Turning on Runtime Monitoring for Amazon ECS
You can turn on Runtime Monitoring for clusters with EC2 instances, or when you need granular control of Runtime Monitoring at the cluster-level on Fargate.
The following are prerequisites for using Runtime Monitoring:
-
The Fargate platform version must be
1.4.0
or later for Linux. IAM roles and permissions for Amazon ECS:
-
Fargate tasks must use a task execution role. This role grants the tasks permission to retrieve, update, and manage the GuardDuty security agent on your behalf. For more information see Amazon ECS task execution IAM role.
-
You control Runtime Monitoring for a cluster with a pre-defined tag. If your access policies restrict access based on tags, you must grant explicit permissions to your IAM users to tag clusters. For more information, see IAM tutorial: Define permissions to access AWS resources based on tags in the IAM User Guide.
-
-
Connecting to the Amazon ECR repository:
The GuardDuty security agent is stored in an Amazon ECR repository. Each standalone and service task must have access to the repository. You can use one of the following options:
-
For tasks in public subnets, you can either use a public IP address for the task, or create a VPC endpoint for Amazon ECR in the subnet where the task runs. For more information, see Amazon ECR interface VPC endpoints (AWS PrivateLink) in the Amazon Elastic Container Registry User Guide.
For tasks in private subnets, you can use a Network Address Translation (NAT) gateway, or create a VPC endpoint for Amazon ECR in the subnet where the task runs.
For more information, see Private subnet and NAT gateway.
-
You must have the
AWSServiceRoleForAmazonGuardDuty
role for GuardDuty. For more information, see Service-linked role permissions for GuardDuty in the Amazon GuardDuty User Guide.-
Any files that you want to protect with Runtime Monitoring must be accessible by the root user. If you manually changed the permissions of a file, you must set it to
755
.
The following are prerequisites for using Runtime Monitoring on EC2 container instances:
-
You must use version
20230929
or later of the Amazon ECS-AMI. -
You must run Amazon ECS agent to version
1.77
or later on the container instances. -
You must use kernel version
5.10
or later. -
For information about the supported Linux operating systems and architectures, see Which operating models and workloads does GuardDuty Runtime Monitoring support
. -
You can use Systems Manager to manage your container instances. For more information, see Setting up Systems Manager for EC2 instances in the AWS Systems Manager Session Manager User Guide.
You turn on Runtime Monitoring in GuardDuty. For information about how to enable the feature, see Enabling Runtime Monitoring in the Amazon GuardDuty User Guide.