Managing the automated security agent for Fargate (Amazon ECS only)
Configuring the GuardDuty agent for a standalone account
Currently, Runtime Monitoring supports managing the security agent for your Amazon ECS clusters (Amazon Fargate) only through GuardDuty. Manually managing the security agent on Amazon ECS clusters is not supported.
- Console
- Sign in to the Amazon Web Services Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, use one of the following three approaches.

Manage automated agent configuration for all Amazon ECS clusters (account level)
- In the Automated agent configuration section, choose Enable for Amazon Fargate (ECS only). GuardDuty will manage deployment of the security agent whenever a new Fargate Amazon ECS task launches.
- Choose Save.

Manage automated agent configuration by excluding some Amazon ECS clusters (cluster level)
- Add a tag to each Amazon ECS cluster whose tasks you want to exclude. The key must be GuardDutyManaged and the value false.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
      "Effect": "Deny",
      "Action": ["ecs:CreateTags", "ecs:DeleteTags"],
      "Resource": ["*"],
      "Condition": {
        "StringNotEquals": {
          "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
        },
        "Null": { "ecs:ResourceTag/GuardDutyManaged": false }
      }
    },
    {
      "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
      "Effect": "Deny",
      "Action": ["ecs:CreateTags", "ecs:DeleteTags"],
      "Resource": ["*"],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
        },
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["GuardDutyManaged"] }
      }
    },
    {
      "Sid": "DenyModifyTagsIfPrinTagNotExists",
      "Effect": "Deny",
      "Action": ["ecs:CreateTags", "ecs:DeleteTags"],
      "Resource": ["*"],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
        },
        "Null": { "aws:PrincipalTag/GuardDutyManaged": true }
      }
    }
  ]
}
```
The three statements work together: the first denies any tag change on a cluster whose existing GuardDutyManaged value differs from the caller's own GuardDutyManaged principal tag; the second denies any request that names the GuardDutyManaged tag key unless the requested value matches the caller's principal tag; the third denies tag changes by any principal that carries no GuardDutyManaged tag at all. The role arn:aws:iam::123456789012:role/org-admins/iam-admin (123456789012 is a placeholder account ID) is exempt from all three, so replace it with the ARN of your own trusted principal.
- Under the Configuration tab, choose Enable in the Automated agent configuration section.
  Note: Add the exclusion tag to your Amazon ECS clusters before you enable GuardDuty agent automated management for your account; otherwise the security agent is deployed in every task launched within the corresponding Amazon ECS clusters.
  For Amazon ECS clusters that have not been excluded, GuardDuty manages deployment of the security agent in the sidecar container.
- Choose Save.

Manage automated agent configuration by including some Amazon ECS clusters (cluster level)
- Add a tag to each Amazon ECS cluster whose tasks you want to include. The key must be GuardDutyManaged and the value true.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the exclusion approach above.
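The tag-guard policy above is easy to misread, in particular the two Null conditions and the ${aws:PrincipalTag/GuardDutyManaged} variable. The following Python evaluator is an added example written for this page, not GuardDuty's, Amazon's or IAM's own code: it replays the three Deny statements against constructed tagging requests so you can check who can set, change or remove the GuardDutyManaged tag before you deploy the policy. It models only the condition operators this policy uses and takes two IAM rules as assumptions (a negated operator such as StringNotEquals evaluates to true when its key is absent from the request context; a policy variable that cannot be resolved never equals anything); it does not model the Allow statement a real evaluation also needs. The exempt role ARN is the placeholder from the policy; the platform-team role and every tag value are constructed.

```python
"""Toy evaluator for the three Deny statements of the GuardDutyManaged tag-guard
policy on this page (added example, not GuardDuty's or IAM's own code).

Assumptions: StringNotEquals is true when its key is absent from the request
context; an unresolvable ${...} variable never equals anything; no Allow
statement is modelled, so the answer is only "which Deny statements match".
"""
import json

# Policy copied from the page; 123456789012 is the page's placeholder account.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch", "Effect": "Deny",
  "Action": ["ecs:CreateTags", "ecs:DeleteTags"], "Resource": ["*"],
  "Condition": {"StringNotEquals": {
      "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
      "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"},
    "Null": {"ecs:ResourceTag/GuardDutyManaged": false}}},
 {"Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch", "Effect": "Deny",
  "Action": ["ecs:CreateTags", "ecs:DeleteTags"], "Resource": ["*"],
  "Condition": {"StringNotEquals": {
      "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
      "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"},
    "ForAnyValue:StringEquals": {"aws:TagKeys": ["GuardDutyManaged"]}}},
 {"Sid": "DenyModifyTagsIfPrinTagNotExists", "Effect": "Deny",
  "Action": ["ecs:CreateTags", "ecs:DeleteTags"], "Resource": ["*"],
  "Condition": {"StringNotEquals": {
      "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"},
    "Null": {"aws:PrincipalTag/GuardDutyManaged": true}}}]}
""")

ADMIN_ARN = "arn:aws:iam::123456789012:role/org-admins/iam-admin"  # exempt role from the page


def request_context(principal_arn, principal_tags, resource_tags, action,
                    request_tags=None, tag_keys=None):
    """Flatten a tagging request into the condition keys the policy reads."""
    ctx = {"action": action, "aws:PrincipalArn": principal_arn}
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    ctx.update({f"ecs:ResourceTag/{k}": v for k, v in resource_tags.items()})
    if action == "ecs:CreateTags":
        request_tags = request_tags or {}
        ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
        ctx["aws:TagKeys"] = list(request_tags)
    else:  # ecs:DeleteTags names only the keys being removed, so no aws:RequestTag
        ctx["aws:TagKeys"] = list(tag_keys or [])
    return ctx


def _resolve(ctx, value):
    """Substitute a ${key} policy variable from the context; None if unresolvable."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _string_not_equals(ctx, conds):
    for key, expected in conds.items():
        actual = ctx.get(key)
        if actual is None:                 # absent key: negated operator is true
            continue
        if actual == _resolve(ctx, expected):
            return False                   # one equal key defeats the whole block
    return True


def _null(ctx, conds):
    # "Null": {key: true} matches when the key is absent, false when it is present
    return all((ctx.get(key) is None) == want for key, want in conds.items())


def _for_any_value_string_equals(ctx, conds):
    return all(any(v in vals for v in ctx.get(key, [])) for key, vals in conds.items())


OPERATORS = {"StringNotEquals": _string_not_equals, "Null": _null,
             "ForAnyValue:StringEquals": _for_any_value_string_equals}


def denied_by(ctx):
    """Sids of the Deny statements whose Action and every Condition block match."""
    return [s["Sid"] for s in POLICY["Statement"]
            if ctx["action"] in s["Action"]
            and all(OPERATORS[op](ctx, conds) for op, conds in s["Condition"].items())]


if __name__ == "__main__":
    team = "arn:aws:iam::123456789012:role/platform-team"   # constructed caller
    cases = {
        "exempt role removes the tag": request_context(
            ADMIN_ARN, {}, {"GuardDutyManaged": "false"}, "ecs:DeleteTags", tag_keys=["GuardDutyManaged"]),
        "tagged caller sets matching value": request_context(
            team, {"GuardDutyManaged": "false"}, {}, "ecs:CreateTags", {"GuardDutyManaged": "false"}),
        "tagged caller flips the value": request_context(
            team, {"GuardDutyManaged": "false"}, {"GuardDutyManaged": "false"}, "ecs:CreateTags", {"GuardDutyManaged": "true"}),
        "untagged caller": request_context(
            team, {}, {}, "ecs:CreateTags", {"GuardDutyManaged": "false"}),
    }
    for label, ctx in cases.items():
        print(f"{label}: denied by {denied_by(ctx) or 'nothing'}")
```

Running it shows that a caller whose own GuardDutyManaged principal tag matches the cluster's can add unrelated tags and re-assert the same value, while a caller with a mismatched or missing principal tag is denied; it also shows that under the modelled rules any caller other than the exempt role is denied when removing the key, because a DeleteTags request carries no aws:RequestTag value for the StringNotEquals block to match.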
Configuring the GuardDuty agent for a multi-account environment
In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable automated agent configuration for member accounts and manage automated agent configuration for the Amazon ECS clusters that belong to the member accounts in its organization. GuardDuty member accounts cannot modify this configuration. The delegated GuardDuty administrator account manages its member accounts through Amazon Organizations. For more information about multi-account environments, see Managing multiple accounts in GuardDuty.
Enabling automated agent configuration for the delegated GuardDuty administrator account
Manage for all Amazon ECS clusters (account level)
If you chose Enable for all accounts for Runtime Monitoring, you have the following options:
- In the Automated agent configuration section, choose Enable for all accounts. GuardDuty will deploy and manage the security agent for every Amazon ECS task that launches.
- Choose Configure accounts manually.
If you chose Configure accounts manually in the Runtime Monitoring section, do the following:
- In the Automated agent configuration section, choose Configure accounts manually.
- In the Delegated GuardDuty administrator account (this account) section, choose Enable.
- Choose Save.

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
- Add a tag to each Amazon ECS cluster you want to exclude, with key GuardDutyManaged and value false.
- Prevent the tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Add the exclusion tag to your Amazon ECS clusters before you enable automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all containers in the launched Amazon ECS tasks.
- Under the Configuration tab, choose Enable in Automated agent configuration. For Amazon ECS clusters that have not been excluded, GuardDuty manages deployment of the security agent in the sidecar container.
- Choose Save.

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
- Add a tag to each Amazon ECS cluster whose tasks you want to include. The key must be GuardDutyManaged and the value true.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
Note: When you use the inclusion tag on Amazon ECS clusters, you do not need to explicitly enable the agent through GuardDuty automated agent configuration.
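Before enabling the account-level setting, a practitioner wants to know which clusters will actually receive the sidecar. The following Python script is an added example for this page, not GuardDuty's or Amazon's own code: it applies the rules stated in the procedures above (an exclusion tag GuardDutyManaged=false removes a cluster, an inclusion tag GuardDutyManaged=true adds it without the account-level setting, every other cluster follows the account-level Automated agent configuration setting) to an inventory of cluster tag listings and reports which clusters are still untagged. The cluster names and tags are constructed; the listing shape follows the output of "aws ecs list-tags-for-resource"; and treating any tag value other than exactly "true" or "false" as unrecognised is an assumption drawn from the page's wording that the key-value pair must be GuardDutyManaged and false (or true).

```python
"""Pre-flight audit of which Amazon ECS clusters would receive the GuardDuty
Fargate sidecar agent (added example for this page, not GuardDuty's own code).

Rules from the page: GuardDutyManaged=false excludes a cluster,
GuardDutyManaged=true includes it regardless of the account-level setting,
anything else follows the account-level setting. Assumption: values are
matched exactly, so "True" or "yes" is reported and otherwise ignored.
"""

TAG_KEY = "GuardDutyManaged"
VALID_VALUES = ("true", "false")


def tag_value(listing):
    """GuardDutyManaged value from a list-tags-for-resource style dict, or None."""
    for tag in listing.get("tags", []):
        if tag.get("key") == TAG_KEY:
            return tag.get("value")
    return None


def agent_expected(account_enabled, listing):
    """True when GuardDuty would deploy the sidecar into tasks launched in this cluster."""
    value = tag_value(listing)
    if value == "false":        # exclusion tag wins over the account-level setting
        return False
    if value == "true":         # inclusion tag works even with the setting off
        return True
    return account_enabled      # no recognised tag: the account-level setting decides


def untagged_clusters(clusters):
    """Clusters with no GuardDutyManaged tag at all. Review these before enabling the
    account-level setting, because every one of them will then get the sidecar."""
    return sorted(name for name, listing in clusters.items() if tag_value(listing) is None)


def audit(account_enabled, clusters):
    """Return {'agent': [...], 'excluded': [...], 'warnings': [...]} for a given
    account-level setting and a {cluster_name: tag_listing} inventory."""
    report = {"agent": [], "excluded": [], "warnings": []}
    for name in sorted(clusters):
        listing = clusters[name]
        value = tag_value(listing)
        if value is not None and value not in VALID_VALUES:
            report["warnings"].append(
                f"{name}: {TAG_KEY}={value!r} is neither 'true' nor 'false' and is ignored")
        bucket = "agent" if agent_expected(account_enabled, listing) else "excluded"
        report[bucket].append(name)
    return report


# Constructed inventory, shaped like `aws ecs list-tags-for-resource` output.
SAMPLE_CLUSTERS = {
    "payments-prod": {"tags": [{"key": TAG_KEY, "value": "false"},
                               {"key": "Environment", "value": "prod"}]},
    "batch-jobs": {"tags": [{"key": TAG_KEY, "value": "True"}]},   # wrong case: ignored
    "web-frontend": {"tags": [{"key": "Environment", "value": "prod"}]},
    "security-tools": {"tags": [{"key": TAG_KEY, "value": "true"}]},
}

if __name__ == "__main__":
    # Preview the effect of the account-level setting before changing it.
    print("clusters still without a tag:", untagged_clusters(SAMPLE_CLUSTERS))
    for enabled in (False, True):
        print(f"account-level setting enabled={enabled}:", audit(enabled, SAMPLE_CLUSTERS))
```

With the setting off only the cluster carrying the inclusion tag gets the agent; with it on, every cluster except the one carrying a well-formed exclusion tag does, and the miscased tag on batch-jobs is reported rather than silently treated as an exclusion.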
Automatically enabling for all member accounts
Manage for all Amazon ECS clusters (account level)
The following steps assume you chose Enable for all accounts in the Runtime Monitoring section.
- In the Automated agent configuration section, choose Enable for all accounts. GuardDuty will deploy and manage the security agent for every Amazon ECS task that launches.
- Choose Save.

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
- Add a tag to each Amazon ECS cluster you want to exclude, with key GuardDutyManaged and value false.
- Prevent the tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Add the exclusion tag to your Amazon ECS clusters before you enable automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all containers in the launched Amazon ECS tasks.
- Under the Configuration tab, choose Edit.
- In the Automated agent configuration section, choose Enable for all accounts. For Amazon ECS clusters that have not been excluded, GuardDuty manages deployment of the security agent in the sidecar container.
- Choose Save.

Manage for selective (inclusion-only) Amazon ECS clusters (cluster level)
Regardless of how you chose to enable Runtime Monitoring, the following steps help you monitor selected Amazon ECS Fargate tasks across all member accounts in your organization.
- Do not enable anything in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as you chose in the previous step.
- Choose Save.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
Note: When you use the inclusion tag on Amazon ECS clusters, you do not need to explicitly enable GuardDuty agent automated management.
Enabling automated agent configuration for existing active member accounts
Manage for all Amazon ECS clusters (account level)
- On the Runtime Monitoring page, under the Configuration tab, you can view the current status of automated agent configuration.
- In the Automated agent configuration pane, under the Active member accounts section, choose Actions.
- From Actions, choose Enable for all existing active member accounts.
- Choose Confirm.

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
- Add a tag to each Amazon ECS cluster you want to exclude, with key GuardDutyManaged and value false.
- Prevent the tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Add the exclusion tag to your Amazon ECS clusters before you enable automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all containers in the launched Amazon ECS tasks.
- Under the Configuration tab, in the Automated agent configuration section under Active member accounts, choose Actions.
- From Actions, choose Enable for all active member accounts. For Amazon ECS clusters that have not been excluded, GuardDuty manages deployment of the security agent in the sidecar container.
- Choose Confirm.

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
- Add a tag to each Amazon ECS cluster whose tasks you want to include. The key must be GuardDutyManaged and the value true.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
Note: When you use the inclusion tag on Amazon ECS clusters, you do not need to explicitly enable automated agent configuration.
Automatically enabling automated agent configuration for new members
Manage for all Amazon ECS clusters (account level)
- On the Runtime Monitoring page, choose Edit to update the existing configuration.
- In the Automated agent configuration section, choose Automatically enable for new member accounts.
- Choose Save.

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
- Add a tag to each Amazon ECS cluster you want to exclude, with key GuardDutyManaged and value false.
- Prevent the tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Add the exclusion tag to your Amazon ECS clusters before you enable automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all containers in the launched Amazon ECS tasks.
- Under the Configuration tab, in the Automated agent configuration section, choose Automatically enable for new member accounts. For Amazon ECS clusters that have not been excluded, GuardDuty manages deployment of the security agent in the sidecar container.
- Choose Save.

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
- Add a tag to each Amazon ECS cluster whose tasks you want to include. The key must be GuardDutyManaged and the value true.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
Note: When you use the inclusion tag on Amazon ECS clusters, you do not need to explicitly enable automated agent configuration.
Selectively enabling automated agent configuration for active member accounts
Manage for all Amazon ECS clusters (account level)
- On the Accounts page, select the accounts for which you want to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate). You can select multiple accounts. Make sure the accounts you select in this step already have Runtime Monitoring enabled.
- From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate).
- Choose Confirm.

Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)
- Add a tag to each Amazon ECS cluster you want to exclude, with key GuardDutyManaged and value false.
- Prevent the tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
  Note: Add the exclusion tag to your Amazon ECS clusters before you enable GuardDuty agent automated management for your account; otherwise the GuardDuty sidecar container will be attached to all containers in the launched Amazon ECS tasks.
- On the Accounts page, select the accounts for which you want to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate). You can select multiple accounts. Make sure the accounts you select in this step already have Runtime Monitoring enabled. For Amazon ECS clusters that have not been excluded, GuardDuty manages deployment of the security agent in the sidecar container.
- From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate).
- Choose Save.

Manage for selective (inclusion only) Amazon ECS clusters (cluster level)
- Make sure that you do not enable automated agent configuration (that is, Runtime Monitoring-Automated agent configuration (ECS-Fargate)) for the selected accounts that own the Amazon ECS clusters you want to monitor.
- Add a tag to each Amazon ECS cluster whose tasks you want to include. The key must be GuardDutyManaged and the value true.
- Prevent these tags from being modified except by trusted entities. The policy provided in "Prevent tags from being modified except by authorized principals" in the Amazon Organizations User Guide has been adapted to apply here:
  The policy is identical to the one shown under the standalone-account procedure earlier on this page.
Note: When you use the inclusion tag on Amazon ECS clusters, you do not need to explicitly enable automated agent configuration.