Managing the security agent manually for an Amazon EC2 instance
After you enable Runtime Monitoring, you need to install the GuardDuty security agent manually. Once the agent is installed, GuardDuty receives runtime events from your Amazon EC2 instances.
To manage the GuardDuty security agent, you must first create an Amazon VPC endpoint and then follow the steps to install the security agent manually.
Creating Amazon VPC endpoint manually
Before you can install the GuardDuty security agent, you must create an Amazon Virtual Private Cloud (Amazon VPC) endpoint. The agent delivers the runtime events of your Amazon EC2 instances to GuardDuty over this endpoint, so the traffic stays on the private AWS network.
Note
There is no additional cost for the usage of the VPC endpoint.
To create an Amazon VPC endpoint
- Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, under Virtual private cloud, choose Endpoints.
- Choose Create Endpoint.
- On the Create endpoint page, for Service category, choose Other endpoint services.
- For Service name, enter com.amazonaws.us-east-1.guardduty-data. Make sure to replace us-east-1 with your AWS Region. This must be the same Region as the Amazon EC2 instance that belongs to your AWS account ID.
- Choose Verify service.
- After the service name is successfully verified, choose the VPC where your instance resides. Add the following policy to restrict use of the Amazon VPC endpoint to the specified account only. Using the organization conditions listed below this policy, you can update it to widen or narrow access to your endpoint. To provide Amazon VPC endpoint support to specific account IDs in your organization, see Organization condition to restrict access to your endpoint.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow",
        "Principal": "*"
      },
      {
        "Condition": {
          "StringNotEquals": {
            "aws:PrincipalAccount": "111122223333"
          }
        },
        "Action": "*",
        "Resource": "*",
        "Effect": "Deny",
        "Principal": "*"
      }
    ]
  }

  The aws:PrincipalAccount account ID must match the account containing the VPC and VPC endpoint. Because an explicit Deny always overrides the Allow, any principal whose account does not match the condition is refused. The following list shows how to share the VPC endpoint with other AWS account IDs:
  - To allow multiple accounts to access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following block:
    "aws:PrincipalAccount": [ "666666666666", "555555555555" ]
    Make sure to replace the AWS account IDs with the account IDs of the accounts that need to access the VPC endpoint.
  - To allow all the members of an organization to access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following line:
    "aws:PrincipalOrgID": "o-abcdef0123"
    Make sure to replace o-abcdef0123 with your organization ID.
  - To restrict access to resources that belong to an organization, add aws:ResourceOrgID to the policy. For more information, see aws:ResourceOrgID in the IAM User Guide.
    "aws:ResourceOrgID": "o-abcdef0123"
- Under Additional settings, choose Enable DNS name.
- Under Subnets, choose the subnets in which your instance resides.
- Under Security groups, choose a security group that allows inbound port 443 from your VPC (or your Amazon EC2 instance). If you don't already have a security group that allows inbound port 443, see Create a security group in the Amazon EC2 User Guide.
  If restricting the inbound rule to your VPC CIDR (or instance) causes problems, you can allow inbound port 443 from any IP address (0.0.0.0/0). The endpoint's network interfaces carry private IP addresses and are reachable only from inside the VPC and from networks connected to it (VPC peering, VPN, Transit Gateway, Direct Connect), so prefer the narrower source and treat 0.0.0.0/0 as a troubleshooting fallback rather than the permanent setting.
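The endpoint policy above is easy to get subtly wrong (a single account is a string, several accounts are a list, and the Deny is what actually enforces the restriction). The following is an added example, not code from the AWS documentation: it builds the three policy variants from the procedure, evaluates them the way IAM does for this policy shape (any matching explicit Deny wins; a StringNotEquals condition on a key that is absent from the request evaluates as true), and, as an optional last step, creates the interface endpoint with boto3. The Region and organization-ID format checks are rough sanity checks of my own, not AWS validation rules; the boto3 call is boto3's documented ec2.create_vpc_endpoint API and needs credentials, so it is not exercised offline.

```python
"""Build and sanity-check a GuardDuty Runtime Monitoring VPC endpoint policy.

Added example; not part of the AWS documentation. Reproduces the
Allow-all / Deny-unless-principal-matches shape from the procedure and
evaluates it with IAM's explicit-Deny-wins rule for this narrow case.
"""
import json
import re
from typing import Iterable, Optional

ACCOUNT_RE = re.compile(r"^\d{12}$")            # 12-digit AWS account ID
ORG_RE = re.compile(r"^o-[a-z0-9]{10,32}$")     # rough organization ID check (assumption)


def service_name(region: str) -> str:
    """Endpoint service name for GuardDuty Runtime Monitoring in a Region."""
    if not re.fullmatch(r"[a-z]{2}(-gov)?-[a-z]+-\d", region):   # rough Region check (assumption)
        raise ValueError(f"not an AWS Region name: {region!r}")
    return f"com.amazonaws.{region}.guardduty-data"


def build_policy(accounts: Iterable[str] = (), org_id: Optional[str] = None) -> dict:
    """Allow everything, then Deny any principal outside the given accounts or org.

    Exactly one of `accounts` or `org_id` is used, matching the variants in the
    procedure: one account, several accounts, or a whole organization.
    """
    accounts = list(accounts)
    if bool(accounts) == bool(org_id):
        raise ValueError("give either account IDs or an organization ID")
    if org_id:
        if not ORG_RE.match(org_id):
            raise ValueError(f"malformed organization ID: {org_id!r}")
        condition = {"aws:PrincipalOrgID": org_id}
    else:
        bad = [a for a in accounts if not ACCOUNT_RE.match(a)]
        if bad:
            raise ValueError(f"malformed account IDs: {bad}")
        # A single account is written as a string, several as a list.
        condition = {"aws:PrincipalAccount": accounts[0] if len(accounts) == 1 else accounts}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"},
            {
                "Condition": {"StringNotEquals": condition},
                "Action": "*",
                "Resource": "*",
                "Effect": "Deny",
                "Principal": "*",
            },
        ],
    }


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Evaluate a StringNotEquals block against the request context.

    A missing context key makes StringNotEquals true (IAM's negated-operator rule),
    so a principal with no aws:PrincipalOrgID hits an org-based Deny.
    """
    for key, wanted in cond.get("StringNotEquals", {}).items():
        allowed = set([wanted] if isinstance(wanted, str) else wanted)
        if ctx.get(key) in allowed:
            return False  # key equals one of the listed values: StringNotEquals fails
    return True


def is_allowed(policy: dict, principal_account: str, principal_org_id: Optional[str] = None) -> bool:
    """IAM-style evaluation for this policy shape: any matching Deny wins."""
    ctx = {"aws:PrincipalAccount": principal_account,
           "aws:PrincipalOrgID": principal_org_id}
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def create_endpoint(region, vpc_id, subnet_ids, security_group_ids, policy):
    """Create the interface endpoint (needs AWS credentials; not run offline).

    Assumes boto3 is installed; the keyword arguments are boto3's documented
    ec2.create_vpc_endpoint parameters. PrivateDnsEnabled is the console's
    "Enable DNS name" setting.
    """
    import boto3  # lazy import so the policy helpers work without boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=vpc_id,
        ServiceName=service_name(region),
        SubnetIds=list(subnet_ids),
        SecurityGroupIds=list(security_group_ids),
        PrivateDnsEnabled=True,
        PolicyDocument=json.dumps(policy),
    )


if __name__ == "__main__":
    policy = build_policy(["111122223333"])
    print(json.dumps(policy, indent=2))
    print("same account allowed:", is_allowed(policy, "111122223333"))
    print("other account allowed:", is_allowed(policy, "444455556666"))
```

Run `is_allowed` against the account IDs (and, for the organization variant, the organization ID) you expect to admit and to refuse before attaching the policy; a principal that is not in any organization has no aws:PrincipalOrgID at all, and the organization variant denies it for that reason.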
Installing the security agent manually
GuardDuty provides the following two methods to install the GuardDuty security agent on your Amazon EC2 instances:
- Method 1 - By using AWS Systems Manager – This method requires your Amazon EC2 instance to be AWS Systems Manager managed.
- Method 2 - By using Linux package managers – You can use this method whether or not your Amazon EC2 instances are AWS Systems Manager managed.
To use Method 1, make sure that your Amazon EC2 instances are AWS Systems Manager managed and then install the agent.
AWS Systems Manager managed Amazon EC2 instance
Use the following steps to make your Amazon EC2 instances AWS Systems Manager managed.
- AWS Systems Manager helps you manage your AWS applications and resources end-to-end and enables secure operations at scale. To manage your Amazon EC2 instances with AWS Systems Manager, see Setting up Systems Manager for Amazon EC2 instances in the AWS Systems Manager User Guide.
- The following table shows the GuardDuty managed AWS Systems Manager documents:

  Document name                                         Document type   Purpose
  AmazonGuardDuty-RuntimeMonitoringSsmPlugin            Distributor     Packages the GuardDuty security agent.
  AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin   Command         Runs the installation/uninstallation script that installs or removes the GuardDuty security agent.

  For more information about AWS Systems Manager, see AWS Systems Manager documents in the AWS Systems Manager User Guide.
For Debian Servers
The Amazon Machine Images (AMIs) for Debian Server provided by AWS require you to install the AWS Systems Manager agent (SSM agent). You will need to perform an additional step to install the SSM agent to make your Amazon EC2 Debian Server instances SSM managed. For information about steps that you need to take, see Manually installing SSM agent on Debian Server instances in the AWS Systems Manager User Guide.
To install the GuardDuty agent for an Amazon EC2 instance by using AWS Systems Manager
- Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
- In the navigation pane, choose Documents.
- In Owned by Amazon, choose AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin.
- Choose Run Command.
- Enter the following Run Command parameters:
  - Action: Choose Install.
  - Installation Type: Choose Install or Uninstall.
  - Name: AmazonGuardDuty-RuntimeMonitoringSsmPlugin
  - Version: If this remains empty, you'll get the latest version of the GuardDuty security agent. For more information about the release versions, see GuardDuty security agent for Amazon EC2 instances.
- Select the targeted Amazon EC2 instance. You can select one or more Amazon EC2 instances. For more information, see Running commands from the console in the AWS Systems Manager User Guide.
- Validate that the GuardDuty agent installation is healthy. For more information, see Validating GuardDuty security agent installation status.
With Method 2 (Linux package managers), you can install the GuardDuty security agent by running RPM scripts or Debian scripts. Based on the operating system, choose the matching method:
- Use RPM scripts to install the security agent on Amazon Linux 2 (AL2) or Amazon Linux 2023 (AL2023).
- Use Debian scripts to install the security agent on Ubuntu or Debian. For information about supported Ubuntu and Debian OS distributions, see Validating architectural requirements.
Out of memory error
If you experience an out-of-memory error while installing or updating the GuardDuty security agent for Amazon EC2 manually, see Troubleshooting out of memory error.
Validating GuardDuty security agent installation status
To validate that the GuardDuty security agent is healthy
- Run the following command to check the status of the GuardDuty security agent:
  sudo systemctl status amazon-guardduty-agent
  The security agent installation logs are available under /var/log/amzn-guardduty-agent/.
  To view the service logs, run sudo journalctl -u amazon-guardduty-agent.
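A running systemd unit does not by itself prove that the agent can reach GuardDuty through the VPC endpoint you created. The following is an added health-check script, not code from the AWS documentation, that you can run on the instance after either installation method (it covers the validation step at the end of the Run Command procedure as well as this section). It parses the unit's state from systemctl, flags a restart loop, pulls error lines from the journal, and checks that the GuardDuty data endpoint name resolves to a private address, which is what "Enable DNS name" on the endpoint should produce for instances in its subnets. The hostname pattern guardduty-data.<region>.amazonaws.com is my assumption derived from the service name com.amazonaws.<region>.guardduty-data; the restart threshold of three is an arbitrary choice; the command runners and resolver are injectable so the logic can be exercised with constructed output.

```python
"""Health check for a manually installed GuardDuty security agent.

Added example; not part of the AWS documentation. Run on the EC2 instance:
    sudo python3 gd_agent_check.py us-east-1
"""
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, List, Optional

UNIT = "amazon-guardduty-agent"
MAX_RESTARTS = 3  # arbitrary threshold for "stuck in a restart loop" (assumption)


def parse_systemctl_show(output: str) -> Dict[str, str]:
    """Parse `systemctl show --property=...` KEY=VALUE lines into a dict."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def agent_state(run: Optional[Callable[[List[str]], str]] = None) -> Dict[str, str]:
    """Query systemd for the agent unit; `run` is injectable for testing."""
    cmd = ["systemctl", "show", UNIT,
           "--property=ActiveState,SubState,NRestarts,ExecMainStartTimestamp"]
    if run is None:
        run = lambda c: subprocess.run(c, capture_output=True, text=True, check=False).stdout
    return parse_systemctl_show(run(cmd))


def agent_is_healthy(props: Dict[str, str]) -> bool:
    """Healthy means active/running and not repeatedly restarted by systemd."""
    restarts = int(props.get("NRestarts") or 0)
    return (props.get("ActiveState") == "active"
            and props.get("SubState") == "running"
            and restarts < MAX_RESTARTS)


def endpoint_hostname(region: str) -> str:
    """Private DNS name the agent is expected to use (assumed pattern, see lead-in)."""
    return f"guardduty-data.{region}.amazonaws.com"


def resolves_privately(hostname: str,
                       resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the name resolves to a private (VPC endpoint ENI) address.

    A public address means private DNS is not in effect for this instance and
    agent traffic would leave the VPC through an internet or NAT path instead.
    """
    try:
        addr = ipaddress.ip_address(resolve(hostname))
    except (socket.gaierror, ValueError):
        return False
    return addr.is_private


def recent_errors(journal_text: str, limit: int = 5) -> List[str]:
    """Return the last `limit` error-looking lines from journalctl output."""
    hits = [ln for ln in journal_text.splitlines()
            if "error" in ln.lower() or "fail" in ln.lower()]
    return hits[-limit:]


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    props = agent_state()
    print("agent:", props.get("ActiveState"), props.get("SubState"),
          "restarts:", props.get("NRestarts"))
    host = endpoint_hostname(region)
    private = resolves_privately(host)
    print(f"{host} resolves to a private address: {private}")
    journal = subprocess.run(["journalctl", "-u", UNIT, "--no-pager", "-n", "200"],
                             capture_output=True, text=True, check=False).stdout
    for line in recent_errors(journal):
        print("journal:", line)
    sys.exit(0 if agent_is_healthy(props) and private else 1)
```

If the unit is active but the hostname resolves to a public address, revisit the endpoint: Enable DNS name must be on, the instance's subnet must be one of the endpoint's subnets, and the VPC must have DNS resolution and DNS hostnames enabled. If the journal shows connection errors while the name resolves privately, check the endpoint security group's inbound 443 rule and the endpoint policy's principal condition against the instance's account.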
Updating the GuardDuty security agent manually
You can update the GuardDuty security agent by using the Run command. You can follow the same steps that you used to install the GuardDuty security agent.