Configuring EKS Runtime Monitoring for multiple-account environments (API) - Amazon GuardDuty

Configuring EKS Runtime Monitoring for multiple-account environments (API)

In a multiple-account environments, only the delegated GuardDuty administrator account can enable or disable EKS Runtime Monitoring for the member accounts, and manage GuardDuty agent management for the EKS clusters belonging to the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account account manages their member accounts using AWS Organizations. For more information about multi-account environments, see Managing multiple accounts.

This section provides steps to configure EKS Runtime Monitoring and manage the GuardDuty security agent for the EKS clusters that belong to the delegated GuardDuty administrator account.

Based on the Approaches to manage GuardDuty security agent in Amazon EKS clusters, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'

Manage the security agent manually

  1. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

This section includes steps to enable EKS Runtime Monitoring and manage security agent for all member accounts. This includes the delegated GuardDuty administrator account, existing member accounts, and the new accounts that join the organization.

Based on the Approaches to manage GuardDuty security agent in Amazon EKS clusters, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] } ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

This section includes the steps to enable EKS Runtime Monitoring and manage GuardDuty security agent for existing active member accounts in your organization.

Based on the Approaches to manage GuardDuty security agent in Amazon EKS clusters, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] } ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

The delegated GuardDuty administrator account can auto-enable EKS Runtime Monitoring and choose an approach for how to manage the GuardDuty security agent for new accounts that join your organization.

Based on the Approaches to manage GuardDuty security agent in Amazon EKS clusters, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

This section includes the steps to configure EKS Runtime Monitoring and manage security agent for individual active member accounts.

Based on the Approaches to manage GuardDuty security agent in Amazon EKS clusters, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] } ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.