Coverage for Amazon EKS clusters
After you enable Runtime Monitoring and install the GuardDuty security agent (add-on) for EKS either manually or through automated agent configuration, you can start assessing the coverage for your EKS clusters.
Reviewing coverage statistics
The coverage statistic for the EKS clusters associated with your own account or your member accounts is the percentage of healthy EKS clusters among all EKS clusters in the selected AWS Region. The following equation represents this:
(Healthy clusters / All clusters) * 100
Choose one of the access methods to review the coverage statistics for your accounts.
If the coverage status of your EKS cluster is Unhealthy, see Troubleshooting EKS coverage issues.
Configuring coverage status change notifications
The coverage status of an EKS cluster in your account may show up as Unhealthy. To detect when the coverage status becomes Unhealthy, we recommend that you monitor the coverage status periodically and troubleshoot if the status is Unhealthy. Alternatively, you can create an Amazon EventBridge rule to notify you when the coverage status changes from Unhealthy to Healthy or from Healthy to Unhealthy. By default, GuardDuty publishes this event to the EventBridge bus for your account.
Sample notification schema
In an EventBridge rule, you can use the pre-defined sample events and event patterns to receive coverage status notifications. For more information about creating an EventBridge rule, see Create rule in the Amazon EventBridge User Guide.
Additionally, you can create a custom event pattern by using the following example notification schema. Make sure to replace the values for your account. To get notified when the coverage status of your Amazon EKS cluster changes from Healthy to Unhealthy, the detail-type should be GuardDuty Runtime Protection Unhealthy. To get notified when the coverage status changes from Unhealthy to Healthy, replace the value of detail-type with GuardDuty Runtime Protection Healthy.
{
  "version": "0",
  "id": "event ID",
  "detail-type": "GuardDuty Runtime Protection Unhealthy",
  "source": "aws.guardduty",
  "account": "AWS account ID",
  "time": "event timestamp (string)",
  "region": "AWS Region",
  "resources": [ ],
  "detail": {
    "schemaVersion": "1.0",
    "resourceAccountId": "string",
    "currentStatus": "string",
    "previousStatus": "string",
    "resourceDetails": {
      "resourceType": "EKS",
      "eksClusterDetails": {
        "clusterName": "string",
        "availableNodes": "string",
        "desiredNodes": "string",
        "addonVersion": "string"
      }
    },
    "issue": "string",
    "lastUpdatedAt": "timestamp"
  }
}
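The following is an added example, not code from the GuardDuty documentation or from AWS. It builds constructed sample events that follow the notification schema above, expresses the detail-type and source selection as an EventBridge-style event pattern, and applies that pattern with a small exact-match matcher so you can confirm which events a rule would accept before you deploy it. The account ID, event ID, timestamps, add-on version and cluster name are placeholders, and the upper-case status strings are an assumption about the CoverageStatus values.

```python
"""Added example (not AWS code): match GuardDuty Runtime Monitoring coverage
status events the way an EventBridge rule would, and summarize them."""

# Event pattern for both coverage-status transitions, written in the
# EventBridge pattern language: each leaf is a list of accepted values.
COVERAGE_STATUS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": [
        "GuardDuty Runtime Protection Unhealthy",
        "GuardDuty Runtime Protection Healthy",
    ],
    "detail": {"resourceDetails": {"resourceType": ["EKS"]}},
}


def matches(pattern, event):
    """Return True when event satisfies pattern.

    Only exact-match semantics are implemented: a list means 'any of these
    values', a nested dict means 'descend into this object'. A field in the
    pattern that is absent from the event never matches.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def make_event(detail_type, current_status, previous_status, issue=""):
    """Construct a sample event that follows the notification schema.
    Account ID, event ID, timestamps and add-on version are placeholders."""
    return {
        "version": "0",
        "id": "EXAMPLE-EVENT-ID",
        "detail-type": detail_type,
        "source": "aws.guardduty",
        "account": "111122223333",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "schemaVersion": "1.0",
            "resourceAccountId": "111122223333",
            "currentStatus": current_status,
            "previousStatus": previous_status,
            "resourceDetails": {
                "resourceType": "EKS",
                "eksClusterDetails": {
                    "clusterName": "example-cluster",
                    "availableNodes": "2",
                    "desiredNodes": "3",
                    "addonVersion": "ADDON-VERSION-PLACEHOLDER",
                },
            },
            "issue": issue,
            "lastUpdatedAt": "2024-01-01T00:00:00Z",
        },
    }


def summarize(event):
    """One-line alert text for a matching coverage-status event."""
    detail = event["detail"]
    eks = detail["resourceDetails"]["eksClusterDetails"]
    return (
        f"{eks['clusterName']} ({event['account']}/{event['region']}): "
        f"{detail['previousStatus']} -> {detail['currentStatus']}; "
        f"nodes {eks['availableNodes']}/{eks['desiredNodes']}; "
        f"issue: {detail['issue'] or 'none'}"
    )


# Status strings are assumed to be the upper-case CoverageStatus values.
UNHEALTHY_EVENT = make_event(
    "GuardDuty Runtime Protection Unhealthy", "UNHEALTHY", "HEALTHY",
    "Local EKS clusters:EKS addons are not supported on local outpost clusters.",
)
HEALTHY_EVENT = make_event(
    "GuardDuty Runtime Protection Healthy", "HEALTHY", "UNHEALTHY"
)
# A GuardDuty finding from the same source must not trigger the coverage rule.
FINDING_EVENT = {**UNHEALTHY_EVENT, "detail-type": "GuardDuty Finding"}


def route(event):
    """Return the alert line for events the rule accepts, None otherwise."""
    return summarize(event) if matches(COVERAGE_STATUS_PATTERN, event) else None


if __name__ == "__main__":
    for evt in (UNHEALTHY_EVENT, HEALTHY_EVENT, FINDING_EVENT):
        print(route(evt))
```

The pattern keeps the source and detail-type filters narrow on purpose: a rule that matches only on source would also fire for every GuardDuty finding, so the finding event in the sample set is there to show that the coverage rule ignores it.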
Troubleshooting EKS coverage issues
If the coverage status for your EKS cluster is Unhealthy, you can view the corresponding error either under the Issue column in the GuardDuty console, or by using the CoverageResource data type.
When working with inclusion or exclusion tags for monitoring your EKS clusters selectively, it may take some time for the tags to sync. This may impact the coverage status of the associated EKS cluster. You can try removing and adding the corresponding tag (inclusion or exclusion) again. For more information, see Tagging your Amazon EKS resources in the Amazon EKS User Guide.
The structure of a coverage issue is Issue type:Extra information. Typically, an issue has optional Extra information that may include a specific client-side exception or a description of the issue. Based on the Extra information, the following tables provide the recommended steps to troubleshoot the coverage issues for your EKS clusters.
Issue type (prefix) | Extra information | Recommended troubleshooting steps
---|---|---
Addon Creation Failed | Addon | Make sure that you're using one of those Kubernetes versions that support deploying the
Addon Creation Failed; Addon Updation Failed; Addon Status Unhealthy | EKS Addon issue - | For information about recommended steps for a specific add-on issue code, see Troubleshooting steps for Addon creation/update error with Addon issue code. For a list of add-on issue codes that you might experience in this issue, see AddonIssue.
VPC Endpoint Creation Failed | VPC endpoint creation not supported for shared VPC | Runtime Monitoring now supports the use of a shared VPC within an organization. Make sure your accounts meet all the prerequisites. For more information, see Prerequisites for using shared VPC.
VPC Endpoint Creation Failed (only when using shared VPC with automated agent configuration) | Owner account ID | The shared VPC owner account must enable Runtime Monitoring and automated agent configuration for at least one resource type (Amazon EKS or Amazon ECS (AWS Fargate)). For more information, see Prerequisites specific to GuardDuty Runtime Monitoring.
VPC Endpoint Creation Failed | Enabling private DNS requires both | Ensure that the following VPC attributes are set to If you're using Amazon VPC Console at https://console.aws.amazon.com/vpc/
Shared VPC Endpoint Deletion Failed | Shared VPC endpoint deletion not allowed for account ID | Potential steps:
Local EKS clusters | EKS addons are not supported on local outpost clusters. | Not actionable. For more information, see Amazon EKS on AWS Outposts.
EKS Runtime Monitoring enablement permission not granted | (may or may not show extra information) |
EKS Runtime Monitoring enablement resource provisioning in progress | (may or may not show extra information) | Not actionable. After you enable EKS Runtime Monitoring, the coverage status might remain
Others (any other issue) | Error due to authorization failure | Toggle EKS Runtime Monitoring to turn it off and then turn it on again. Ensure that the GuardDuty agent also gets deployed, either automatically through GuardDuty or manually.
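The following is an added example, not code from the GuardDuty documentation or from AWS. It parses the Issue type:Extra information string described above, splitting only on the first colon so that a client-side exception in the extra information can itself contain colons, and maps the issue type to the rows of the troubleshooting table, flagging the rows the table marks "Not actionable" so that a batch of Unhealthy clusters can be sorted into ones that need work and ones that only need waiting. The sample issue strings are constructed from the table text; the row hints are short paraphrases of the table cells, and the one unknown issue type is a made-up value used to exercise the "Others" row.

```python
"""Added example (not AWS code): parse GuardDuty EKS coverage issue strings
('Issue type:Extra information') and route them to the troubleshooting table."""

# Rows of the table above, keyed by issue-type prefix: (actionable, hint).
# actionable is False where the table says "Not actionable"; hint is None
# where the table gives no steps for that row.
TABLE_ROWS = {
    "Addon Creation Failed": (True, "check the Kubernetes version or the add-on issue code"),
    "Addon Updation Failed": (True, "check the add-on issue code"),
    "Addon Status Unhealthy": (True, "check the add-on issue code"),
    "VPC Endpoint Creation Failed": (True, "check the VPC endpoint prerequisites"),
    "Shared VPC Endpoint Deletion Failed": (True, None),
    "Local EKS clusters": (False, "EKS add-ons are not supported on local Outposts clusters"),
    "EKS Runtime Monitoring enablement permission not granted": (True, None),
    "EKS Runtime Monitoring enablement resource provisioning in progress":
        (False, "wait; the status may remain unchanged for a while after enablement"),
}
OTHERS_ROW = "Others (any other issue)"
OTHERS_HINT = "turn EKS Runtime Monitoring off and on again, and confirm the agent is deployed"

# The 'VPC Endpoint Creation Failed' row is split by its extra information;
# match case-insensitively on the distinctive fragment of each sub-row.
VPC_ENDPOINT_HINTS = (
    ("not supported for shared vpc", "see Prerequisites for using shared VPC"),
    ("owner account id", "the shared VPC owner account must enable Runtime Monitoring "
                         "and automated agent configuration"),
    ("enabling private dns requires both", "set the required VPC DNS attributes"),
)


def parse_issue(issue):
    """Split on the first ':' only. Extra information is optional and may
    itself contain ':' (for example a client-side exception message)."""
    issue_type, _sep, extra = (issue or "").partition(":")
    return issue_type.strip(), extra.strip()


def classify_issue(issue):
    """Look up the table row for one issue string."""
    issue_type, extra = parse_issue(issue)
    if issue_type in TABLE_ROWS:
        row, (actionable, hint) = issue_type, TABLE_ROWS[issue_type]
    else:
        row, actionable, hint = OTHERS_ROW, True, OTHERS_HINT
    if issue_type == "VPC Endpoint Creation Failed":
        lowered = extra.lower()
        for needle, sub_hint in VPC_ENDPOINT_HINTS:
            if needle in lowered:
                hint = sub_hint
                break
    return {
        "row": row,
        "issue_type": issue_type,
        "extra_information": extra,
        "actionable": actionable,
        "hint": hint,
    }


def triage(coverage_issues):
    """Sort (cluster_name, issue) pairs into actionable and waiting lists,
    preserving input order within each list."""
    actionable, waiting = [], []
    for cluster, issue in coverage_issues:
        result = classify_issue(issue)
        bucket = actionable if result["actionable"] else waiting
        bucket.append((cluster, result["row"]))
    return actionable, waiting


# Constructed sample issues; 'Constructed issue type' is a made-up prefix and
# EXAMPLE_ISSUE_CODE is a placeholder for a real add-on issue code.
SAMPLE_ISSUES = [
    ("cluster-a", "Local EKS clusters:EKS addons are not supported on local outpost clusters."),
    ("cluster-b", "VPC Endpoint Creation Failed:VPC endpoint creation not supported for shared VPC"),
    ("cluster-c", "EKS Runtime Monitoring enablement resource provisioning in progress"),
    ("cluster-d", "Addon Status Unhealthy:EKS Addon issue - EXAMPLE_ISSUE_CODE"),
    ("cluster-e", "Constructed issue type:Error due to authorization failure"),
]

if __name__ == "__main__":
    act, wait = triage(SAMPLE_ISSUES)
    print("actionable:", act)
    print("waiting:", wait)
```

The two-way split is the useful part for an operator: "Local EKS clusters" and "provisioning in progress" are reported as Unhealthy but need no work, so a dashboard that counts every Unhealthy cluster as a ticket will overstate the backlog.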
Addon creation or update error | Troubleshooting steps
---|---
EKS Addon Issue - | Using the issue message, you can identify and fix the root cause. You can start by describing your cluster. For example, use After you fix the root cause, retry the step (add-on creation or update).
EKS Addon Issue - |
EKS Addon Issue - | When creating or updating the Addon, provide the You can first delete the Addon and then reinstall.
EKS Addon Issue - | You must add the missing permission to the You can now apply this
EKS Addon Issue - | You must either disable the controller or have the controller accept the requests from the Amazon EKS cluster. Prior to creating or updating the add-on, you can also create a GuardDuty namespace and label it as