Support for Amazon EKS features Validating architectural requirements Validating your organization service control policy

Prerequisites for Amazon EKS cluster support

This section includes the prerequisites for monitoring runtime behavior of your Amazon EKS resources. These prerequisites are crucial for the GuardDuty agent to function as expected. After these prerequisites are met, see Enabling GuardDuty Runtime Monitoring to start monitoring your resources.

Support for Amazon EKS features

Runtime Monitoring supports Amazon EKS clusters running on Amazon EC2 instances and Amazon EKS Auto Mode.

Runtime Monitoring doesn't support Amazon EKS clusters with Amazon EKS Hybrid Nodes, and those running on AWS Fargate.

For information about these Amazon EKS features, see What is Amazon EKS? in the Amazon EKS User Guide.

Validating architectural requirements

The platform that you use may impact how GuardDuty security agent supports GuardDuty in receiving the runtime events from your EKS clusters. You must validate that you're using one of the verified platforms. If you're managing the GuardDuty agent manually, ensure that the Kubernetes version supports the GuardDuty agent version that is currently in use.

Verified platforms

The OS distribution, kernel version, and CPU architecture affect the support provided by the GuardDuty security agent. The following table shows the verified configuration for deploying the GuardDuty security agent and configuring EKS Runtime Monitoring.

OS distribution¹	Kernel version²	Kernel support	CPU architecture		Supported Kubernetes version
OS distribution¹	Kernel version²	Kernel support	x64 (AMD64)	Graviton (ARM64) (Graviton2 and above)³	Supported Kubernetes version
Bottlerocket	eBPF Tracepoints, Kprobe	Supported	Supported	5.4, 5.10, 5.15, 6.1⁴	v1.23 - v1.32
Ubuntu					v1.21 - v1.32
AL2
AL2023⁵
RedHat 9.4				5.14
Fedora 34.0				5.11, 5.17
CentOS Stream 9				5.14

Support for various operating systems - GuardDuty has verified the support for using Runtime Monitoring on the operating systems that are listed in the preceding table. If you use a different operating system and are able to install the security agent successfully, you might get all the expected security value that GuardDuty has been verified to provide with the listed OS distribution.
For any kernel version, you must set the CONFIG_DEBUG_INFO_BTF flag to y (meaning true). This is required so that the GuardDuty security agent can run as expected.
Runtime Monitoring for Amazon EKS clusters doesn't support the first generation Graviton instance such as A1 instance types.
Presently, with Kernel version 6.1, GuardDuty can't generate GuardDuty Runtime Monitoring finding types that are related to Domain Name System (DNS) events.
Runtime Monitoring supports AL2023 with the release of the GuardDuty security agent v1.6.0 and above. For more information, see GuardDuty security agent versions for Amazon EKS clusters.

Kubernetes versions supported by GuardDuty security agent

The following table shows the Kubernetes versions for your EKS clusters that are supported by GuardDuty security agent.

Amazon EKS add-on GuardDuty security agent version	Kubernetes version
v1.9.0 (latest - v1.9.0-eksbuild.2) v1.8.1 (latest - v1.8.1-eksbuild.2)	1.21 - 1.32
v1.7.0 v1.6.1	1.21 - 1.31
v1.7.1 v1.7.0 v1.6.1	1.21 - 1.31

v1.6.0 v1.5.0 v1.4.1 v1.4.0 v1.3.1	1.21 - 1.29

v1.3.0 v1.2.0	1.21 - 1.28

v1.1.0	1.21 - 1.26

v1.0.0	1.21 - 1.25

Some of the GuardDuty security agent versions will reach end of standard support. For information about the agent release versions, see GuardDuty security agent versions for Amazon EKS clusters.

CPU and memory limits

The following table shows the CPU and memory limits for the Amazon EKS add-on for GuardDuty (aws-guardduty-agent).

Parameter	Minimum limit	Maximum limit
CPU	200m	1000m
Memory	256 Mi	1024 Mi

When you use Amazon EKS add-on version 1.5.0 or above, GuardDuty provides the capability to configure the add-on schema for your CPU and memory values. For information about the configurable range, see Configurable parameters and values.

After you enable EKS Runtime Monitoring and assess the coverage status of your EKS clusters, you can set up and view the container insight metrics. For more information, see Setting up CPU and memory monitoring.

Validating your organization service control policy

If you have set up a service control policy (SCP) to manage permissions in your organization, validate that permissions boundary is not restricting guardduty:SendSecurityTelemetry. It is required for GuardDuty to support Runtime Monitoring across different resource types.

If you are a member account, connect with the associated delegated administrator. For information about managing SCPs for your organization, see Service control policies (SCPs).

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

For Fargate (ECS only) cluster

Enabling Runtime Monitoring