Installing the security agent manually
GuardDuty provides the following two methods to install the GuardDuty security agent on your Amazon EC2 instances. Before proceeding, make sure to follow the steps under Prerequisite – Creating Amazon VPC endpoint manually.

Choose a preferred access method to install the security agent in your Amazon EC2 resources.

- Method 1 - Using AWS Systems Manager – This method requires your Amazon EC2 instance to be AWS Systems Manager managed.
- Method 2 - Using Linux Package Managers – You can use this method whether or not your Amazon EC2 instances are AWS Systems Manager managed. Based on your OS distribution, you can choose the appropriate package type and install either the RPM scripts or the Debian scripts. If you use the Fedora platform, you must use this method to install the agent.

Method 1 - Using AWS Systems Manager

To use this method, make sure that your Amazon EC2 instances are AWS Systems Manager managed and then install the agent.
AWS Systems Manager managed Amazon EC2 instance
Use the following steps to make your Amazon EC2 instances AWS Systems Manager managed.

- AWS Systems Manager helps you manage your AWS applications and resources end-to-end and enables secure operations at scale. To manage your Amazon EC2 instances with AWS Systems Manager, see Setting up Systems Manager for Amazon EC2 instances in the AWS Systems Manager User Guide.
- The following table shows the new GuardDuty managed AWS Systems Manager documents:

  Document name | Document type | Purpose
  AmazonGuardDuty-RuntimeMonitoringSsmPlugin | Distributor | Packages the GuardDuty security agent.
  AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin | Command | Runs the installation or uninstallation script that installs or removes the GuardDuty security agent.

  For more information about AWS Systems Manager, see Amazon EC2 Systems Manager Documents in the AWS Systems Manager User Guide.
The Amazon Machine Images (AMIs) for Debian Server provided by AWS require you to install the AWS Systems Manager agent (SSM agent). You will need to perform an additional step to install the SSM agent to make your Amazon EC2 Debian Server instances SSM managed. For information about the steps that you need to take, see Manually installing SSM agent on Debian Server instances in the AWS Systems Manager User Guide.
Method 2 - Using Linux Package Managers

With this method, you can install the GuardDuty security agent by running RPM scripts or Debian scripts. Based on the operating system, you can choose a preferred method:

- Use RPM scripts to install the security agent on the OS distributions AL2, AL2023, RedHat, CentOS, or Fedora.
- Use Debian scripts to install the security agent on the OS distributions Ubuntu or Debian. For information about supported Ubuntu and Debian OS distributions, see Validating architectural requirements.
RPM installation

- We recommend verifying the GuardDuty security agent RPM signature before installing it on your machine.

  Verify the GuardDuty security agent RPM signature

  - Prepare the template

    Prepare the commands with the appropriate public key, the signature of the x86_64 RPM, the signature of the arm64 RPM, and the corresponding access link to the RPM scripts hosted in Amazon S3 buckets. Replace the value of the AWS Region, AWS account ID, and GuardDuty agent version to access the RPM scripts.

    - Public key:
      s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem
    - GuardDuty security agent RPM signature:
      - Signature of x86_64 RPM
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig
      - Signature of arm64 RPM
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig
    - Access links to the RPM scripts in the Amazon S3 bucket:
      - Access link for x86_64 RPM
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm
      - Access link for arm64 RPM
        s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.rpm
    The following table lists the AWS account ID that hosts the artifacts in each AWS Region:

    AWS Region | Region name | AWS account ID
    eu-west-1 | Europe (Ireland) | 694911143906
    us-east-1 | US East (N. Virginia) | 593207742271
    us-west-2 | US West (Oregon) | 733349766148
    eu-west-3 | Europe (Paris) | 665651866788
    us-east-2 | US East (Ohio) | 307168627858
    eu-central-1 | Europe (Frankfurt) | 323658145986
    ap-northeast-2 | Asia Pacific (Seoul) | 914738172881
    eu-north-1 | Europe (Stockholm) | 591436053604
    ap-east-1 | Asia Pacific (Hong Kong) | 258348409381
    me-south-1 | Middle East (Bahrain) | 536382113932
    eu-west-2 | Europe (London) | 892757235363
    ap-northeast-1 | Asia Pacific (Tokyo) | 533107202818
    ap-southeast-1 | Asia Pacific (Singapore) | 174946120834
    ap-south-1 | Asia Pacific (Mumbai) | 251508486986
    ap-southeast-3 | Asia Pacific (Jakarta) | 510637619217
    sa-east-1 | South America (São Paulo) | 758426053663
    ap-northeast-3 | Asia Pacific (Osaka) | 273192626886
    eu-south-1 | Europe (Milan) | 266869475730
    af-south-1 | Africa (Cape Town) | 197869348890
    ap-southeast-2 | Asia Pacific (Sydney) | 005257825471
    me-central-1 | Middle East (UAE) | 000014521398
    us-west-1 | US West (N. California) | 684579721401
    ca-central-1 | Canada (Central) | 354763396469
    ca-west-1 | Canada West (Calgary) | 339712888787
    ap-south-2 | Asia Pacific (Hyderabad) | 950823858135
    eu-south-2 | Europe (Spain) | 919611009337
    eu-central-2 | Europe (Zurich) | 529164026651
    ap-southeast-4 | Asia Pacific (Melbourne) | 251357961535
    il-central-1 | Israel (Tel Aviv) | 870907303882
  - Download the template

    In the following commands, which download the appropriate public key, the signature of the x86_64 RPM, the signature of the arm64 RPM, and the corresponding RPM scripts hosted in Amazon S3 buckets, make sure to replace the account ID with the appropriate AWS account ID and the Region with your current Region.

    aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.rpm ./amazon-guardduty-agent-1.6.0.x86_64.rpm
    aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/x86_64/amazon-guardduty-agent-1.6.0.x86_64.sig ./amazon-guardduty-agent-1.6.0.x86_64.sig
    aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-rpm-artifacts/1.6.0/publickey.pem ./publickey.pem

  - Import the public key

    Use the following command to import the public key to the database:

    gpg --import publickey.pem

    gpg shows that the import succeeded:

    gpg: key 093FF49D: public key "AwsGuardDuty" imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

  - Verify the signature

    Use the following command to verify the signature:

    gpg --verify amazon-guardduty-agent-1.6.0.x86_64.sig amazon-guardduty-agent-1.6.0.x86_64.rpm

    If verification passes, you will see a message similar to the result below. You can now proceed to install the GuardDuty security agent using RPM.

    Example output:

    gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
    gpg: Good signature from "AwsGuardDuty"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 7478 91EF 5378 1334 4456 7603 06C9 06A7 093F F49D

    If verification fails, it means the signature on the RPM has potentially been tampered with. You must remove the public key from the database and retry the verification process.

    Example:

    gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
    gpg: BAD signature from "AwsGuardDuty"

    Use the following command to remove the public key from the database:

    gpg --delete-keys AwsGuardDuty

    Now, try the verification process again.

- Connect with SSH from Linux or macOS.
- Install the GuardDuty security agent by using the following command:

  sudo rpm -ivh amazon-guardduty-agent-1.6.0.x86_64.rpm

- Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.
Debian installation

- We recommend verifying the GuardDuty security agent Debian signature before installing it on your machine.

  Verify the GuardDuty security agent Debian signature

  - Prepare templates for the appropriate public key, the signature of the amd64 Debian package, the signature of the arm64 Debian package, and the corresponding access link to the Debian scripts hosted in Amazon S3 buckets.

    In the following templates, replace the value of the AWS Region, AWS account ID, and GuardDuty agent version to access the Debian package scripts.

    - Public key:
      s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/publickey.pem
    - GuardDuty security agent Debian signature:
      - Signature of amd64
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.sig
      - Signature of arm64
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.sig
    - Access links to the Debian scripts in the Amazon S3 bucket:
      - Access link for amd64
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.deb
      - Access link for arm64
        s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/arm64/amazon-guardduty-agent-1.6.0.arm64.deb
    The AWS Region, Region name, and AWS account ID values are the same as in the table under RPM installation above.
  - Download the appropriate public key, the signature of amd64, the signature of arm64, and the corresponding Debian scripts hosted in Amazon S3 buckets.

    In the following commands, replace the account ID with the appropriate AWS account ID, and the Region with your current Region.

    aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.deb ./amazon-guardduty-agent-1.6.0.amd64.deb
    aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/amd64/amazon-guardduty-agent-1.6.0.amd64.sig ./amazon-guardduty-agent-1.6.0.amd64.sig
    aws s3 cp s3://694911143906-eu-west-1-guardduty-agent-deb-artifacts/1.6.0/publickey.pem ./publickey.pem

  - Import the public key to the database

    gpg --import publickey.pem

    gpg shows that the import succeeded:

    gpg: key 093FF49D: public key "AwsGuardDuty" imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

  - Verify the signature

    gpg --verify amazon-guardduty-agent-1.6.0.amd64.sig amazon-guardduty-agent-1.6.0.amd64.deb

    After a successful verification, you will see a message similar to the following result:

    Example output:

    gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
    gpg: Good signature from "AwsGuardDuty"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 7478 91EF 5378 1334 4456 7603 06C9 06A7 093F F49D

    You can now proceed to install the GuardDuty security agent using Debian.

    However, if verification fails, it means the signature on the Debian package has potentially been tampered with.

    Example:

    gpg: Signature made Fri 17 Nov 2023 07:58:11 PM UTC using ? key ID 093FF49D
    gpg: BAD signature from "AwsGuardDuty"

    Use the following command to remove the public key from the database:

    gpg --delete-keys AwsGuardDuty

    Now, retry the verification process.

- Connect with SSH from Linux or macOS.
- Install the GuardDuty security agent by using the following command:

  sudo dpkg -i amazon-guardduty-agent-1.6.0.amd64.deb

- Validate if the GuardDuty agent installation is healthy. For more information about the steps, see Validating GuardDuty security agent installation status.
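The RPM and Debian procedures above have the same shape: fetch the public key, the package, and its detached signature from the Region's artifact bucket, import the key, verify, and only then install. The following script is an added example, not AWS's own tooling or part of the GuardDuty documentation, that wires those steps together for both package types. It takes its account IDs and S3 path layout from the table and paths above. It also goes one step beyond the text: because gpg prints "Good signature" (with the "not certified" warning shown above) for any key that happens to be in the keyring, the script reads gpg's machine-readable status output (the --status-fd option) and installs only when the VALIDSIG line carries the primary key fingerprint from the example output. The function names, argument order, and local file names are this example's own assumptions; it assumes the aws CLI, gpg, and rpm or dpkg are present on the instance, and it needs the same S3 access as the documented aws s3 cp commands.

```shell
#!/bin/sh
# Added example script (not AWS's own tooling): download, verify, and install
# the GuardDuty security agent package for one Region. It refuses to install
# unless gpg reports a valid signature made by the key whose fingerprint is
# shown in the documentation's "Good signature" example output.
set -eu

# Primary key fingerprint from the example output above, spaces removed.
EXPECTED_FPR=747891EF537813344456760306C906A7093FF49D

# AWS account ID that owns the artifact bucket in each Region (table above).
account_for_region() {
  case "$1" in
    eu-west-1)      echo 694911143906 ;;
    us-east-1)      echo 593207742271 ;;
    us-west-2)      echo 733349766148 ;;
    eu-west-3)      echo 665651866788 ;;
    us-east-2)      echo 307168627858 ;;
    eu-central-1)   echo 323658145986 ;;
    ap-northeast-2) echo 914738172881 ;;
    eu-north-1)     echo 591436053604 ;;
    ap-east-1)      echo 258348409381 ;;
    me-south-1)     echo 536382113932 ;;
    eu-west-2)      echo 892757235363 ;;
    ap-northeast-1) echo 533107202818 ;;
    ap-southeast-1) echo 174946120834 ;;
    ap-south-1)     echo 251508486986 ;;
    ap-southeast-3) echo 510637619217 ;;
    sa-east-1)      echo 758426053663 ;;
    ap-northeast-3) echo 273192626886 ;;
    eu-south-1)     echo 266869475730 ;;
    af-south-1)     echo 197869348890 ;;
    ap-southeast-2) echo 005257825471 ;;
    me-central-1)   echo 000014521398 ;;
    us-west-1)      echo 684579721401 ;;
    ca-central-1)   echo 354763396469 ;;
    ca-west-1)      echo 339712888787 ;;
    ap-south-2)     echo 950823858135 ;;
    eu-south-2)     echo 919611009337 ;;
    eu-central-2)   echo 529164026651 ;;
    ap-southeast-4) echo 251357961535 ;;
    il-central-1)   echo 870907303882 ;;
    *) echo "unsupported Region: $1" >&2; return 1 ;;
  esac
}

# S3 URL of one artifact: region, rpm|deb, version, arch (x86_64/arm64 for
# rpm, amd64/arm64 for deb), and kind (publickey, pkg, or sig).
artifact_url() {
  acct=$(account_for_region "$1") || return 1
  bucket="s3://${acct}-${1}-guardduty-agent-${2}-artifacts/${3}"
  case "$5" in
    publickey) echo "${bucket}/publickey.pem" ;;
    pkg) echo "${bucket}/${4}/amazon-guardduty-agent-${3}.${4}.${2}" ;;
    sig) echo "${bucket}/${4}/amazon-guardduty-agent-${3}.${4}.sig" ;;
    *) echo "unknown artifact kind: $5" >&2; return 1 ;;
  esac
}

# Reads gpg --status-fd output on stdin; succeeds only on a VALIDSIG line whose
# signing-key or primary-key fingerprint equals the expected one ($1).
signature_ok() {
  ok=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG $1 "*|"[GNUPG:] VALIDSIG "*" $1") ok=0 ;;
    esac
  done
  return $ok
}

# verify_and_install <region> <rpm|deb> <version> <arch>
verify_and_install() {
  pkgfile="amazon-guardduty-agent-${3}.${4}.${2}"
  sigfile="amazon-guardduty-agent-${3}.${4}.sig"
  aws s3 cp "$(artifact_url "$1" "$2" "$3" "$4" publickey)" ./publickey.pem
  aws s3 cp "$(artifact_url "$1" "$2" "$3" "$4" pkg)" "./$pkgfile"
  aws s3 cp "$(artifact_url "$1" "$2" "$3" "$4" sig)" "./$sigfile"
  gpg --import publickey.pem
  # --status-fd 1 puts machine-readable VALIDSIG/BADSIG lines on stdout.
  status=$(gpg --status-fd 1 --verify "$sigfile" "$pkgfile" 2>/dev/null || true)
  if ! printf '%s\n' "$status" | signature_ok "$EXPECTED_FPR"; then
    echo "signature check FAILED for $pkgfile; not installing" >&2
    return 1
  fi
  case "$2" in
    rpm) sudo rpm -ivh "./$pkgfile" ;;
    deb) sudo dpkg -i "./$pkgfile" ;;
  esac
  sudo systemctl status amazon-guardduty-agent --no-pager
}

# Usage: sh install-guardduty-agent.sh eu-west-1 rpm 1.6.0 x86_64
if [ $# -eq 4 ]; then verify_and_install "$@"; fi
```

Run it on the instance as `sh install-guardduty-agent.sh eu-west-1 rpm 1.6.0 x86_64` or `sh install-guardduty-agent.sh eu-west-1 deb 1.6.0 amd64`, substituting your Region and the agent version you want. A BAD signature, a missing VALIDSIG line, or a VALIDSIG from a different key all stop the script before rpm or dpkg runs, which is the property the documented gpg --verify step is meant to give you; the account_for_region, artifact_url, and signature_ok functions need no network access and can be exercised on their own.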
Out of memory error

If you experience an out-of-memory error while installing or updating the GuardDuty security agent for Amazon EC2 manually, see Troubleshooting out of memory error.
Validating GuardDuty security agent installation status

After you have performed the steps to install the GuardDuty security agent, use the following steps to validate the status of the agent:

To validate if the GuardDuty security agent is healthy

- Connect with SSH from Linux or macOS.
- Run the following command to check the status of the GuardDuty security agent:

  sudo systemctl status amazon-guardduty-agent

If you want to view the security agent installation logs, they are available under /var/log/amzn-guardduty-agent/.

To view the logs, run sudo journalctl -u amazon-guardduty-agent.