Managing automated security agent for Fargate (Amazon ECS only)
Runtime Monitoring supports managing the security agent for your Amazon ECS clusters (AWS Fargate) only through GuardDuty. There is no support for managing the security agent manually on Amazon ECS clusters.

Before proceeding with the steps in this section, make sure to follow Prerequisites for AWS Fargate (Amazon ECS only) support.

Based on the Approaches to manage GuardDuty security agent in Amazon ECS-Fargate resources, choose a preferred method to enable the GuardDuty automated agent for your resources.

In a multiple-account environment, only the delegated GuardDuty administrator account can enable or disable automated agent configuration for the member accounts, and manage automated agent configuration for Amazon ECS clusters that belong to the member accounts in their organization. A GuardDuty member account can't modify this configuration. The delegated GuardDuty administrator account manages their member accounts using AWS Organizations. For more information about multi-account environments, see Managing multiple accounts in GuardDuty.
Enabling automated agent configuration for delegated GuardDuty administrator account

Manage for all Amazon ECS clusters (account level)

- If you chose Enable for all accounts for Runtime Monitoring, then you have the following options:
  - Choose Enable for all accounts in the Automated agent configuration section. GuardDuty will deploy and manage the security agent for all the Amazon ECS tasks that get launched.
  - Choose Configure accounts manually.
- If you chose Configure accounts manually in the Runtime Monitoring section, then do the following:
  - Choose Configure accounts manually in the Automated agent configuration section.
  - Choose Enable in the delegated GuardDuty administrator account (this account) section.
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)

- Add a tag to each Amazon ECS cluster that you want to exclude. The key-value pair must be GuardDutyManaged (key) and false (value).
- Prevent modification of tags, except by the trusted entities. The policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide has been modified to be applicable here.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch",
            "Effect": "Deny",
            "Action": [
                "ecs:TagResource",
                "ecs:UntagResource"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "ecs:ResourceTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "Null": {
                    "ecs:ResourceTag/GuardDutyManaged": false
                }
            }
        },
        {
            "Sid": "DenyModifyResAuthzTagIfPrinTagDontMatch",
            "Effect": "Deny",
            "Action": [
                "ecs:TagResource",
                "ecs:UntagResource"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestTag/GuardDutyManaged": "${aws:PrincipalTag/GuardDutyManaged}",
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "GuardDutyManaged"
                    ]
                }
            }
        },
        {
            "Sid": "DenyModifyTagsIfPrinTagNotExists",
            "Effect": "Deny",
            "Action": [
                "ecs:TagResource",
                "ecs:UntagResource"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/org-admins/iam-admin"
                },
                "Null": {
                    "aws:PrincipalTag/GuardDutyManaged": true
                }
            }
        }
    ]
}
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, choose Enable in the Automated agent configuration section. Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all the containers in the Amazon ECS tasks that get launched. For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
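As an added illustration (not AWS code), the following Python models the three Deny statements of the tag-protection policy above so you can check which tagging calls it blocks before attaching it as an SCP; the developer role ARN and the scenarios are constructed. One consequence worth confirming before rollout: the third statement denies every ecs:TagResource and ecs:UntagResource call from a principal that carries no GuardDutyManaged principal tag, not only changes to that tag.

```python
"""Offline evaluator for the three Deny statements of the tag-protection policy
shown above. Added example, not AWS code: it models only the condition keys the
policy uses and answers one question, "does this policy deny the call?". Real
IAM evaluation also considers every other policy that applies to the request."""
from dataclasses import dataclass, field
from typing import Optional

# Values taken from the policy on the page.
ADMIN_ARN = "arn:aws:iam::123456789012:role/org-admins/iam-admin"
TAG = "GuardDutyManaged"
# Constructed principal for the scenarios below (not from the page).
DEV_ARN = "arn:aws:iam::123456789012:role/developers/app-deployer"


@dataclass
class TagRequest:
    action: str                          # "ecs:TagResource" or "ecs:UntagResource"
    principal_arn: str                   # aws:PrincipalArn
    principal_tag: Optional[str]         # aws:PrincipalTag/GuardDutyManaged, None if absent
    resource_tag: Optional[str]          # ecs:ResourceTag/GuardDutyManaged, None if absent
    request_tags: dict = field(default_factory=dict)  # tags sent with TagResource
    untag_keys: list = field(default_factory=list)    # keys sent with UntagResource

    @property
    def tag_keys(self) -> list:
        """aws:TagKeys: the tag keys named in the request."""
        if self.action == "ecs:TagResource":
            return list(self.request_tags)
        return list(self.untag_keys)


def string_not_equals(actual: Optional[str], expected: Optional[str]) -> bool:
    """IAM negated operators match when the request key is absent. An unresolved
    ${aws:PrincipalTag/...} variable is treated the same way here (assumption;
    the third statement denies that case regardless, so the verdict is unchanged)."""
    if actual is None or expected is None:
        return True
    return actual != expected


def deny_if_resource_tag_mismatch(r: TagRequest) -> bool:
    """DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch: the cluster already carries
    GuardDutyManaged and its value differs from the caller's principal tag."""
    resource_tag_present = r.resource_tag is not None          # "Null": false
    return (resource_tag_present
            and string_not_equals(r.resource_tag, r.principal_tag)
            and r.principal_arn != ADMIN_ARN)


def deny_if_request_tag_mismatch(r: TagRequest) -> bool:
    """DenyModifyResAuthzTagIfPrinTagDontMatch: the request names the
    GuardDutyManaged key and the value being set (none, for UntagResource)
    differs from the caller's principal tag."""
    names_tag = TAG in r.tag_keys                               # ForAnyValue:StringEquals
    request_value = r.request_tags.get(TAG) if r.action == "ecs:TagResource" else None
    return (names_tag
            and string_not_equals(request_value, r.principal_tag)
            and r.principal_arn != ADMIN_ARN)


def deny_if_principal_untagged(r: TagRequest) -> bool:
    """DenyModifyTagsIfPrinTagNotExists: any caller other than the admin role
    that carries no GuardDutyManaged principal tag is denied, whatever tag it
    is trying to change."""
    return r.principal_arn != ADMIN_ARN and r.principal_tag is None


STATEMENTS = [
    ("DenyModifyTagsIfResAuthzTagAndPrinTagDontMatch", deny_if_resource_tag_mismatch),
    ("DenyModifyResAuthzTagIfPrinTagDontMatch", deny_if_request_tag_mismatch),
    ("DenyModifyTagsIfPrinTagNotExists", deny_if_principal_untagged),
]


def denying_sid(r: TagRequest) -> Optional[str]:
    """Return the Sid of the first statement that denies the call, or None if
    this policy does not deny it (other policies may still)."""
    for sid, check in STATEMENTS:
        if check(r):
            return sid
    return None


# Constructed scenarios covering the cases a reviewer of this policy should expect.
SCENARIOS = {
    "admin flips exclusion tag":
        TagRequest("ecs:TagResource", ADMIN_ARN, None, "false", {TAG: "true"}),
    "untagged developer adds an unrelated tag":
        TagRequest("ecs:TagResource", DEV_ARN, None, None, {"env": "prod"}),
    "developer removes the exclusion tag":
        TagRequest("ecs:UntagResource", DEV_ARN, "false", "false", untag_keys=[TAG]),
    "developer changes false to true":
        TagRequest("ecs:TagResource", DEV_ARN, "false", "false", {TAG: "true"}),
    "matching developer adds an unrelated tag":
        TagRequest("ecs:TagResource", DEV_ARN, "false", "false", {"env": "prod"}),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name}: {denying_sid(req) or 'not denied by this policy'}")
```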
Manage for selective (inclusion only) Amazon ECS clusters (cluster level)

- Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The key-value pair must be GuardDutyManaged (key) and true (value).
- Prevent modification of these tags, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
When using inclusion tags for your Amazon ECS clusters, you don't need to enable the GuardDuty agent through Automated agent configuration explicitly.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
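The three cluster-level rules above (account-level enablement, the GuardDutyManaged=false exclusion tag, the GuardDutyManaged=true inclusion tag) and the redeployment note are easy to get wrong across many clusters. The following Python, added here and not GuardDuty or AWS code, works them out for constructed inventory data shaped like the ecs ListTagsForResource and DescribeServices responses, and flags services whose newest deployment predates the time Runtime Monitoring was enabled.

```python
"""Decide which Amazon ECS Fargate clusters GuardDuty will deploy the runtime
agent to under the rules above (account-level setting, GuardDutyManaged=false
exclusion tag, GuardDutyManaged=true inclusion tag) and list services whose
latest deployment predates Runtime Monitoring enablement, since their tasks run
without the agent until redeployed. Added example, not GuardDuty or AWS code.
Inputs are constructed inline; in practice fill them from ecs ListTagsForResource
and DescribeServices (deployments[].createdAt)."""
from datetime import datetime, timezone

TAG = "GuardDutyManaged"


def agent_expected(account_level_enabled: bool, cluster_tags: dict) -> bool:
    """GuardDutyManaged=false opts a cluster out of account-level management;
    GuardDutyManaged=true opts it in even when account-level management is off.
    Any other value raises so a typo never silently changes coverage
    (assumption: the page documents only the exact values true and false)."""
    value = cluster_tags.get(TAG)
    if value is None:
        return account_level_enabled
    if value == "false":
        return False
    if value == "true":
        return True
    raise ValueError(f"unexpected {TAG} value {value!r}")


def services_needing_redeploy(services: list, enabled_at: datetime) -> list:
    """Return names of services whose newest deployment was created before
    Runtime Monitoring was enabled; those need a restart or an UpdateService
    call with forceNewDeployment before their tasks get the agent."""
    stale = []
    for svc in services:
        created = [d["createdAt"] for d in svc.get("deployments", [])]
        if not created or max(created) < enabled_at:
            stale.append(svc["serviceName"])
    return stale


def coverage_report(account_level_enabled: bool, clusters: list,
                    enabled_at: datetime) -> dict:
    """Per cluster: whether the agent is expected, and which services are stale.
    `clusters` items: {"clusterName", "tags": {key: value}, "services": [...]}."""
    report = {}
    for c in clusters:
        expected = agent_expected(account_level_enabled, c.get("tags", {}))
        stale = []
        if expected:
            stale = services_needing_redeploy(c.get("services", []), enabled_at)
        report[c["clusterName"]] = {"agent_expected": expected, "stale_services": stale}
    return report


# Constructed sample data (not from any real account).
ENABLED_AT = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CLUSTERS = [
    {"clusterName": "payments", "tags": {},
     "services": [{"serviceName": "api",
                   "deployments": [{"createdAt": datetime(2024, 5, 20, tzinfo=timezone.utc)}]},
                  {"serviceName": "worker",
                   "deployments": [{"createdAt": datetime(2024, 6, 2, tzinfo=timezone.utc)}]}]},
    {"clusterName": "sandbox", "tags": {TAG: "false"},
     "services": [{"serviceName": "scratch",
                   "deployments": [{"createdAt": datetime(2024, 5, 1, tzinfo=timezone.utc)}]}]},
    {"clusterName": "pci", "tags": {TAG: "true"},
     "services": [{"serviceName": "gateway",
                   "deployments": [{"createdAt": datetime(2024, 5, 30, tzinfo=timezone.utc)},
                                   {"createdAt": datetime(2024, 6, 3, tzinfo=timezone.utc)}]}]},
]

if __name__ == "__main__":
    for name, row in coverage_report(True, SAMPLE_CLUSTERS, ENABLED_AT).items():
        print(name, row)
```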
Auto-enable for all member accounts

Manage for all Amazon ECS clusters (account level)

The following steps assume that you chose Enable for all accounts in the Runtime Monitoring section.

- Choose Enable for all accounts in the Automated agent configuration section. GuardDuty will deploy and manage the security agent for all the Amazon ECS tasks that get launched.
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)

- Add a tag to each Amazon ECS cluster that you want to exclude. The key-value pair must be GuardDutyManaged (key) and false (value).
- Prevent modification of tags, except by the trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, choose Edit. Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all the containers in the Amazon ECS tasks that get launched.
- Choose Enable for all accounts in the Automated agent configuration section. For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for selective (inclusion-only) Amazon ECS clusters (cluster level)

Regardless of how you choose to enable Runtime Monitoring, the following steps will help you monitor selective Amazon ECS Fargate tasks for all of the member accounts in your organization.

- Do not enable any configuration in the Automated agent configuration section. Keep the Runtime Monitoring configuration the same as you selected in the previous step.
- Choose Save.
- Prevent modification of the inclusion tags (GuardDutyManaged with the value true) on your Amazon ECS clusters, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
When using inclusion tags for your Amazon ECS clusters, you don't need to enable GuardDuty agent auto-management explicitly.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Enabling automated agent configuration for existing active member accounts

Manage for all Amazon ECS clusters (account level)

- On the Runtime Monitoring page, under the Configuration tab, you can view the current status of Automated agent configuration.
- Within the Automated agent configuration pane, under the Active member accounts section, choose Actions.
- From Actions, choose Enable for all existing active member accounts.
- Choose Confirm.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)

- Add a tag to each Amazon ECS cluster that you want to exclude. The key-value pair must be GuardDutyManaged (key) and false (value).
- Prevent modification of tags, except by the trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, in the Automated agent configuration section, under Active member accounts, choose Actions. Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all the containers in the Amazon ECS tasks that get launched.
- From Actions, choose Enable for all active member accounts. For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.
- Choose Confirm.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for selective (inclusion only) Amazon ECS clusters (cluster level)

- Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The key-value pair must be GuardDutyManaged (key) and true (value).
- Prevent modification of these tags, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
When using inclusion tags for your Amazon ECS clusters, you don't need to enable Automated agent configuration explicitly.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Auto-enable Automated agent configuration for new members

Manage for all Amazon ECS clusters (account level)

- On the Runtime Monitoring page, choose Edit to update the existing configuration.
- In the Automated agent configuration section, select Automatically enable for new member accounts.
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)

- Add a tag to each Amazon ECS cluster that you want to exclude. The key-value pair must be GuardDutyManaged (key) and false (value).
- Prevent modification of tags, except by the trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, select Automatically enable for new member accounts in the Automated agent configuration section. Always add the exclusion tag to your Amazon ECS clusters before enabling Automated agent configuration for your account; otherwise the GuardDuty sidecar container will be attached to all the containers in the Amazon ECS tasks that get launched. For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for selective (inclusion only) Amazon ECS clusters (cluster level)

- Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The key-value pair must be GuardDutyManaged (key) and true (value).
- Prevent modification of these tags, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
When using inclusion tags for your Amazon ECS clusters, you don't need to enable Automated agent configuration explicitly.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Enabling Automated agent configuration for active member accounts selectively

Manage for all Amazon ECS clusters (account level)

- On the Accounts page, select the accounts for which you want to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate). You can select multiple accounts. Make sure that the accounts that you select in this step are already enabled with Runtime Monitoring.
- From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate).
- Choose Confirm.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for all Amazon ECS clusters but exclude some of the clusters (cluster level)

- Add a tag to each Amazon ECS cluster that you want to exclude. The key-value pair must be GuardDutyManaged (key) and false (value).
- Prevent modification of tags, except by the trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- On the Accounts page, select the accounts for which you want to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate). You can select multiple accounts. Make sure that the accounts that you select in this step are already enabled with Runtime Monitoring. Always add the exclusion tag to your Amazon ECS clusters before enabling GuardDuty agent auto-management for your account; otherwise the GuardDuty sidecar container will be attached to all the containers in the Amazon ECS tasks that get launched. For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.
- From Edit protection plans, choose the appropriate option to enable Runtime Monitoring-Automated agent configuration (ECS-Fargate).
- Choose Save.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
Manage for selective (inclusion only) Amazon ECS clusters (cluster level)

- Make sure you don't enable Automated agent configuration (or Runtime Monitoring-Automated agent configuration (ECS-Fargate)) for the selected accounts that have the Amazon ECS clusters that you want to monitor.
- Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The key-value pair must be GuardDutyManaged (key) and true (value).
- Prevent modification of these tags, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
When using inclusion tags for your Amazon ECS clusters, you don't need to enable Automated agent configuration explicitly.

When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources:
- Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- In the navigation pane, choose Runtime Monitoring.
- Under the Configuration tab, follow the procedure below that matches how you want to manage the agent.

To manage Automated agent configuration for all Amazon ECS clusters (account level)

- Choose Enable in the Automated agent configuration section for AWS Fargate (ECS only). When a new Fargate Amazon ECS task launches, GuardDuty will manage the deployment of the security agent.
- Choose Save.

To manage Automated agent configuration by excluding some of the Amazon ECS clusters (cluster level)

- Add a tag to each Amazon ECS cluster for which you want to exclude all of the tasks. The key-value pair must be GuardDutyManaged (key) and false (value).
- Prevent modification of these tags, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
- Under the Configuration tab, choose Enable in the Automated agent configuration section. Always add the exclusion tag to your Amazon ECS cluster before enabling GuardDuty agent auto-management for your account; otherwise, the security agent will be deployed in all the tasks that are launched within the corresponding Amazon ECS cluster. For the Amazon ECS clusters that have not been excluded, GuardDuty will manage the deployment of the security agent in the sidecar container.
- Choose Save.

To manage Automated agent configuration by including some of the Amazon ECS clusters (cluster level)

- Add a tag to each Amazon ECS cluster for which you want to include all of the tasks. The key-value pair must be GuardDutyManaged (key) and true (value).
- Prevent modification of these tags, except by trusted entities. Apply the same tag-protection policy that is shown in the first cluster-level procedure on this page; it is adapted from Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide.
When you want GuardDuty to monitor tasks that are part of a service, a new service deployment is required after you enable Runtime Monitoring. If the last deployment for a specific ECS service was started before you enabled Runtime Monitoring, you can either restart the service or update the service by using forceNewDeployment. For steps to update the service, see the following resources: