Managing security agent manually for Amazon EKS cluster

This section describes how you can manage your Amazon EKS add-on agent (the GuardDuty agent) after you enable Runtime Monitoring. To use Runtime Monitoring, you must both enable Runtime Monitoring and configure the Amazon EKS add-on aws-guardduty-agent. Performing only one of these two steps will not let GuardDuty detect potential threats or generate findings.
Prerequisites to deploying GuardDuty security agent

This section describes the prerequisites to deploying the GuardDuty security agent for your EKS clusters manually. Before proceeding, make sure you have already configured Runtime Monitoring for your accounts. The GuardDuty security agent (EKS add-on) will not work if you don't configure Runtime Monitoring. For more information, see Enabling GuardDuty Runtime Monitoring. After you complete the following steps, see Deploying GuardDuty security agent.
Choose your preferred access method to create an Amazon VPC endpoint.

Console

Create VPC endpoint

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, under Virtual private cloud, choose Endpoints.
- Choose Create Endpoint.
- On the Create endpoint page, for Service category, choose Other endpoint services.
- For Service name, enter com.amazonaws.us-east-1.guardduty-data. Make sure to replace us-east-1 with the correct Region. This must be the same Region as the EKS cluster that belongs to your AWS account ID.
- Choose Verify service.
- After the service name is successfully verified, choose the VPC where your cluster resides. Add the following policy to restrict VPC endpoint usage to the specified account only. Using the organization conditions listed below the policy, you can update it to restrict access to your endpoint. To provide VPC endpoint support to specific account IDs in your organization, see Organization condition to restrict access to your endpoint.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow",
        "Principal": "*"
      },
      {
        "Condition": {
          "StringNotEquals": {
            "aws:PrincipalAccount": "111122223333"
          }
        },
        "Action": "*",
        "Resource": "*",
        "Effect": "Deny",
        "Principal": "*"
      }
    ]
  }

  The aws:PrincipalAccount account ID must match the account containing the VPC and VPC endpoint. The following list shows how to share the VPC endpoint with other AWS account IDs:

  Organization condition to restrict access to your endpoint

  - To specify multiple accounts that can access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following:

    "aws:PrincipalAccount": [
      "666666666666",
      "555555555555"
    ]

  - To allow all the members of an organization to access the VPC endpoint, replace "aws:PrincipalAccount": "111122223333" with the following:

    "aws:PrincipalOrgID": "o-abcdef0123"

  - To restrict access to a resource to an organization ID, add your ResourceOrgID to the policy. For more information, see ResourceOrgID.

    "aws:ResourceOrgID": "o-abcdef0123"

- Under Additional settings, choose Enable DNS name.
- Under Subnets, choose the subnets in which your cluster resides.
- Under Security groups, choose a security group that has inbound port 443 enabled from your VPC (or your EKS cluster). If you don't already have a security group with inbound port 443 enabled, create a security group. If there is an issue while restricting the inbound permissions to your VPC (or cluster), allow inbound port 443 from any IP address (0.0.0.0/0).

API/CLI

- Invoke CreateVpcEndpoint.
- Use the following values for the parameters:
  - For Service name, enter com.amazonaws.us-east-1.guardduty-data. Make sure to replace us-east-1 with the correct Region. This must be the same Region as the EKS cluster that belongs to your AWS account ID.
  - For DNSOptions, enable the private DNS option by setting it to true.
- For the AWS Command Line Interface, see create-vpc-endpoint.
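The endpoint policy above is a blanket Allow followed by an explicit Deny keyed on aws:PrincipalAccount, aws:PrincipalOrgID or aws:ResourceOrgID. As an added example that is not part of the AWS documentation, the following Python builds that policy for a chosen set of accounts or an organization and evaluates it against a request context, so you can confirm which principals would reach the endpoint before creating it. The account and organization IDs are the placeholder values from this page; the evaluator models only the StringNotEquals operator the policy uses.

```python
import json

# Added example (not AWS code): build the VPC endpoint policy shown on this page
# and evaluate it against a request context, so the account / organization
# restriction can be checked before the endpoint is created. IDs are the
# placeholder values from the page.

def build_endpoint_policy(principal_accounts=(), principal_org_id=None, resource_org_id=None):
    """Allow-all statement plus one explicit Deny per StringNotEquals key."""
    if not principal_accounts and not principal_org_id:
        raise ValueError("need at least one account ID or a principal organization ID")
    conditions = {}
    if principal_accounts:
        accounts = list(principal_accounts)
        conditions["aws:PrincipalAccount"] = accounts[0] if len(accounts) == 1 else accounts
    if principal_org_id:
        conditions["aws:PrincipalOrgID"] = principal_org_id
    if resource_org_id:
        conditions["aws:ResourceOrgID"] = resource_org_id
    statements = [{"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"}]
    # A separate Deny per key: every key must match or the request is denied.
    for key, value in conditions.items():
        statements.append({"Condition": {"StringNotEquals": {key: value}},
                           "Action": "*", "Resource": "*", "Effect": "Deny", "Principal": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

def is_allowed(policy, context):
    """Explicit Deny wins; otherwise a matching Allow grants access.
    context maps condition keys (e.g. aws:PrincipalAccount) to request values."""
    def matches(stmt):
        for op, keys in stmt.get("Condition", {}).items():
            if op != "StringNotEquals":
                raise NotImplementedError(f"operator {op} is not modelled here")
            for key, expected in keys.items():
                values = expected if isinstance(expected, list) else [expected]
                # StringNotEquals holds unless the request value equals one of the
                # listed values; a missing key counts as not equal, as in IAM.
                if context.get(key) in values:
                    return False
        return True
    if any(s["Effect"] == "Deny" and matches(s) for s in policy["Statement"]):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in policy["Statement"])

if __name__ == "__main__":
    policy = build_endpoint_policy(["666666666666", "555555555555"], resource_org_id="o-abcdef0123")
    print(json.dumps(policy, indent=2))
```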
Configure EKS add-on parameters

You can configure specific parameters of your GuardDuty security agent for Amazon EKS. This support is available for GuardDuty security agent version 1.5.0 and above. For information about the latest add-on versions, see GuardDuty security agent for Amazon EKS clusters.

Why should I update the security agent configuration schema

The configuration schema for the GuardDuty security agent is the same across all containers within your Amazon EKS clusters. When the default values do not align with the associated workloads and instance size, consider configuring the CPU settings, memory settings, PriorityClass, and dnsPolicy settings. Regardless of how you manage the GuardDuty agent for your Amazon EKS clusters, you can configure or update the existing configuration of these parameters.

Automated agent configuration behavior with configured parameters

When GuardDuty manages the security agent (EKS add-on) on your behalf, it updates the add-on as needed. GuardDuty sets the configurable parameters to their default values. However, you can still update the parameters to a desired value. If this leads to a conflict, the default option for resolveConflicts is None.
For information about the steps to configure the add-on parameters, see:
The following tables provide the ranges and values that you can use to deploy the Amazon EKS add-on manually or update the existing add-on settings.
CPU settings

Parameters | Default value | Configurable range
Requests | 200m | Between 200m and 10000m, both inclusive
Limits | 1000m | Between 200m and 10000m, both inclusive

Memory settings

Parameters | Default value | Configurable range
Requests | 256Mi | Between 256Mi and 20000Mi, both inclusive
Limits | 1024Mi | Between 256Mi and 20000Mi, both inclusive
PriorityClass settings

When GuardDuty creates an Amazon EKS add-on for you, the assigned PriorityClass is aws-guardduty-agent.priorityclass. This means that no action will be taken based on the priority of the agent pod. You can configure this add-on parameter by choosing one of the following PriorityClass options:

Configurable PriorityClass | preemptionPolicy value | preemptionPolicy description | Pod value
aws-guardduty-agent.priorityclass | Never | No action | 1000000
aws-guardduty-agent.priorityclass-high | PreemptLowerPriority | Assigning this value will preempt a pod running with a priority value lower than the agent pod value. | 100000000
system-cluster-critical (1) | PreemptLowerPriority | Assigning this value will preempt a pod running with a priority value lower than the agent pod value. | 2000000000
system-node-critical (1) | PreemptLowerPriority | Assigning this value will preempt a pod running with a priority value lower than the agent pod value. | 2000001000

(1) Kubernetes provides these two PriorityClass options, system-cluster-critical and system-node-critical. For more information, see PriorityClass in the Kubernetes documentation.

dnsPolicy settings

Choose one of the following DNS policy options that Kubernetes supports. When no configuration is specified, ClusterFirst is used as the default value.

- ClusterFirst
- ClusterFirstWithHostNet
- Default

For information about these policies, see Pod's DNS Policy in the Kubernetes documentation.
Deploying GuardDuty security agent
This section describes how you can deploy the GuardDuty security agent for the first time
for specific EKS clusters. Before you proceed with this section, make sure you have
already set up the prerequisites and enabled Runtime Monitoring for your accounts. The GuardDuty
security agent (EKS add-on) will not work if you do not enable Runtime Monitoring.
Choose your preferred access method to deploy the GuardDuty security agent for the first
time.
Console

- Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
- Choose your Cluster name.
- Choose the Add-ons tab.
- Choose Get more add-ons.
- On the Select add-ons page, choose Amazon GuardDuty Runtime Monitoring.
- On the Configure selected add-on settings page, use the default settings. If the Status of your EKS add-on is Requires activation, choose Activate GuardDuty. This action will open the GuardDuty console to configure Runtime Monitoring for your accounts.
- After you've configured Runtime Monitoring for your accounts, switch back to the Amazon EKS console. The Status of your EKS add-on should have changed to Ready to install.
- (Optional) Providing EKS add-on configuration schema

  For the add-on Version, if you choose v1.5.0 and above, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For information about parameter ranges, see Configure EKS add-on parameters.

  - Expand Optional configuration settings to view the configurable parameters and their expected value and format.
  - Set the parameters. The values must be in the range provided in Configure EKS add-on parameters.
  - Choose Save changes to create the add-on based on the advanced configuration.

- For Conflict resolution method, the option that you choose will be used to resolve a conflict when you update the value of a parameter to a non-default value. For more information about the listed options, see resolveConflicts in the Amazon EKS API Reference.
- Choose Next.
- On the Review and create page, verify all the details, and choose Create.
- Navigate back to the cluster details and choose the Resources tab.
- You can view the new pods with the prefix aws-guardduty-agent.
API/CLI

You can configure the Amazon EKS add-on agent (aws-guardduty-agent) using either of the following options:

- Run CreateAddon for your account.

  For the add-on version, if you choose v1.5.0 and above, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For more information, see Configure EKS add-on parameters.

  Use the following values for the request parameters:

  - For addonName, enter aws-guardduty-agent.

    You can use the following AWS CLI example when using configurable values supported for add-on versions v1.5.0 and above. Make sure to replace the placeholder values (the Region us-east-1 and the cluster name myClusterName in this example) and the associated Example.json with your configured values.

    aws eks create-addon --region us-east-1 --cluster-name myClusterName --addon-name aws-guardduty-agent --addon-version v1.5.0-eksbuild.1 --configuration-values 'file://example.json'

    Example.json

    {
      "priorityClassName": "aws-guardduty-agent.priorityclass-high",
      "dnsPolicy": "Default",
      "resources": {
        "requests": {
          "cpu": "237m",
          "memory": "512Mi"
        },
        "limits": {
          "cpu": "2000m",
          "memory": "2048Mi"
        }
      }
    }

  - For information about supported addonVersion values, see Kubernetes versions supported by GuardDuty security agent.

- Alternatively, you can use the AWS CLI. For more information, see create-addon.
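The tables under Configure EKS add-on parameters and the Example.json above together define what a valid configuration looks like. As an added example that is not part of the AWS documentation, the following Python checks a configuration against those ranges and allowed values before it is handed to `aws eks create-addon --configuration-values`; the Kubernetes quantity parsing (m, Mi, Gi) is my own, the defaults it assumes for missing keys are the ones in the tables, and EXAMPLE_JSON holds this page's Example.json.

```python
import re
# Added example (not AWS code): check an add-on configuration such as the
# Example.json above against the ranges this page gives for agent v1.5.0 and
# later, before handing it to `aws eks create-addon --configuration-values`.
CPU_RANGE_MILLI = (200, 10000)   # 200m to 10000m, inclusive
MEMORY_RANGE_MI = (256, 20000)   # 256Mi to 20000Mi, inclusive
PRIORITY_CLASSES = {"aws-guardduty-agent.priorityclass", "aws-guardduty-agent.priorityclass-high",
                    "system-cluster-critical", "system-node-critical"}
DNS_POLICIES = {"ClusterFirst", "ClusterFirstWithHostNet", "Default"}
EXAMPLE_JSON = {"priorityClassName": "aws-guardduty-agent.priorityclass-high", "dnsPolicy": "Default",
                "resources": {"requests": {"cpu": "237m", "memory": "512Mi"},
                              "limits": {"cpu": "2000m", "memory": "2048Mi"}}}

def cpu_millicores(value):
    """Parse a Kubernetes CPU quantity ("237m" or "2") into millicores."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m?)", str(value))
    if not m:
        raise ValueError(f"bad CPU quantity: {value!r}")
    return int(float(m.group(1)) * (1 if m.group(2) else 1000))

def memory_mi(value):
    """Parse a memory quantity given in Mi or Gi into Mi."""
    m = re.fullmatch(r"(\d+)(Mi|Gi)", str(value))
    if not m:
        raise ValueError(f"bad memory quantity (use Mi or Gi): {value!r}")
    return int(m.group(1)) * (1024 if m.group(2) == "Gi" else 1)

def validate_addon_config(config):
    """Return a list of problems (empty means valid); missing keys use the documented defaults."""
    problems = []
    if config.get("priorityClassName", "aws-guardduty-agent.priorityclass") not in PRIORITY_CLASSES:
        problems.append("priorityClassName not supported: " + config["priorityClassName"])
    if config.get("dnsPolicy", "ClusterFirst") not in DNS_POLICIES:
        problems.append("dnsPolicy not supported: " + config["dnsPolicy"])
    res = config.get("resources", {})
    checks = (("cpu", cpu_millicores, CPU_RANGE_MILLI), ("memory", memory_mi, MEMORY_RANGE_MI))
    for section in ("requests", "limits"):
        for key, parse, (lo, hi) in checks:
            raw = res.get(section, {}).get(key)
            if raw is None:
                continue
            try:
                n = parse(raw)
            except ValueError as e:
                problems.append(str(e))
                continue
            if not lo <= n <= hi:
                problems.append(f"{section}.{key}={raw} is outside {lo}..{hi}")
    return problems
```

Run `validate_addon_config(EXAMPLE_JSON)` before `create-addon`; an empty list means every value is inside the documented ranges.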
Verifying configuration schema updates

After you have configured the parameters, perform the following steps to verify that the configuration schema has been updated:

- Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
- In the navigation pane, choose Clusters.
- On the Clusters page, select the Cluster name for which you want to verify the updates.
- Choose the Resources tab.
- From the Resource types pane, under Workloads, choose DaemonSets.
- Select aws-guardduty-agent.
- On the aws-guardduty-agent page, choose Raw view to view the unformatted JSON response. Verify that the configurable parameters display the value that you provided.

After you verify, switch to the GuardDuty console. Select the corresponding AWS Region and view the coverage status for your Amazon EKS clusters. For more information, see Coverage for Amazon EKS clusters.