Configuring EKS Runtime Monitoring (API only) - Amazon GuardDuty
Configuring EKS Runtime Monitoring for a standalone accountConfiguring EKS Runtime Monitoring for multiple-account environments

Configuring EKS Runtime Monitoring (API only)

Before configuring EKS Runtime Monitoring in your account, make sure that you're using one of the verified platforms that supports the Kubernetes version that is presently in use. For more, see Validating architectural requirements.

GuardDuty has consolidated the console experience for EKS Runtime Monitoring into Runtime Monitoring. GuardDuty recommends Checking EKS Runtime Monitoring configuration status and Migrating from EKS Runtime Monitoring to Runtime Monitoring.

As a part of migrating to Runtime Monitoring, ensure to Disable EKS Runtime Monitoring. This is important because if you later choose to disable Runtime Monitoring and you do not disable EKS Runtime Monitoring, you will continue incurring usage cost for EKS Runtime Monitoring.

Configuring EKS Runtime Monitoring for a standalone account

For the accounts associated with AWS Organizations, see Configuring EKS Runtime Monitoring for multiple-account environments.

Choose your preferred access method to enable EKS Runtime Monitoring for your account.

API/CLI

Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

  1. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

  2. Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] ]'

Manage the security agent manually

  1. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Configuring EKS Runtime Monitoring for multiple-account environments

In a multiple-account environments, only the delegated GuardDuty administrator account can enable or disable EKS Runtime Monitoring for the member accounts, and manage GuardDuty agent management for the EKS clusters belonging to the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account account manages their member accounts using AWS Organizations. For more information about multi-account environments, see Managing multiple accounts.

Choose your preferred access method to enable EKS Runtime Monitoring and manage the GuardDuty security agent for the EKS clusters that belong to the delegated GuardDuty administrator account.

API/CLI

Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] ]'

Manage the security agent manually

  1. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Choose your preferred access method to enable EKS Runtime Monitoring for all member accounts. This includes the delegated GuardDuty administrator account, existing member accounts, and the new accounts that join the organization. Choose your preferred approach to manage GuardDuty security agent for the EKS clusters that belong to these member accounts.

API/CLI

Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] ]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] } ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

Choose your preferred access method to enable EKS Runtime Monitoring and manage GuardDuty security agent for existing active member accounts in your organization.

API/CLI

Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] ]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] } ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.

The delegated GuardDuty administrator account can auto-enable EKS Runtime Monitoring and choose an approach for how to manage the GuardDuty security agent for new accounts that join your organization.

API/CLI

Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] ]'

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] ]'

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] ]'

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. To selectively enable EKS Runtime Monitoring for your new accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT for a single account. You can also pass a list of account IDs separated by a space.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --autoEnable  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NEW", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}] ]'

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
API/CLI

Based on the Approaches to manage GuardDuty security agent, you can choose a preferred approach and follow the steps as mentioned in the following table.

Preferred approach to manage GuardDuty security agent

Steps

Manage security agent through GuardDuty (Monitor all EKS clusters)

To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.

Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor all EKS clusters but exclude some of them (using exclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
  3. Note

    Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account.

    To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as ENABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] ]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Monitor selective EKS clusters (using inclusion tag)

  1. Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.

  2. To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:

    • Replace ec2:CreateTags with eks:TagResource.

    • Replace ec2:DeleteTags with eks:UntagResource.

    • Replace access-project with GuardDutyManaged

    • Replace 123456789012 with the AWS account ID of the trusted entity.

      When you have more than one trusted entities, use the following example to add multiple PrincipalArn:

      "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]

  3. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] ]'
    Note

    You can also pass a list of account IDs separated by a space.

    When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Manage the security agent manually

  1. To selectively enable EKS Runtime Monitoring for your member accounts, run the updateMemberDetectors API operation using your own detector ID.

    Set the status for EKS_ADDON_MANAGEMENT as DISABLED.

    Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API

    The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] } ]'

  2. To manage the security agent, see Managing security agent manually for Amazon EKS cluster.