Installing and updating security agent manually for Amazon EC2 instance - Amazon GuardDuty

This section provides the steps to manually install and update the security agent for your Amazon EC2 resources.

After you enable Runtime Monitoring, you will need to install the GuardDuty security agent manually. Once the agent is installed, GuardDuty receives runtime events from the Amazon EC2 instances. When GuardDuty releases a new agent version for this resource, you can update the agent version in your account. For more information about the latest agent versions, see GuardDuty security agent for Amazon EC2 instances.

To manage the GuardDuty security agent, you must first create an Amazon VPC endpoint and then follow the steps to install the security agent manually.

Prerequisite – Creating Amazon VPC endpoint manually

Before you can install the GuardDuty security agent, you must create an Amazon Virtual Private Cloud (Amazon VPC) endpoint. This will help GuardDuty receive the runtime events of your Amazon EC2 instances.

Note

There is no additional cost for the usage of the VPC endpoint.

To create an Amazon VPC endpoint
  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under VPC private cloud, choose Endpoints.

  3. Choose Create Endpoint.

  4. On the Create endpoint page, for Service category, choose Other endpoint services.

  5. For Service name, enter com.amazonaws.us-east-1.guardduty-data.

    Make sure to replace us-east-1 with your AWS Region. This must be the same Region as the Amazon EC2 instance that belongs to your AWS account ID.

  6. Choose Verify service.

  7. After the service name is successfully verified, choose the VPC where your instance resides. Add the following policy to restrict use of the Amazon VPC endpoint to the specified account only. Using the organization conditions listed after the policy, you can adapt it to restrict access to your endpoint in other ways. To provide Amazon VPC endpoint support to specific account IDs in your organization, see Organization condition to restrict access to your endpoint.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "*",
          "Resource": "*",
          "Effect": "Allow",
          "Principal": "*"
        },
        {
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalAccount": "111122223333"
            }
          },
          "Action": "*",
          "Resource": "*",
          "Effect": "Deny",
          "Principal": "*"
        }
      ]
    }

    The aws:PrincipalAccount account ID must match the account containing the VPC and VPC endpoint. The following list shows how to share the VPC endpoint with other AWS account IDs:

    • To specify multiple accounts that can access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following block:

      "aws:PrincipalAccount": [ "666666666666", "555555555555" ]

      Make sure to replace the AWS account IDs with the account IDs of those accounts that need to access the VPC endpoint.

    • To allow all the members of an organization to access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following line:

      "aws:PrincipalOrgID": "o-abcdef0123"

      Make sure to replace the organization o-abcdef0123 with your organization ID.

    • To restrict access to resources that belong to a specific organization, add the aws:ResourceOrgID condition key to the policy. For more information, see aws:ResourceOrgID in the IAM User Guide.

      "aws:ResourceOrgID": "o-abcdef0123"

  8. Under Additional settings, choose Enable DNS name.

  9. Under Subnets, choose the subnets in which your instance resides.

  10. Under Security groups, choose a security group that has the in-bound port 443 enabled from your VPC (or your Amazon EC2 instance). If you don't already have a security group that has an in-bound port 443 enabled, see Create a security group for your VPC in the Amazon VPC User Guide.

    If there is an issue while restricting the in-bound permissions to your VPC (or instance), you can allow in-bound port 443 from any IP address (0.0.0.0/0). However, GuardDuty recommends using IP addresses that match the CIDR block of your VPC. For more information, see VPC CIDR blocks in the Amazon VPC User Guide.
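The two configuration choices in the procedure above, the endpoint policy in step 7 and the security group in step 10, are easy to get subtly wrong. The following is an added example, not AWS's or GuardDuty's own code, written to make both checkable offline. It builds the endpoint policy in the shape the page shows (single account, account list, or organization ID), evaluates whether a given caller would be allowed through it, and classifies a security group's inbound rules on port 443 against the VPC CIDR. The account and organization IDs are the page's placeholders; the security group dictionary is a constructed sample in the shape that boto3's describe_security_groups returns; function names and the status strings are this example's own choices.

```python
"""Offline checks for a GuardDuty VPC endpoint policy and its security group (added example)."""
import ipaddress
from typing import Iterable, Optional

POLICY_VERSION = "2012-10-17"


def build_endpoint_policy(account_ids: Optional[Iterable[str]] = None,
                          org_id: Optional[str] = None) -> dict:
    """Return the page's endpoint policy: Allow everything, then Deny any principal
    outside the allow-list. Pass exactly one of account_ids or org_id."""
    if (account_ids is None) == (org_id is None):
        raise ValueError("pass exactly one of account_ids or org_id")
    if org_id is not None:
        condition = {"StringNotEquals": {"aws:PrincipalOrgID": org_id}}
    else:
        ids = sorted(set(account_ids))
        # One account keeps the scalar form shown on the page; several use a list.
        condition = {"StringNotEquals": {"aws:PrincipalAccount": ids[0] if len(ids) == 1 else ids}}
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"},
            {"Condition": condition, "Action": "*", "Resource": "*",
             "Effect": "Deny", "Principal": "*"},
        ],
    }


def _string_not_equals_matches(condition: dict, ctx: dict) -> bool:
    """IAM semantics for StringNotEquals: every key must differ from all listed values.
    A key absent from the request context counts as 'not equal', so the Deny applies."""
    for key, expected in condition.get("StringNotEquals", {}).items():
        values = expected if isinstance(expected, list) else [expected]
        actual = ctx.get(key)
        if actual is not None and actual in values:
            return False
    return True


def endpoint_allows(policy: dict, principal_account: str,
                    principal_org_id: Optional[str] = None) -> bool:
    """Evaluate the policy for one caller. An explicit Deny always wins over Allow.
    Only the operator and condition keys used on the page are modelled."""
    ctx = {"aws:PrincipalAccount": principal_account, "aws:PrincipalOrgID": principal_org_id}
    allowed = False
    for stmt in policy["Statement"]:
        if not _string_not_equals_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def https_ingress_status(security_group: dict, vpc_cidr: str) -> str:
    """Classify inbound TCP/443 CIDR sources of a security group (boto3 shape).
    Returns 'missing', 'open-to-world', 'scoped' (all sources inside the VPC CIDR)
    or 'broader-than-vpc'. Security-group-referenced sources are not modelled."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    sources = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" (all traffic) carries no port range in the API response.
        if proto == "tcp" and not (perm["FromPort"] <= 443 <= perm["ToPort"]):
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    if not sources:
        return "missing"
    nets = [ipaddress.ip_network(s) for s in sources]
    if any(n.prefixlen == 0 for n in nets):
        return "open-to-world"
    if all(n.version == vpc_net.version and n.subnet_of(vpc_net) for n in nets):
        return "scoped"
    return "broader-than-vpc"


# Constructed sample security group, in the shape of describe_security_groups output.
SAMPLE_SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]}

if __name__ == "__main__":
    policy = build_endpoint_policy(["111122223333"])
    print("owner account allowed:", endpoint_allows(policy, "111122223333"))
    print("other account allowed:", endpoint_allows(policy, "444455556666"))
    print("port 443 ingress:", https_ingress_status(SAMPLE_SG, "10.0.0.0/16"))
```

Two behaviours worth noticing when you run it: an account outside your organization has no aws:PrincipalOrgID in its request context, so the organization variant of the policy denies it rather than falling through, and a security group that opens 443 to 0.0.0.0/0 is reported separately from one that is merely wider than the VPC CIDR, which is the distinction step 10 asks you to make.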