How it works - Amazon GuardDuty

How it works

To use Runtime Monitoring, you must enable Runtime Monitoring and then manage the GuardDuty security agent. The following list explains this two-step process:

  1. Enable Runtime Monitoring for your account so that GuardDuty can accept the runtime events that it receives from your Amazon EC2 instances, Amazon ECS clusters, and Amazon EKS workloads.

  2. Manage GuardDuty agent for the individual resources for which you want to monitor the runtime behavior. Based on the resource type, you can choose to deploy the GuardDuty security agent either manually or by allowing GuardDuty to manage it on your behalf, called automated agent configuration.

    GuardDuty uses Instance identity roles that authenticates the security agent for each resource type to send the associated runtime events to the VPC endpoint.


GuardDuty doesn't make the runtime events accessible to you.

When you manage the security agent (either manually or through GuardDuty) in EKS Runtime Monitoring or Runtime Monitoring for EC2 instances, and GuardDuty is presently deployed on an Amazon EC2 instance and receives the Collected runtime event types from this instance, GuardDuty will not charge your AWS account for the analysis of VPC flow logs from this Amazon EC2 instance. This helps GuardDuty avoid double usage cost in the account.

The following topics explain how enabling Runtime Monitoring and managing GuardDuty security agent works differently for each resource type.