EKS Runtime Monitoring
EKS Runtime Monitoring provides runtime threat detection coverage for Amazon Elastic Kubernetes Service (Amazon EKS) nodes and containers within your AWS environment. EKS Runtime Monitoring uses a GuardDuty security agent that adds runtime visibility into individual EKS workloads, for example, file access, process execution, and network connections. The GuardDuty security agent helps GuardDuty identify specific containers within your EKS clusters that are potentially compromised. It can also detect attempts to escalate privileges from an individual container to the underlying EC2 host, and the broader AWS environment. For more information, see Runtime Monitoring.
Enabling EKS Runtime Monitoring is a two-step process:
- Enable EKS Runtime Monitoring for your account so that GuardDuty can monitor the runtime events for your EKS clusters.
- For GuardDuty to monitor the runtime events, it must be able to receive them through an Amazon Elastic Kubernetes Service (Amazon EKS) add-on for GuardDuty, called the GuardDuty security agent.
Depending on which EKS clusters you want to monitor, you can choose to manage the GuardDuty security agent for either all of the EKS clusters in your account or only selected EKS clusters (by inclusion or exclusion). This lets you monitor the runtime events of your EKS clusters at either the account level or the cluster level. For more information about the approaches to manage the GuardDuty security agent, see Understanding key concepts.
After you enable EKS Runtime Monitoring and deploy the GuardDuty security agent using one of the supported approaches, we recommend that you assess the coverage status of your EKS clusters. A healthy coverage status for an EKS cluster indicates that EKS Runtime Monitoring has been enabled and that the GuardDuty security agent has been deployed and is currently running. For more information, see Assessing coverage.
Note
Presently, GuardDuty supports EKS clusters running on Amazon EC2 instances. It doesn't support EKS clusters running on AWS Fargate.
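As an added example that is not part of the AWS documentation, the following Python script builds the UpdateDetector feature payload for the two steps above and flags EKS clusters whose coverage status is not healthy from a ListCoverage-style response. The sample coverage data is constructed, and the boto3 field names (EKS_RUNTIME_MONITORING, EKS_ADDON_MANAGEMENT, CoverageStatus, EksClusterDetails) are assumed to match the GuardDuty API.

```python
"""Enable EKS Runtime Monitoring and assess per-cluster coverage (added example)."""
from typing import Dict, List

# Constructed sample shaped like the Resources list of a GuardDuty ListCoverage response.
# Assumption: key names follow the boto3 GuardDuty client; account id and ARNs are made up.
SAMPLE_COVERAGE = [
    {"ResourceId": "arn:aws:eks:us-east-1:111122223333:cluster/prod",
     "ResourceDetails": {"ResourceType": "EKS",
                         "EksClusterDetails": {"ClusterName": "prod", "CoveredNodes": 4,
                                               "CompatibleNodes": 4,
                                               "AddonDetails": {"AddonStatus": "ACTIVE"}}},
     "CoverageStatus": "HEALTHY"},
    {"ResourceId": "arn:aws:eks:us-east-1:111122223333:cluster/staging",
     "ResourceDetails": {"ResourceType": "EKS",
                         "EksClusterDetails": {"ClusterName": "staging", "CoveredNodes": 1,
                                               "CompatibleNodes": 3,
                                               "AddonDetails": {"AddonStatus": "DEGRADED"}}},
     "CoverageStatus": "UNHEALTHY", "Issue": "Add-on is degraded"},
]


def runtime_monitoring_features(manage_agent: bool) -> List[Dict]:
    """Feature list for UpdateDetector: step 1 enables EKS Runtime Monitoring; step 2
    (optional) asks GuardDuty to manage the security agent add-on for the whole account."""
    feature: Dict = {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED"}
    if manage_agent:
        feature["AdditionalConfiguration"] = [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]
    return [feature]


def unhealthy_clusters(resources: List[Dict]) -> List[Dict]:
    """Return one record per EKS cluster whose coverage is not HEALTHY, including the
    number of compatible nodes the agent is not running on and the reported issue."""
    findings = []
    for res in resources:
        details = res.get("ResourceDetails", {})
        if details.get("ResourceType") != "EKS" or res.get("CoverageStatus") == "HEALTHY":
            continue
        eks = details.get("EksClusterDetails", {})
        findings.append({
            "cluster": eks.get("ClusterName"),
            "missing_nodes": eks.get("CompatibleNodes", 0) - eks.get("CoveredNodes", 0),
            "addon_status": eks.get("AddonDetails", {}).get("AddonStatus"),
            "issue": res.get("Issue"),
        })
    return findings


if __name__ == "__main__":
    import boto3  # live call only; assumes AWS credentials and an existing detector
    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    gd.update_detector(DetectorId=detector_id, Features=runtime_monitoring_features(True))
    # ListCoverage is paginated via NextToken; a single page is shown here for brevity.
    print(unhealthy_clusters(gd.list_coverage(DetectorId=detector_id)["Resources"]))
```

Running the script against the constructed sample reports only the staging cluster, with two compatible nodes lacking the agent and a degraded add-on.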
How the 30-day free trial period works
- When you enable GuardDuty for the first time, EKS Runtime Monitoring is enabled by default and is included in the GuardDuty 30-day free trial period. For EKS Runtime Monitoring to detect threats in your EKS clusters, you must choose one of the Approaches to manage GuardDuty security agent for your EKS clusters.
- If your AWS account has already enabled GuardDuty, the 30-day free trial period for EKS Runtime Monitoring starts when you enable EKS Runtime Monitoring for the first time in your account. For EKS Runtime Monitoring to detect threats in your EKS clusters, you must choose one of the Approaches to manage GuardDuty security agent for your EKS clusters.
Note
The 30-day free trial period is independent of the deployment of the security agent on your EKS clusters.