list. + You can change the example `filter-criteria` in the command. You can use the following options for `CriterionKey`: + `ACCOUNT_ID` + `RESOURCE_TYPE` + `COVERAGE_STATUS` + `AGENT_VERSION` + `MANAGEMENT_TYPE` + `INSTANCE_ID` + `CLUSTER_ARN` + To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. ``` aws guardduty --region us-east-1 get-coverage-statistics --detector-id 12abc34d567e8fa901bc2d34e56789f0 --statistics-type COUNT_BY_COVERAGE_STATUS --filter-criteria '{"FilterCriterion":[{"CriterionKey":"ACCOUNT_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }' ``` ------ If the coverage status of your EC2 instance is **Unhealthy**, see [Troubleshooting Amazon EC2 runtime coverage issues](#ec2-runtime-monitoring-coverage-issues-troubleshoot). ## Coverage status change with EventBridge notifications The coverage status of your Amazon EC2 instance might appear as **Unhealthy**. To know when the coverage status changes, we recommend you to monitor the coverage status periodically, and troubleshoot if the status becomes **Unhealthy**. Alternatively, you can create an Amazon EventBridge rule to receive a notification when the coverage status changes from either **Unhealthy** to **Healthy** or otherwise. By default, GuardDuty publishes this in the [EventBridge bus](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-event-bus.html) for your account. ### Sample notification schema In an EventBridge rule, you can use the pre-defined sample events and event patterns to receive coverage status notification. For more information about creating an EventBridge rule, see [Create rule](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-get-started.html#eb-gs-create-rule) in the *Amazon EventBridge User Guide*. Additionally, you can create a custom event pattern by using the following example notification schema. Make sure to replace the values for your account. To get notified when the coverage status of your Amazon EC2 instance changes from `Healthy` to `Unhealthy`, the `detail-type` should be *GuardDuty Runtime Protection Unhealthy*. To get notified when the coverage status changes from `Unhealthy` to `Healthy`, replace the value of `detail-type` with *GuardDuty Runtime Protection Healthy*. ``` { "version": "0", "id": "event ID", "detail-type": "GuardDuty Runtime Protection Unhealthy", "source": "aws.guardduty", "account": "Amazon Web Services account ID", "time": "event timestamp (string)", "region": "Amazon Web Services Region", "resources": [ ], "detail": { "schemaVersion": "1.0", "resourceAccountId": "string", "currentStatus": "string", "previousStatus": "string", "resourceDetails": { "resourceType": "EC2", "ec2InstanceDetails": { "instanceId":"", "instanceType":"", "clusterArn": "", "agentDetails": { "version":"" }, "managementType":"" } }, "issue": "string", "lastUpdatedAt": "timestamp" } } ``` ## Troubleshooting Amazon EC2 runtime coverage issues If the coverage status of your Amazon EC2 instance is **Unhealthy**, you can view the reason under the **Issue** column. If your EC2 instance is associated with an EKS cluster and the security agent for EKS was installed either manually or through automated agent configuration, then to troubleshoot the coverage issue, see [Runtime coverage and troubleshooting for Amazon EKS clusters](eks-runtime-monitoring-coverage.md). The following table lists the issue types and the corresponding troubleshooting steps. [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/gdu-assess-coverage-ec2.html) # Runtime coverage and troubleshooting for Amazon ECS clusters Coverage and troubleshooting for Amazon ECS clusters The runtime coverage for Amazon ECS clusters includes the tasks running on Amazon Fargate and Amazon ECS container instances[1](#ecs-container-instance). For an Amazon ECS cluster that runs on Fargate, the runtime coverage is assessed at the task level. The ECS clusters runtime coverage includes those Fargate tasks that have started running after you have enabled Runtime Monitoring and automated agent configuration for Fargate (ECS only). By default, a Fargate task is immutable. GuardDuty will not be able to install the security agent to monitor containers on already running tasks. To include such a Fargate task, you must stop and start the task again. Make sure to check if the associated service is supported. For information about Amazon ECS container, see [Capacity creation](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/create-capacity.html). **Topics** + [ ## Reviewing coverage statistics ](#ecs-review-coverage-statistics-ecs-runtime-monitoring) + [ ## Coverage status change with EventBridge notifications ](#ecs-runtime-monitoring-coverage-status-change) + [ ## Troubleshooting Amazon ECS-Fargate runtime coverage issues ](#ecs-runtime-monitoring-coverage-issues-troubleshoot) ## Reviewing coverage statistics The coverage statistics for the Amazon ECS resources associated with your own account or your member accounts is the percentage of the healthy Amazon ECS clusters over all the Amazon ECS clusters in the selected Amazon Web Services Region. This includes the coverage for Amazon ECS clusters associated with both Fargate and Amazon EC2 instances. The following equation represents this as: *(Healthy clusters/All clusters)\$1100* ### Considerations + The coverage statistics for the ECS cluster include the coverage status of the Fargate tasks or ECS container instances associated with that ECS cluster. The coverage status of the Fargate tasks include tasks that either are in running state or have recently finished running. + In the **ECS clusters runtime coverage** tab, the **Container instances covered** field indicates the coverage status of the container instances associated with your Amazon ECS cluster. If your Amazon ECS cluster contains only Fargate tasks, the count appears as **0/0**. + If your Amazon ECS cluster is associated with an Amazon EC2 instance that doesn't have a security agent, the Amazon ECS cluster will also have an **Unhealthy** coverage status. To identify and troubleshoot the coverage issue for the associated Amazon EC2 instance, see [Troubleshooting Amazon EC2 runtime coverage issues](gdu-assess-coverage-ec2.md#ec2-runtime-monitoring-coverage-issues-troubleshoot) for Amazon EC2 instances. Choose one of the access methods to review the coverage statistics for your accounts. ------ #### [ Console ] + Sign in to the Amazon Web Services Management Console and open the GuardDuty console at [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/). + In the navigation pane, choose **Runtime Monitoring**. + Choose the **Runtime coverage** tab. + Under the **ECS clusters runtime coverage** tab, you can view the coverage statistics aggregated by the coverage status of each Amazon ECS cluster that is available in the **Clusters list** table. + You can filter the **Cluster list** table by the following columns: + **Account ID** + **Cluster Name** + **Agent management type** + **Coverage status** + If any of your Amazon ECS clusters have the **Coverage status** as **Unhealthy**, the **Issue** column includes additional information about the reason for the **Unhealthy** status. If you Amazon ECS clusters are associated with an Amazon EC2 instance, navigate to the **EC2 instance runtime coverage** tab and filter by the **Cluster name** field to view the associated **Issue**. ------ #### [ API/CLI ] + Run the [ListCoverage](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListCoverage.html) API with your own valid detector ID, current Region, and service endpoint. You can filter and sort the instance list using this API. + You can change the example `filter-criteria` with one of the following options for `CriterionKey`: + `ACCOUNT_ID` + `ECS_CLUSTER_NAME` + `COVERAGE_STATUS` + `MANAGEMENT_TYPE` + You can change the example `AttributeName` in `sort-criteria` with the following options: + `ACCOUNT_ID` + `COVERAGE_STATUS` + `ISSUE` + `ECS_CLUSTER_NAME` + `UPDATED_AT` The field gets updated only when either a new task gets created in the associated Amazon ECS cluster or there is change in the corresponding coverage status. + You can change the *max-results* (up to 50). + To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. ``` aws guardduty --region us-east-1 list-coverage --detector-id 12abc34d567e8fa901bc2d34e56789f0 --sort-criteria '{"AttributeName": "ECS_CLUSTER_NAME", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"ACCOUNT_ID", "FilterCondition":{"EqualsValue":"111122223333"}}] }' --max-results 5 ``` + Run the [GetCoverageStatistics](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_GetCoverageStatistics.html) API to retrieve coverage aggregated statistics based on the `statisticsType`. + You can change the example `statisticsType` to one of the following options: + `COUNT_BY_COVERAGE_STATUS` – Represents coverage statistics for ECS clusters aggregated by coverage status. + `COUNT_BY_RESOURCE_TYPE` – Coverage statistics aggregated based on the type of Amazon resource in the list. + You can change the example `filter-criteria` in the command. You can use the following options for `CriterionKey`: + `ACCOUNT_ID` + `ECS_CLUSTER_NAME` + `COVERAGE_STATUS` + `MANAGEMENT_TYPE` + `INSTANCE_ID` + To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. ``` aws guardduty --region us-east-1 get-coverage-statistics --detector-id 12abc34d567e8fa901bc2d34e56789f0 --statistics-type COUNT_BY_COVERAGE_STATUS --filter-criteria '{"FilterCriterion":[{"CriterionKey":"ACCOUNT_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }' ``` ------ For more information about coverage issues, see [Troubleshooting Amazon ECS-Fargate runtime coverage issues](#ecs-runtime-monitoring-coverage-issues-troubleshoot). ## Coverage status change with EventBridge notifications The coverage status of your Amazon ECS cluster might appear as **Unhealthy**. To know when the coverage status changes, we recommend you to monitor the coverage status periodically, and troubleshoot if the status becomes **Unhealthy**. Alternatively, you can create an Amazon EventBridge rule to receive a notification when the coverage status changes from either **Unhealthy** to **Healthy** or otherwise. By default, GuardDuty publishes this in the [EventBridge bus](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-event-bus.html) for your account. ### Sample notification schema In an EventBridge rule, you can use the pre-defined sample events and event patterns to receive coverage status notification. For more information about creating an EventBridge rule, see [Create rule](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-get-started.html#eb-gs-create-rule) in the *Amazon EventBridge User Guide*. Additionally, you can create a custom event pattern by using the following example notification schema. Make sure to replace the values for your account. To get notified when the coverage status of your Amazon ECS cluster changes from `Healthy` to `Unhealthy`, the `detail-type` should be *GuardDuty Runtime Protection Unhealthy*. To get notified when the coverage status changes from `Unhealthy` to `Healthy`, replace the value of `detail-type` with *GuardDuty Runtime Protection Healthy*. ``` { "version": "0", "id": "event ID", "detail-type": "GuardDuty Runtime Protection Unhealthy", "source": "aws.guardduty", "account": "Amazon Web Services account ID", "time": "event timestamp (string)", "region": "Amazon Web Services Region", "resources": [ ], "detail": { "schemaVersion": "1.0", "resourceAccountId": "string", "currentStatus": "string", "previousStatus": "string", "resourceDetails": { "resourceType": "ECS", "ecsClusterDetails": { "clusterName":"", "fargateDetails":{ "issues":[], "managementType":"" }, "containerInstanceDetails":{ "coveredContainerInstances":int, "compatibleContainerInstances":int } } }, "issue": "string", "lastUpdatedAt": "timestamp" } } ``` ## Troubleshooting Amazon ECS-Fargate runtime coverage issues If the coverage status of your Amazon ECS cluster is **Unhealthy**, you can view the reason under the **Issue** column. The following table provides the recommended troubleshooting steps for Fargate (Amazon ECS only) issues. For information about Amazon EC2 instance coverage issues, see [Troubleshooting Amazon EC2 runtime coverage issues](gdu-assess-coverage-ec2.md#ec2-runtime-monitoring-coverage-issues-troubleshoot) for Amazon EC2 instances. [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/gdu-assess-coverage-ecs.html) # Runtime coverage and troubleshooting for Amazon EKS clusters Coverage and troubleshooting for Amazon EKS clusters After you enable Runtime Monitoring and install the GuardDuty security agent (add-on) for EKS either manually or through automated agent configuration, you can start assessing the coverage for your EKS clusters. **Topics** + [ ## Reviewing coverage statistics ](#reviewing-coverage-statistics-eks-runtime-monitoring) + [ ## Coverage status change with EventBridge notifications ](#eks-runtime-monitoring-coverage-status-change) + [ ## Troubleshooting Amazon EKS runtime coverage issues ](#eks-runtime-monitoring-coverage-issues-troubleshoot) ## Reviewing coverage statistics The coverage statistics for the EKS clusters associated with your own accounts or your member accounts is the percentage of the healthy EKS clusters over all EKS clusters in the selected Amazon Web Services Region. The following equation represents this as: *(Healthy clusters/All clusters)\$1100* Choose one of the access methods to review the coverage statistics for your accounts. ------ #### [ Console ] + Sign in to the Amazon Web Services Management Console and open the GuardDuty console at [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/). + In the navigation pane, choose **Runtime Monitoring**. + Choose the **EKS clusters runtime coverage** tab. + Under the **EKS clusters runtime coverage** tab, you can view the coverage statistics aggregated by the coverage status that is available in the **Clusters list** table. + You can filter the **Clusters list** table by the following columns: + **Cluster name** + **Account ID** + **Agent management type** + **Coverage status** + **Add-on version** + If any of your EKS clusters have the **Coverage status** as **Unhealthy**, the **Issue** column may include additional information about the reason for the **Unhealthy** status. ------ #### [ API/CLI ] + Run the [ListCoverage](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListCoverage.html) API with your own valid detector ID, Region, and service endpoint. You can filter and sort the cluster list using this API. + You can change the example `filter-criteria` with one of the following options for `CriterionKey`: + `ACCOUNT_ID` + `CLUSTER_NAME` + `RESOURCE_TYPE` + `COVERAGE_STATUS` + `ADDON_VERSION` + `MANAGEMENT_TYPE` + You can change the example `AttributeName` in `sort-criteria` with the following options: + `ACCOUNT_ID` + `CLUSTER_NAME` + `COVERAGE_STATUS` + `ISSUE` + `ADDON_VERSION` + `UPDATED_AT` + You can change the *max-results* (up to 50). + To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. ``` aws guardduty --region us-east-1 list-coverage --detector-id 12abc34d567e8fa901bc2d34e56789f0 --sort-criteria '{"AttributeName": "EKS_CLUSTER_NAME", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"ACCOUNT_ID", "FilterCondition":{"EqualsValue":"111122223333"}}] }' --max-results 5 ``` + Run the [GetCoverageStatistics](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_GetCoverageStatistics.html) API to retrieve coverage aggregated statistics based on the `statisticsType`. + You can change the example `statisticsType` to one of the following options: + `COUNT_BY_COVERAGE_STATUS` – Represents coverage statistics for EKS clusters aggregated by coverage status. + `COUNT_BY_RESOURCE_TYPE` – Coverage statistics aggregated based on the type of Amazon resource in the list. + You can change the example `filter-criteria` in the command. You can use the following options for `CriterionKey`: + `ACCOUNT_ID` + `CLUSTER_NAME` + `RESOURCE_TYPE` + `COVERAGE_STATUS` + `ADDON_VERSION` + `MANAGEMENT_TYPE` + To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.amazonaws.cn/guardduty/](https://console.amazonaws.cn/guardduty/) console, or run the [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_ListDetectors.html) API. ``` aws guardduty --region us-east-1 get-coverage-statistics --detector-id 12abc34d567e8fa901bc2d34e56789f0 --statistics-type COUNT_BY_COVERAGE_STATUS --filter-criteria '{"FilterCriterion":[{"CriterionKey":"ACCOUNT_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }' ``` ------ If the coverage status of your EKS cluster is **Unhealthy**, see [Troubleshooting Amazon EKS runtime coverage issues](#eks-runtime-monitoring-coverage-issues-troubleshoot). ## Coverage status change with EventBridge notifications The coverage status of an EKS cluster in your account may show up as **Unhealthy**. To detect when the coverage status becomes **Unhealthy**, we recommend you monitor the coverage status periodically and troubleshoot, if the status is **Unhealthy**. Alternatively, you can create an Amazon EventBridge rule to notify you when the coverage status changes from either `Unhealthy` to `Healthy` or otherwise. By default, GuardDuty publishes this in the [EventBridge bus](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-event-bus.html) for your account. ### Sample notification schema In an EventBridge rule, you can use the pre-defined sample events and event patterns to receive coverage status notification. For more information about creating an EventBridge rule, see [Create rule](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-get-started.html#eb-gs-create-rule) in the *Amazon EventBridge User Guide*. Additionally, you can create a custom event pattern by using the following example notification schema. Make sure to replace the values for your account. To get notified when the coverage status of your Amazon EKS cluster changes from `Healthy` to `Unhealthy`, the `detail-type` should be *GuardDuty Runtime Protection Unhealthy*. To get notified when the coverage status changes from `Unhealthy` to `Healthy`, replace the value of `detail-type` with *GuardDuty Runtime Protection Healthy*. ``` { "version": "0", "id": "event ID", "detail-type": "GuardDuty Runtime Protection Unhealthy", "source": "aws.guardduty", "account": "Amazon Web Services account ID", "time": "event timestamp (string)", "region": "Amazon Web Services Region", "resources": [ ], "detail": { "schemaVersion": "1.0", "resourceAccountId": "string", "currentStatus": "string", "previousStatus": "string", "resourceDetails": { "resourceType": "EKS", "eksClusterDetails": { "clusterName": "string", "availableNodes": "string", "desiredNodes": "string", "addonVersion": "string" } }, "issue": "string", "lastUpdatedAt": "timestamp" } } ``` ## Troubleshooting Amazon EKS runtime coverage issues If the coverage status for your EKS cluster is `Unhealthy`, you can view the corresponding error either under the **Issue** column in the GuardDuty console, or by using the [CoverageResource](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_CoverageResource.html) data type. When working with inclusion or exclusion tags for monitoring your EKS clusters selectively, it may take some time for the tags to sync. This may impact the coverage status of the associated EKS cluster. You can try removing and adding the corresponding tag (inclusion or exclusion) again. For more information, see [Tagging your Amazon EKS resources](https://docs.amazonaws.cn/eks/latest/userguide/eks-using-tags.html) in the **Amazon EKS User Guide**. The structure of a coverage issue is `Issue type:Extra information`. Typically, the issues will have an optional *Extra information* that may include specific client-side exception or description about the issue. Based on *Extra information*, the following tables provide the recommended steps to troubleshoot the coverage issues for your EKS clusters. [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-coverage.html) **Troubleshooting steps for Addon creation/updation error with Addon issue code** [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/eks-runtime-monitoring-coverage.html)