Configuring EKS Runtime Monitoring (API only)
Before configuring EKS Runtime Monitoring in your account, make sure that you're using one of the verified platforms that supports the Kubernetes version that is presently in use. For more, see Validating architectural requirements.
GuardDuty has consolidated the console experience for EKS Runtime Monitoring into Runtime Monitoring. GuardDuty recommends Checking EKS Runtime Monitoring configuration status and Migrating from EKS Runtime Monitoring to Runtime Monitoring.
As a part of migrating to Runtime Monitoring, make sure that you disable EKS Runtime Monitoring. This is important because if you later choose to disable Runtime Monitoring and you do not disable EKS Runtime Monitoring, you will continue incurring usage cost for EKS Runtime Monitoring.
Configuring EKS Runtime Monitoring for a standalone account
For the accounts associated with AWS Organizations, see Configuring EKS Runtime Monitoring for multiple-account environments.
Choose your preferred access method to enable EKS Runtime Monitoring for your account.
- API/CLI
Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.
Preferred approach to manage GuardDuty security agent, with the steps for each approach:
Manage security agent through GuardDuty (Monitor all EKS clusters)
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Monitor all EKS clusters but exclude some of them (using exclusion tag)
- Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  Note
  Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Monitor selective EKS clusters (using inclusion tag)
- Add a tag to the EKS cluster that you want to include in monitoring. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
Manage the security agent manually
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
Configuring EKS Runtime Monitoring for multiple-account environments
In a multiple-account environment, only the delegated GuardDuty administrator account can enable or disable EKS Runtime Monitoring for the member accounts, and manage GuardDuty agent management for the EKS clusters belonging to the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using AWS Organizations. For more information about multi-account environments, see Managing multiple accounts.
Choose your preferred access method to enable EKS Runtime Monitoring and manage the GuardDuty security agent for the EKS clusters that belong to the delegated GuardDuty administrator account.
- API/CLI
Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.
Preferred approach to manage GuardDuty security agent, with the steps for each approach:
Manage security agent through GuardDuty (Monitor all EKS clusters)
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Monitor all EKS clusters but exclude some of them (using exclusion tag)
- Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  Note
  Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Monitor selective EKS clusters (using inclusion tag)
- Add a tag to the EKS cluster that you want to include in monitoring. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
Manage the security agent manually
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT (update-detector acts on your own detector and takes no account IDs):
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
Choose your preferred access method to enable EKS Runtime Monitoring for all member accounts. This includes the delegated GuardDuty administrator account, existing member accounts, and the new accounts that join the organization. Choose your preferred approach to manage GuardDuty security agent for the EKS clusters that belong to these member accounts.
- API/CLI
Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.
Preferred approach to manage GuardDuty security agent, with the steps for each approach:
Manage security agent through GuardDuty (Monitor all EKS clusters)
- To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
  Note
  You can also pass a list of account IDs separated by a space.
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor all EKS clusters but exclude some of them (using exclusion tag)
- Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  Note
  Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
- Run the updateMemberDetectors API operation by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
  Note
  You can also pass a list of account IDs separated by a space.
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor selective EKS clusters (using inclusion tag)
- Add a tag to the EKS cluster that you want to include in monitoring. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
- Run the updateMemberDetectors API operation by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
  Note
  You can also pass a list of account IDs separated by a space.
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Manage the security agent manually
- Run the updateMemberDetectors API operation by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
Choose your preferred access method to enable EKS Runtime Monitoring and manage GuardDuty security agent for existing active member accounts in your organization.
- API/CLI
Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.
Preferred approach to manage GuardDuty security agent, with the steps for each approach:
Manage security agent through GuardDuty (Monitor all EKS clusters)
- To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
  Note
  You can also pass a list of account IDs separated by a space.
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor all EKS clusters but exclude some of them (using exclusion tag)
- Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  Note
  Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
- To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
  Note
  You can also pass a list of account IDs separated by a space.
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor selective EKS clusters (using inclusion tag)
- Add a tag to the EKS cluster that you want to include in monitoring. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
    "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
- To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
  Note
  You can also pass a list of account IDs separated by a space.
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Manage the security agent manually
- To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
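The tables above (the standalone-account table and the member-account tables in this section) describe the same two calls with four agent-management approaches. The following is an added example, not code from the AWS documentation or the GuardDuty service: it builds the Features payload for updateDetector / updateMemberDetectors using the boto3 parameter names, applies it through an injected client, inspects UnprocessedAccounts, and models which clusters the agent will be deployed to under each approach. The stub client and the cluster inventory are constructed; pass boto3.client("guardduty") instead of the stub to apply the configuration for real.

```python
"""Added example (not code from the AWS documentation page): builds the
Features payload that this page passes to updateDetector /
updateMemberDetectors, applies it through an injected boto3-style client, and
models which EKS clusters the GuardDuty security agent lands on for each
agent-management approach. The client is injected so the logic runs offline
with the stub below; pass boto3.client("guardduty") to apply it for real."""

FEATURE = "EKS_RUNTIME_MONITORING"
ADDON = "EKS_ADDON_MANAGEMENT"
TAG_KEY = "GuardDutyManaged"

# Approach from the page's table -> status of EKS_ADDON_MANAGEMENT.
APPROACHES = {
    "all": "ENABLED",         # GuardDuty deploys the agent to every cluster
    "exclusion": "ENABLED",   # ... except clusters tagged GuardDutyManaged=false
    "inclusion": "DISABLED",  # GuardDuty deploys only to clusters tagged GuardDutyManaged=true
    "manual": "DISABLED",     # you deploy and update the agent yourself
}


def build_features(approach):
    """Return the Features list for update_detector / update_member_detectors."""
    if approach not in APPROACHES:
        raise ValueError(f"unknown approach: {approach!r}")
    return [{
        "Name": FEATURE,
        "Status": "ENABLED",
        "AdditionalConfiguration": [{"Name": ADDON, "Status": APPROACHES[approach]}],
    }]


def agent_targets(addon_status, clusters):
    """Clusters GuardDuty will deploy its agent to, given {cluster_name: tags}.

    Mirrors the page's table: with EKS_ADDON_MANAGEMENT ENABLED every cluster
    not carrying GuardDutyManaged=false gets the agent; with it DISABLED only
    clusters carrying GuardDutyManaged=true do (none under the manual approach,
    where no cluster is tagged).
    """
    targets = []
    for name, tags in clusters.items():
        value = tags.get(TAG_KEY)
        if addon_status == "ENABLED" and value != "false":
            targets.append(name)
        elif addon_status == "DISABLED" and value == "true":
            targets.append(name)
    return sorted(targets)


def missing_exclusion_tags(clusters, wanted_excluded):
    """Pre-check for the exclusion approach: the Note on this page says the tag
    must be in place before enabling, or the agent is deployed everywhere.
    Returns the clusters you meant to exclude that are not yet tagged false."""
    return sorted(c for c in wanted_excluded
                  if clusters.get(c, {}).get(TAG_KEY) != "false")


def enable_eks_runtime_monitoring(client, detector_id, approach, account_ids=None):
    """Enable the feature on your own detector (standalone account, or the
    delegated administrator's own account), or on member accounts when
    account_ids is given. Returns the UnprocessedAccounts list: empty means
    every account was updated; otherwise each entry carries AccountId and Result."""
    features = build_features(approach)
    if account_ids is None:
        client.update_detector(DetectorId=detector_id, Features=features)
        return []
    resp = client.update_member_detectors(
        DetectorId=detector_id, AccountIds=list(account_ids), Features=features)
    return resp.get("UnprocessedAccounts", [])


class StubClient:
    """Offline stand-in for boto3.client("guardduty") that records calls and
    returns a constructed UnprocessedAccounts list."""

    def __init__(self, unprocessed=()):
        self.calls = []
        self.unprocessed = list(unprocessed)

    def update_detector(self, **kwargs):
        self.calls.append(("update_detector", kwargs))
        return {}

    def update_member_detectors(self, **kwargs):
        self.calls.append(("update_member_detectors", kwargs))
        return {"UnprocessedAccounts": self.unprocessed}


# Constructed sample inventory (cluster name -> tags), not real clusters.
SAMPLE_CLUSTERS = {
    "payments-prod": {TAG_KEY: "true"},
    "ci-scratch": {TAG_KEY: "false"},
    "data-platform": {},
}

if __name__ == "__main__":
    stub = StubClient(unprocessed=[{"AccountId": "555555555555",
                                    "Result": "constructed: account is not a member"}])
    print("exclusion approach deploys to:", agent_targets("ENABLED", SAMPLE_CLUSTERS))
    print("inclusion approach deploys to:", agent_targets("DISABLED", SAMPLE_CLUSTERS))
    print("still untagged:", missing_exclusion_tags(SAMPLE_CLUSTERS, ["ci-scratch", "data-platform"]))
    failed = enable_eks_runtime_monitoring(stub, "12abc34d567e8fa901bc2d34e56789f0", "exclusion",
                                           ["111122223333", "555555555555"])
    print("unprocessed accounts:", failed)
```

Run missing_exclusion_tags before the call and treat a non-empty UnprocessedAccounts list as a partial failure to retry or escalate, rather than assuming every member account was covered.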
The delegated GuardDuty administrator account can auto-enable EKS Runtime Monitoring and choose an approach for how to manage the GuardDuty security agent for new accounts that join your organization.
- API/CLI
Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.
Preferred approach to manage GuardDuty security agent, with the steps for each approach:
Manage security agent through GuardDuty (Monitor all EKS clusters)
- To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the GuardDuty console (https://console.aws.amazon.com/guardduty/), or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.
    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] }]'
  When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor all EKS clusters but exclude some of them (using exclusion tag)
-
Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
-
Replace ec2:CreateTags with eks:TagResource.
-
Replace ec2:DeleteTags with eks:UntagResource.
-
Replace access-project with GuardDutyManaged.
-
Replace 123456789012 with the AWS account ID of the trusted entity.
When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
"aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
-
Note
Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
-
To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.
aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}]}]'
When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor selective EKS clusters (using inclusion tag)
-
Add a tag to the EKS cluster that you want to be monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
-
Replace ec2:CreateTags with eks:TagResource.
-
Replace ec2:DeleteTags with eks:UntagResource.
-
Replace access-project with GuardDutyManaged.
-
Replace 123456789012 with the AWS account ID of the trusted entity.
When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
"aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
-
To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.
aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NONE"}]}]'
When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Manage the security agent manually
-
To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.
aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NONE"}]}]'
When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
-
To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
- API/CLI
-
Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.
Preferred approach to manage GuardDuty security agent
Steps
Manage security agent through GuardDuty (Monitor all EKS clusters)
-
To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}]}]'
Note
You can also pass a list of account IDs separated by a space.
When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor all EKS clusters but exclude some of them (using exclusion tag)
-
Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
-
Replace ec2:CreateTags with eks:TagResource.
-
Replace ec2:DeleteTags with eks:UntagResource.
-
Replace access-project with GuardDutyManaged.
-
Replace 123456789012 with the AWS account ID of the trusted entity.
When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
"aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
-
Note
Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.
-
To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}]}]'
Note
You can also pass a list of account IDs separated by a space.
When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Monitor selective EKS clusters (using inclusion tag)
-
Add a tag to the EKS cluster that you want to be monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
-
Replace ec2:CreateTags with eks:TagResource.
-
Replace ec2:DeleteTags with eks:UntagResource.
-
Replace access-project with GuardDutyManaged.
-
Replace 123456789012 with the AWS account ID of the trusted entity.
When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:
"aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
-
To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}]}]'
Note
You can also pass a list of account IDs separated by a space.
When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
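The tag-protection steps above (both for the exclusion tag and the inclusion tag) produce a policy that only trusted principals can use to change the GuardDutyManaged tag. As an added example, not the policy from the AWS Organizations User Guide, the following Python builds a simplified service control policy with the described substitutions already applied (eks:TagResource, eks:UntagResource, tag key GuardDutyManaged, a list of trusted PrincipalArn values) and evaluates it locally against constructed requests, showing that an untrusted principal is refused only when the request touches the GuardDutyManaged key.

```python
"""Simplified SCP that lets only trusted principals add or remove the
GuardDutyManaged tag on EKS clusters, plus a local evaluator.  Added example:
this is not the policy from the AWS Organizations User Guide, but one written
for this page with the described substitutions already applied."""
import json

TAG_KEY = "GuardDutyManaged"


def tag_guard_policy(trusted_principal_arns):
    """Deny eks:TagResource/eks:UntagResource on the GuardDutyManaged key
    unless the caller is one of the trusted ARNs.

    StringNotEquals against a list denies when the caller matches none of
    the ARNs; ForAnyValue:StringEquals on aws:TagKeys limits the deny to
    requests that touch GuardDutyManaged, so other tags stay editable."""
    if not trusted_principal_arns:
        raise ValueError("at least one trusted principal ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyGuardDutyManagedTagChangesByUntrustedPrincipals",
            "Effect": "Deny",
            "Action": ["eks:TagResource", "eks:UntagResource"],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {"aws:TagKeys": [TAG_KEY]},
                "StringNotEquals": {"aws:PrincipalArn": list(trusted_principal_arns)},
            },
        }],
    }


def would_deny(policy, principal_arn, action, tag_keys):
    """Local approximation of the Deny statement for one request.

    The deny applies only when all three conditions hold: the action is
    listed, a requested tag key is GuardDutyManaged, and the caller equals
    none of the trusted ARNs."""
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]
    action_listed = action in stmt["Action"]
    key_touched = any(k in cond["ForAnyValue:StringEquals"]["aws:TagKeys"] for k in tag_keys)
    untrusted = principal_arn not in cond["StringNotEquals"]["aws:PrincipalArn"]
    return action_listed and key_touched and untrusted


if __name__ == "__main__":
    # First ARN is the one used on this page; the second is constructed.
    policy = tag_guard_policy(["arn:aws:iam::123456789012:role/org-admins/iam-admin",
                               "arn:aws:iam::123456789012:role/org-admins/security-admin"])
    print(json.dumps(policy, indent=2))
```

The evaluator only models this one statement; attach the real policy to the organizational unit and confirm with an untrusted role that a tag change is refused.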
Manage the security agent manually
-
To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
-
Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/console, or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}]}]'
-
To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
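Both tables set the same two feature names with different value vocabularies (AutoEnable for UpdateOrganizationConfiguration, Status for updateMemberDetectors) and report failures through the same UnprocessedAccounts list. The following Python, an added example and not AWS documentation code, builds the features payload for each of the four approaches, serializes it for the CLI --features argument, and turns a response into a map of failed account IDs; the response it checks is constructed inline, and sending the request (for example through boto3) is left to the caller.

```python
"""Build the GuardDuty EKS Runtime Monitoring payloads for each approach
and inspect the result.  Added example (not AWS documentation code); it uses
only the standard library and a constructed response, so it runs offline."""
import json

# Approach -> whether GuardDuty should deploy the agent add-on itself.
# The inclusion-tag and manual approaches keep EKS_ADDON_MANAGEMENT off.
ADDON_MANAGED_BY_GUARDDUTY = {
    "all-clusters": True,
    "exclusion-tag": True,
    "inclusion-tag": False,
    "manual": False,
}


def member_features(approach):
    """--features for update-member-detectors (Status ENABLED/DISABLED)."""
    addon = "ENABLED" if ADDON_MANAGED_BY_GUARDDUTY[approach] else "DISABLED"
    return [{
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": addon}],
    }]


def organization_features(approach):
    """--features for update-organization-configuration (AutoEnable NEW/NONE)."""
    addon = "NEW" if ADDON_MANAGED_BY_GUARDDUTY[approach] else "NONE"
    return [{
        "Name": "EKS_RUNTIME_MONITORING",
        "AutoEnable": "NEW",
        "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": addon}],
    }]


def cli_features_arg(features):
    """Serialize a features list for the CLI --features argument."""
    return json.dumps(features, separators=(",", ":"))


def failed_accounts(response):
    """Map account ID -> reason for each UnprocessedAccounts entry.

    An empty dict means every requested account was updated."""
    return {u["AccountId"]: u["Result"] for u in response.get("UnprocessedAccounts", [])}


# Constructed response: one member account could not be updated.
SAMPLE_RESPONSE = {"UnprocessedAccounts": [
    {"AccountId": "111122223333", "Result": "constructed: account is not a member"}]}

if __name__ == "__main__":
    print(cli_features_arg(member_features("inclusion-tag")))
    print(failed_accounts(SAMPLE_RESPONSE) or "all accounts updated")
```

Treat a non-empty result from failed_accounts as a configuration gap to resolve, since those accounts keep running without the runtime agent.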