Installing the security agent manually

Focus mode

Installing the security agent manually - Amazon GuardDuty

Out of memory error Validating GuardDuty security agent installation status

GuardDuty provides the following two methods to install the GuardDuty security agent on your Amazon EC2 instances. Before proceeding, make sure to follow the steps under Prerequisite – Creating Amazon VPC endpoint manually.

Choose a preferred access method to install the security agent in your Amazon EC2 resources.

Method 1 - Using AWS Systems Manager – This method requires your Amazon EC2 instance to be AWS Systems Manager managed.
Method 2 - Using Linux Package Managers – You can use this method whether or not your Amazon EC2 instances are AWS Systems Manager managed. Based on your OS distributions, you can choose an appropriate method to install either RPM scripts or Debian scripts. If you use Fedora platform, then you must use this method to install the agent.

To use this method, make sure that your Amazon EC2 instances are AWS Systems Manager managed and then install the agent.

AWS Systems Manager managed Amazon EC2 instance

Use the following steps to make your Amazon EC2 instances AWS Systems Manager managed.

AWS Systems Manager helps you manage your AWS applications and resources end-to-end and enable secure operations at scale.

To manage your Amazon EC2 instances with AWS Systems Manager, see Setting up Systems Manager for Amazon EC2 instances in the AWS Systems Manager User Guide.

The following table shows the new GuardDuty managed AWS Systems Manager documents:

Document name	Document type	Purpose
`AmazonGuardDuty-RuntimeMonitoringSsmPlugin`	Distributor	To package the GuardDuty security agent.
`AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin`	Command	To run installation/un-installation script to install the GuardDuty security agent.

For more information about AWS Systems Manager, see Amazon EC2 Systems Manager Documents in the AWS Systems Manager User Guide.

For Debian Servers

The Amazon Machine Images (AMIs) for Debian Server provided by AWS require you to install the AWS Systems Manager agent (SSM agent). You will need to perform an additional step to install the SSM agent to make your Amazon EC2 Debian Server instances SSM managed. For information about steps that you need to take, see Manually installing SSM agent on Debian Server instances in the AWS Systems Manager User Guide.

To install the GuardDuty agent for Amazon EC2 instance by using AWS Systems Manager

Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the navigation pane, choose Documents
In Owned by Amazon, choose AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin.
Choose Run Command.
Enter the following Run Command parameters
- Action: Choose Install.
- Installation Type: Choose Install or Uninstall.
- Name: AmazonGuardDuty-RuntimeMonitoringSsmPlugin
- Version: If this remains empty, you'll get latest version of the GuardDuty security agent. For more information about the release versions, GuardDuty security agent versions for Amazon EC2 instances.
Select the targeted Amazon EC2 instance. You can select one or more Amazon EC2 instances. For more information, see AWS Systems Manager Running commands from the console in the AWS Systems Manager User Guide
Validate if the GuardDuty agent installation is healthy. For more information, see Validating GuardDuty security agent installation status.

Method 1 - Using AWS Systems Manager

To use this method, make sure that your Amazon EC2 instances are AWS Systems Manager managed and then install the agent.

AWS Systems Manager managed Amazon EC2 instance

Use the following steps to make your Amazon EC2 instances AWS Systems Manager managed.

AWS Systems Manager helps you manage your AWS applications and resources end-to-end and enable secure operations at scale.

To manage your Amazon EC2 instances with AWS Systems Manager, see Setting up Systems Manager for Amazon EC2 instances in the AWS Systems Manager User Guide.

The following table shows the new GuardDuty managed AWS Systems Manager documents:

Document name	Document type	Purpose
`AmazonGuardDuty-RuntimeMonitoringSsmPlugin`	Distributor	To package the GuardDuty security agent.
`AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin`	Command	To run installation/un-installation script to install the GuardDuty security agent.

For more information about AWS Systems Manager, see Amazon EC2 Systems Manager Documents in the AWS Systems Manager User Guide.

For Debian Servers

To install the GuardDuty agent for Amazon EC2 instance by using AWS Systems Manager

Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the navigation pane, choose Documents
In Owned by Amazon, choose AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin.
Choose Run Command.
Enter the following Run Command parameters
- Action: Choose Install.
- Installation Type: Choose Install or Uninstall.
- Name: AmazonGuardDuty-RuntimeMonitoringSsmPlugin
- Version: If this remains empty, you'll get latest version of the GuardDuty security agent. For more information about the release versions, GuardDuty security agent versions for Amazon EC2 instances.
Select the targeted Amazon EC2 instance. You can select one or more Amazon EC2 instances. For more information, see AWS Systems Manager Running commands from the console in the AWS Systems Manager User Guide
Validate if the GuardDuty agent installation is healthy. For more information, see Validating GuardDuty security agent installation status.

With this method, you can install the GuardDuty security agent by running RPM scripts or Debian scripts. Based on the operating systems, you can choose a preferred method:

Use RPM scripts to install the security agent on OS distributions AL2, AL2023, RedHat, CentOS, or Fedora.
Use Debian scripts to install the security agent on OS distributions Ubuntu or Debian. For information about supported Ubuntu and Debian OS distributions, see Validating architectural requirements.

RPM installation

Important

We recommend verifying the GuardDuty security agent RPM signature before installing it on your machine.

Verify the GuardDuty security agent RPM signature

Prepare the template

Prepare the commands with appropriate public key, signature of x86_64 RPM, signature of arm64 RPM, and the corresponding access link to the RPM scripts hosted in Amazon S3 buckets. Replace the value of the AWS Region, AWS account ID, and the GuardDuty agent version to access the RPM scripts.

Public key:


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem

GuardDuty security agent RPM signature:

Signature of x86_64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig

Signature of arm64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig

Access links to the RPM scripts in Amazon S3 bucket:

Access link for x86_64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm

Access link for arm64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.rpm

AWS Region	Region name	AWS account ID
`eu-west-1`	Europe (Ireland)	694911143906
`us-east-1`	US East (N. Virginia)	593207742271
`us-west-2`	US West (Oregon)	733349766148
`eu-west-3`	Europe (Paris)	665651866788
`us-east-2`	US East (Ohio)	307168627858
`eu-central-1`	Europe (Frankfurt)	323658145986
`ap-northeast-2`	Asia Pacific (Seoul)	914738172881
`eu-north-1`	Europe (Stockholm)	591436053604
`ap-east-1`	Asia Pacific (Hong Kong)	258348409381
`me-south-1`	Middle East (Bahrain)	536382113932
`eu-west-2`	Europe (London)	892757235363
`ap-northeast-1`	Asia Pacific (Tokyo)	533107202818
`ap-southeast-1`	Asia Pacific (Singapore)	174946120834
`ap-south-1`	Asia Pacific (Mumbai)	251508486986
`ap-southeast-3`	Asia Pacific (Jakarta)	510637619217
`sa-east-1`	South America (São Paulo)	758426053663
`ap-northeast-3`	Asia Pacific (Osaka)	273192626886
`eu-south-1`	Europe (Milan)	266869475730
`af-south-1`	Africa (Cape Town)	197869348890
`ap-southeast-2`	Asia Pacific (Sydney)	005257825471
`me-central-1`	Middle East (UAE)	000014521398
`us-west-1`	US West (N. California)	684579721401
`ca-central-1`	Canada (Central)	354763396469
`ca-west-1`	Canada West (Calgary)	339712888787
`ap-south-2`	Asia Pacific (Hyderabad)	950823858135
`eu-south-2`	Europe (Spain)	919611009337
`eu-central-2`	Europe (Zurich)	529164026651
`ap-southeast-4`	Asia Pacific (Melbourne)	251357961535
`il-central-1`	Israel (Tel Aviv)	870907303882

Download the template

In the following command to download appropriate public key, signature of x86_64 RPM, signature of arm64 RPM, and the corresponding access link to the RPM scripts hosted in Amazon S3 buckets, make sure to replace the account ID with the appropriate AWS account ID and the Region with your current Region.
```
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm ./amazon-guardduty-agent-1.6.0.x86_64.rpm
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig ./amazon-guardduty-agent-1.6.0.x86_64.sig
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem ./publickey.pem
```
Import the public key

Use the following command to import the public key to the database:
```
gpg --import publickey.pem
```
gpg shows import successfully
```
gpg: key 093FF49D: public key "AwsGuardDuty" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
```
Verify the signature

Use the following command to verify the signature
```
gpg --verify amazon-guardduty-agent-1.6.0.x86_64.sig amazon-guardduty-agent-1.6.0.x86_64.rpm
```
If verification passes, you will see a message similar to the result below. You can now proceed to install the GuardDuty security agent using RPM.

Example output:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: Good signature from "AwsGuardDuty"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
```
If verification fails, it means the signature on RPM has been potentially tampered. You must remove the public key from the database and retry the verification process.

Example:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: BAD signature from "AwsGuardDuty"
```
Use the following command to remove the public key from the database:
```
gpg --delete-keys AwsGuardDuty
```
Now, try the verification process again.

Connect with SSH from Linux or macOS.
Install the GuardDuty security agent by using the following command:
```
sudo rpm -ivh amazon-guardduty-agent-1.6.0.x86_64.rpm
```
Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.

Debian installation

Important

We recommend verifying the GuardDuty security agent Debian signature before installing it on your machine.

Verify the GuardDuty security agent Debian signature

Prepare templates for the appropriate public key, signature of amd64 Debian package, signature of arm64 Debian package, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

In the following templates, replace the value of the AWS Region, AWS account ID, and the GuardDuty agent version to access the Debian package scripts.

Public key:


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/publickey.pem

GuardDuty security agent Debian signature:

Signature of amd64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.sig

Signature of arm64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig

Access links to the Debian scripts in Amazon S3 bucket:

Access link for amd64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.deb

Access link for arm64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.deb

AWS Region	Region name	AWS account ID
`eu-west-1`	Europe (Ireland)	694911143906
`us-east-1`	US East (N. Virginia)	593207742271
`us-west-2`	US West (Oregon)	733349766148
`eu-west-3`	Europe (Paris)	665651866788
`us-east-2`	US East (Ohio)	307168627858
`eu-central-1`	Europe (Frankfurt)	323658145986
`ap-northeast-2`	Asia Pacific (Seoul)	914738172881
`eu-north-1`	Europe (Stockholm)	591436053604
`ap-east-1`	Asia Pacific (Hong Kong)	258348409381
`me-south-1`	Middle East (Bahrain)	536382113932
`eu-west-2`	Europe (London)	892757235363
`ap-northeast-1`	Asia Pacific (Tokyo)	533107202818
`ap-southeast-1`	Asia Pacific (Singapore)	174946120834
`ap-south-1`	Asia Pacific (Mumbai)	251508486986
`ap-southeast-3`	Asia Pacific (Jakarta)	510637619217
`sa-east-1`	South America (São Paulo)	758426053663
`ap-northeast-3`	Asia Pacific (Osaka)	273192626886
`eu-south-1`	Europe (Milan)	266869475730
`af-south-1`	Africa (Cape Town)	197869348890
`ap-southeast-2`	Asia Pacific (Sydney)	005257825471
`me-central-1`	Middle East (UAE)	000014521398
`us-west-1`	US West (N. California)	684579721401
`ca-central-1`	Canada (Central)	354763396469
`ca-west-1`	Canada West (Calgary)	339712888787
`ap-south-2`	Asia Pacific (Hyderabad)	950823858135
`eu-south-2`	Europe (Spain)	919611009337
`eu-central-2`	Europe (Zurich)	529164026651
`ap-southeast-4`	Asia Pacific (Melbourne)	251357961535
`il-central-1`	Israel (Tel Aviv)	870907303882

Download the download appropriate public key, signature of amd64, signature of arm64, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

In the following commands, replace the account ID with the appropriate AWS account ID, and the Region with your current Region.
```
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.deb ./amazon-guardduty-agent-1.6.0.amd64.deb
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.sig ./amazon-guardduty-agent-1.6.0.amd64.sig
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/publickey.pem ./publickey.pem
```

Import the public key to the database


gpg --import publickey.pem

gpg shows import successfully


gpg: key 093FF49D: public key "AwsGuardDuty" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Verify the signature
```
gpg --verify amazon-guardduty-agent-1.6.0.amd64.sig amazon-guardduty-agent-1.6.0.amd64.deb
```
After a successful verification, you will see a message similar to the following result:

Example output:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: Good signature from "AwsGuardDuty"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
```
You can now proceed to install the GuardDuty security agent using Debian.

However, if verification fails, it means the signature in Debian package has been potentially tampered.

Example:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: BAD signature from "AwsGuardDuty"
```
Use the following command to remove the public key from the database:
```
gpg --delete-keys AwsGuardDuty
```
Now, retry the verification process.

Connect with SSH from Linux or macOS.
Install the GuardDuty security agent by using the following command:
```
sudo dpkg -i amazon-guardduty-agent-1.6.0.amd64.deb
```
Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.

Method 2 - Using Linux Package Managers

With this method, you can install the GuardDuty security agent by running RPM scripts or Debian scripts. Based on the operating systems, you can choose a preferred method:

Use RPM scripts to install the security agent on OS distributions AL2, AL2023, RedHat, CentOS, or Fedora.
Use Debian scripts to install the security agent on OS distributions Ubuntu or Debian. For information about supported Ubuntu and Debian OS distributions, see Validating architectural requirements.

RPM installation

Important

We recommend verifying the GuardDuty security agent RPM signature before installing it on your machine.

Verify the GuardDuty security agent RPM signature

Prepare the template

Public key:


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem

GuardDuty security agent RPM signature:

Signature of x86_64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig

Signature of arm64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig

Access links to the RPM scripts in Amazon S3 bucket:

Access link for x86_64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm

Access link for arm64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.rpm

AWS Region	Region name	AWS account ID
`eu-west-1`	Europe (Ireland)	694911143906
`us-east-1`	US East (N. Virginia)	593207742271
`us-west-2`	US West (Oregon)	733349766148
`eu-west-3`	Europe (Paris)	665651866788
`us-east-2`	US East (Ohio)	307168627858
`eu-central-1`	Europe (Frankfurt)	323658145986
`ap-northeast-2`	Asia Pacific (Seoul)	914738172881
`eu-north-1`	Europe (Stockholm)	591436053604
`ap-east-1`	Asia Pacific (Hong Kong)	258348409381
`me-south-1`	Middle East (Bahrain)	536382113932
`eu-west-2`	Europe (London)	892757235363
`ap-northeast-1`	Asia Pacific (Tokyo)	533107202818
`ap-southeast-1`	Asia Pacific (Singapore)	174946120834
`ap-south-1`	Asia Pacific (Mumbai)	251508486986
`ap-southeast-3`	Asia Pacific (Jakarta)	510637619217
`sa-east-1`	South America (São Paulo)	758426053663
`ap-northeast-3`	Asia Pacific (Osaka)	273192626886
`eu-south-1`	Europe (Milan)	266869475730
`af-south-1`	Africa (Cape Town)	197869348890
`ap-southeast-2`	Asia Pacific (Sydney)	005257825471
`me-central-1`	Middle East (UAE)	000014521398
`us-west-1`	US West (N. California)	684579721401
`ca-central-1`	Canada (Central)	354763396469
`ca-west-1`	Canada West (Calgary)	339712888787
`ap-south-2`	Asia Pacific (Hyderabad)	950823858135
`eu-south-2`	Europe (Spain)	919611009337
`eu-central-2`	Europe (Zurich)	529164026651
`ap-southeast-4`	Asia Pacific (Melbourne)	251357961535
`il-central-1`	Israel (Tel Aviv)	870907303882

Download the template

In the following command to download appropriate public key, signature of x86_64 RPM, signature of arm64 RPM, and the corresponding access link to the RPM scripts hosted in Amazon S3 buckets, make sure to replace the account ID with the appropriate AWS account ID and the Region with your current Region.
```
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm ./amazon-guardduty-agent-1.6.0.x86_64.rpm
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig ./amazon-guardduty-agent-1.6.0.x86_64.sig
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem ./publickey.pem
```
Import the public key

Use the following command to import the public key to the database:
```
gpg --import publickey.pem
```
gpg shows import successfully
```
gpg: key 093FF49D: public key "AwsGuardDuty" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
```
Verify the signature

Use the following command to verify the signature
```
gpg --verify amazon-guardduty-agent-1.6.0.x86_64.sig amazon-guardduty-agent-1.6.0.x86_64.rpm
```
If verification passes, you will see a message similar to the result below. You can now proceed to install the GuardDuty security agent using RPM.

Example output:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: Good signature from "AwsGuardDuty"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
```
If verification fails, it means the signature on RPM has been potentially tampered. You must remove the public key from the database and retry the verification process.

Example:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: BAD signature from "AwsGuardDuty"
```
Use the following command to remove the public key from the database:
```
gpg --delete-keys AwsGuardDuty
```
Now, try the verification process again.

Connect with SSH from Linux or macOS.
Install the GuardDuty security agent by using the following command:
```
sudo rpm -ivh amazon-guardduty-agent-1.6.0.x86_64.rpm
```
Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.

Debian installation

Important

We recommend verifying the GuardDuty security agent Debian signature before installing it on your machine.

Verify the GuardDuty security agent Debian signature

Prepare templates for the appropriate public key, signature of amd64 Debian package, signature of arm64 Debian package, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

In the following templates, replace the value of the AWS Region, AWS account ID, and the GuardDuty agent version to access the Debian package scripts.

Public key:


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/publickey.pem

GuardDuty security agent Debian signature:

Signature of amd64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.sig

Signature of arm64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig

Access links to the Debian scripts in Amazon S3 bucket:

Access link for amd64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.deb

Access link for arm64


s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.deb

AWS Region	Region name	AWS account ID
`eu-west-1`	Europe (Ireland)	694911143906
`us-east-1`	US East (N. Virginia)	593207742271
`us-west-2`	US West (Oregon)	733349766148
`eu-west-3`	Europe (Paris)	665651866788
`us-east-2`	US East (Ohio)	307168627858
`eu-central-1`	Europe (Frankfurt)	323658145986
`ap-northeast-2`	Asia Pacific (Seoul)	914738172881
`eu-north-1`	Europe (Stockholm)	591436053604
`ap-east-1`	Asia Pacific (Hong Kong)	258348409381
`me-south-1`	Middle East (Bahrain)	536382113932
`eu-west-2`	Europe (London)	892757235363
`ap-northeast-1`	Asia Pacific (Tokyo)	533107202818
`ap-southeast-1`	Asia Pacific (Singapore)	174946120834
`ap-south-1`	Asia Pacific (Mumbai)	251508486986
`ap-southeast-3`	Asia Pacific (Jakarta)	510637619217
`sa-east-1`	South America (São Paulo)	758426053663
`ap-northeast-3`	Asia Pacific (Osaka)	273192626886
`eu-south-1`	Europe (Milan)	266869475730
`af-south-1`	Africa (Cape Town)	197869348890
`ap-southeast-2`	Asia Pacific (Sydney)	005257825471
`me-central-1`	Middle East (UAE)	000014521398
`us-west-1`	US West (N. California)	684579721401
`ca-central-1`	Canada (Central)	354763396469
`ca-west-1`	Canada West (Calgary)	339712888787
`ap-south-2`	Asia Pacific (Hyderabad)	950823858135
`eu-south-2`	Europe (Spain)	919611009337
`eu-central-2`	Europe (Zurich)	529164026651
`ap-southeast-4`	Asia Pacific (Melbourne)	251357961535
`il-central-1`	Israel (Tel Aviv)	870907303882

Download the download appropriate public key, signature of amd64, signature of arm64, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

In the following commands, replace the account ID with the appropriate AWS account ID, and the Region with your current Region.
```
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.deb ./amazon-guardduty-agent-1.6.0.amd64.deb
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.sig ./amazon-guardduty-agent-1.6.0.amd64.sig
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/publickey.pem ./publickey.pem
```

Import the public key to the database


gpg --import publickey.pem

gpg shows import successfully


gpg: key 093FF49D: public key "AwsGuardDuty" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Verify the signature
```
gpg --verify amazon-guardduty-agent-1.6.0.amd64.sig amazon-guardduty-agent-1.6.0.amd64.deb
```
After a successful verification, you will see a message similar to the following result:

Example output:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: Good signature from "AwsGuardDuty"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
```
You can now proceed to install the GuardDuty security agent using Debian.

However, if verification fails, it means the signature in Debian package has been potentially tampered.

Example:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: BAD signature from "AwsGuardDuty"
```
Use the following command to remove the public key from the database:
```
gpg --delete-keys AwsGuardDuty
```
Now, retry the verification process.

Connect with SSH from Linux or macOS.
Install the GuardDuty security agent by using the following command:
```
sudo dpkg -i amazon-guardduty-agent-1.6.0.amd64.deb
```
Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.

anchor anchor

Important

We recommend verifying the GuardDuty security agent RPM signature before installing it on your machine.

Verify the GuardDuty security agent RPM signature

Prepare the template

Public key:


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem

GuardDuty security agent RPM signature:

Signature of x86_64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig

Signature of arm64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig

Access links to the RPM scripts in Amazon S3 bucket:

Access link for x86_64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm

Access link for arm64 RPM


s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.rpm

AWS Region	Region name	AWS account ID
`eu-west-1`	Europe (Ireland)	694911143906
`us-east-1`	US East (N. Virginia)	593207742271
`us-west-2`	US West (Oregon)	733349766148
`eu-west-3`	Europe (Paris)	665651866788
`us-east-2`	US East (Ohio)	307168627858
`eu-central-1`	Europe (Frankfurt)	323658145986
`ap-northeast-2`	Asia Pacific (Seoul)	914738172881
`eu-north-1`	Europe (Stockholm)	591436053604
`ap-east-1`	Asia Pacific (Hong Kong)	258348409381
`me-south-1`	Middle East (Bahrain)	536382113932
`eu-west-2`	Europe (London)	892757235363
`ap-northeast-1`	Asia Pacific (Tokyo)	533107202818
`ap-southeast-1`	Asia Pacific (Singapore)	174946120834
`ap-south-1`	Asia Pacific (Mumbai)	251508486986
`ap-southeast-3`	Asia Pacific (Jakarta)	510637619217
`sa-east-1`	South America (São Paulo)	758426053663
`ap-northeast-3`	Asia Pacific (Osaka)	273192626886
`eu-south-1`	Europe (Milan)	266869475730
`af-south-1`	Africa (Cape Town)	197869348890
`ap-southeast-2`	Asia Pacific (Sydney)	005257825471
`me-central-1`	Middle East (UAE)	000014521398
`us-west-1`	US West (N. California)	684579721401
`ca-central-1`	Canada (Central)	354763396469
`ca-west-1`	Canada West (Calgary)	339712888787
`ap-south-2`	Asia Pacific (Hyderabad)	950823858135
`eu-south-2`	Europe (Spain)	919611009337
`eu-central-2`	Europe (Zurich)	529164026651
`ap-southeast-4`	Asia Pacific (Melbourne)	251357961535
`il-central-1`	Israel (Tel Aviv)	870907303882

Download the template

In the following command to download appropriate public key, signature of x86_64 RPM, signature of arm64 RPM, and the corresponding access link to the RPM scripts hosted in Amazon S3 buckets, make sure to replace the account ID with the appropriate AWS account ID and the Region with your current Region.
```
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm ./amazon-guardduty-agent-1.6.0.x86_64.rpm
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig ./amazon-guardduty-agent-1.6.0.x86_64.sig
aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem ./publickey.pem
```
Import the public key

Use the following command to import the public key to the database:
```
gpg --import publickey.pem
```
gpg shows import successfully
```
gpg: key 093FF49D: public key "AwsGuardDuty" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
```
Verify the signature

Use the following command to verify the signature
```
gpg --verify amazon-guardduty-agent-1.6.0.x86_64.sig amazon-guardduty-agent-1.6.0.x86_64.rpm
```
If verification passes, you will see a message similar to the result below. You can now proceed to install the GuardDuty security agent using RPM.

Example output:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: Good signature from "AwsGuardDuty"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7478 91EF 5378 1334 4456  7603 06C9 06A7 093F F49D
```
If verification fails, it means the signature on RPM has been potentially tampered. You must remove the public key from the database and retry the verification process.

Example:
```
gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
gpg: BAD signature from "AwsGuardDuty"
```
Use the following command to remove the public key from the database:
```
gpg --delete-keys AwsGuardDuty
```
Now, try the verification process again.

Connect with SSH from Linux or macOS.
Install the GuardDuty security agent by using the following command:
```
sudo rpm -ivh amazon-guardduty-agent-1.6.0.x86_64.rpm
```
Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.

Out of memory error

If you experience an out-of-memory error while installing or updating the GuardDuty security agent for Amazon EC2 manually, see Troubleshooting out of memory error.

Validating GuardDuty security agent installation status

After you have performed the steps to install the GuardDuty security agent, use the following steps to validate the status of the agent:

To validate if the GuardDuty security agent is healthy

Connect with SSH from Linux or macOS.
Run the following command to check the status of the GuardDuty security agent:
```
sudo systemctl status amazon-guardduty-agent
```

If you want to view the security agent installation logs, they are available under /var/log/amzn-guardduty-agent/.

To view the logs, do sudo journalctl -u amazon-guardduty-agent.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Prerequisite – Creating Amazon VPC endpoint manually

Updating security agent manually

Select your cookie preferences

Installing the security agent manually

AWS Systems Manager managed Amazon EC2 instance

For Debian Servers

To install the GuardDuty agent for Amazon EC2 instance by using AWS Systems Manager

Method 1 - Using AWS Systems Manager

AWS Systems Manager managed Amazon EC2 instance

For Debian Servers

To install the GuardDuty agent for Amazon EC2 instance by using AWS Systems Manager

Important

Prepare the template

Download the template

Import the public key

Verify the signature

Important

Prepare templates for the appropriate public key, signature of amd64 Debian package, signature of arm64 Debian package, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

Download the download appropriate public key, signature of amd64, signature of arm64, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

Method 2 - Using Linux Package Managers

Important

Prepare the template

Download the template

Import the public key

Verify the signature

Important

Prepare templates for the appropriate public key, signature of amd64 Debian package, signature of arm64 Debian package, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

Download the download appropriate public key, signature of amd64, signature of arm64, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets

Important

Prepare the template

Download the template

Import the public key

Verify the signature

Out of memory error

Validating GuardDuty security agent installation status

To validate if the GuardDuty security agent is healthy

On this page

Did this page help you?

Next topic:

Previous topic:

Need help?