Frequently asked questions (FAQs) - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Frequently asked questions (FAQs)

The following list answers frequently asked questions about using a shared VPC with GuardDuty automated agent configuration enabled in Runtime Monitoring, including the troubleshooting steps for each:

I am already using Runtime Monitoring (or EKS Runtime Monitoring). How do I enable shared VPC?

For information about prerequisites to create a shared VPC, see Prerequisites.

When both the shared VPC owner account and the participant account have met the prerequisites, GuardDuty will attempt to set the Amazon VPC endpoint policy automatically.

If, before this release, your Amazon Web Services account reported a coverage issue because shared VPCs were not supported, complete the prerequisites. When a resource type (an Amazon EKS cluster or an Amazon ECS task on Amazon Fargate) requires a shared VPC endpoint, GuardDuty will attempt to set the new VPC endpoint policy.

As a shared VPC owner account, I want the shared VPC endpoint policy to be restricted to a subset of participant accounts in my organization. How can I do that?

If the endpoint carries the GuardDutyManaged:true tag, remove it. Without that tag, GuardDuty will not attempt to modify or override the VPC endpoint policy of the shared VPC. You then own that policy, so make sure every participant account that still needs Runtime Monitoring remains allowed by it.

For more information, see Control access to VPC endpoints using endpoint policies.

Why does the shared VPC endpoint policy change from aws:PrincipalAccount to aws:PrincipalOrgId? How can I prevent that?

When GuardDuty detects that the VPC is shared by multiple accounts of the same organization in Amazon Organizations, GuardDuty attempts to modify the policy to specify the organization ID.

To prevent this, remove the GuardDutyManaged:true tag from the shared VPC endpoint. Without that tag, GuardDuty will not attempt to modify or override the VPC endpoint policy of the shared VPC.
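The two preceding questions (restricting the endpoint policy to a subset of participant accounts, and GuardDuty widening the condition from an account list to the organization ID) come down to the same policy shape. The following is an added example, not code from this page or from GuardDuty: it builds the two policy variants and runs a simplified evaluation of the StringEquals condition so you can see which callers each one admits. The statement's Action and Resource wildcards, the account IDs and the organization ID are constructed placeholders; the real endpoint policy that GuardDuty writes is not reproduced here. Condition key names are matched case-insensitively, so the page's aws:PrincipalOrgId and the documented aws:PrincipalOrgID are the same key.

```python
import json

# Constructed example: the Action/Resource wildcards stand in for whatever
# statements the real endpoint policy carries. Only the principal condition
# matters for the questions above.

def build_policy(condition_key, values):
    """Return an endpoint policy allowing only callers whose condition_key matches."""
    if isinstance(values, str):
        values = [values]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictToPrincipals",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringEquals": {condition_key: sorted(values)}},
        }],
    }

def account_restricted_policy(account_ids):
    """Owner-maintained variant: an explicit subset of participant accounts."""
    return build_policy("aws:PrincipalAccount", account_ids)

def org_restricted_policy(org_id):
    """Variant GuardDuty moves to when the VPC is shared across one organization."""
    return build_policy("aws:PrincipalOrgID", org_id)

def policy_json(policy):
    """Serialized form suitable for --policy-document file://policy.json."""
    return json.dumps(policy, indent=2)

def _lookup(request_context, key):
    # Condition key names are case-insensitive in IAM evaluation.
    for name, value in request_context.items():
        if name.lower() == key.lower():
            return value
    return None

def _statement_matches(statement, request_context):
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modeled here")
        for key, expected in keys.items():
            expected = [expected] if isinstance(expected, str) else expected
            actual = _lookup(request_context, key)
            if actual is None or actual not in expected:
                return False
    return True

def is_allowed(policy, request_context):
    """Simplified evaluation: a matching explicit Deny wins, else any matching Allow permits."""
    allowed = False
    for statement in policy["Statement"]:
        if _statement_matches(statement, request_context):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def accounts_gained_by_org_widening(subset_accounts, org_member_accounts):
    """Accounts that gain endpoint access if the account list is replaced by the org ID."""
    return sorted(set(org_member_accounts) - set(subset_accounts))

if __name__ == "__main__":
    # Constructed placeholders: two participants the owner wants to allow,
    # a third organization member that should stay out, and an outside account.
    subset = ["111111111111", "222222222222"]
    org = "o-exampleorgid"
    allowed_member = {"aws:PrincipalAccount": "222222222222", "aws:PrincipalOrgID": org}
    other_member = {"aws:PrincipalAccount": "333333333333", "aws:PrincipalOrgID": org}
    print(policy_json(account_restricted_policy(subset)))
    print("other org member under account list:", is_allowed(account_restricted_policy(subset), other_member))
    print("other org member under org ID:", is_allowed(org_restricted_policy(org), other_member))
    print("accounts gained if widened:", accounts_gained_by_org_widening(subset, subset + ["333333333333"]))
```

To apply the restricted variant yourself, first remove the tag (for example with aws ec2 delete-tags on the endpoint ID and the GuardDutyManaged key) so GuardDuty stops rewriting the policy, then write the document from policy_json() with aws ec2 modify-vpc-endpoint and its --policy-document argument. accounts_gained_by_org_widening() is the check worth running before leaving the tag in place: it lists exactly which organization members the org-ID form would admit beyond your intended subset.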

What happens when the shared VPC owner account or one of the participant accounts disables GuardDuty or Runtime Monitoring (or EKS Runtime Monitoring)?

When the shared VPC owner account disables GuardDuty or Runtime Monitoring (or EKS Runtime Monitoring), GuardDuty checks whether any resource type belonging to a participant account has used the shared VPC endpoint, or whether any participant account has ever enabled GuardDuty agent management for any resource type. If either is true, GuardDuty does not delete the VPC endpoint or the security group.

If a shared VPC participant account disables GuardDuty or Runtime Monitoring (or EKS Runtime Monitoring), there is no impact on the shared VPC owner account: the owner account deletes neither the shared VPC endpoint nor the security group.

How can I delete the shared VPC resource? What will be its impact?

As the shared VPC owner account, you can delete the shared VPC endpoint even while your account or any participant account is using it for Runtime Monitoring. For the deletion steps and an explanation of their impact, see To delete a VPC endpoint.