Prerequisites for AWS Fargate (Amazon ECS only) support - Amazon GuardDuty

Validating architectural requirements

The platform that you use affects how the GuardDuty security agent receives runtime events from your Amazon ECS clusters. Validate that you're using one of the verified platforms.

Initial considerations:

The AWS Fargate (Fargate) platform for your Amazon ECS clusters must be Linux. The corresponding platform version must be at least 1.4.0, or LATEST. For more information about the platform versions, see Linux platform versions in the Amazon Elastic Container Service Developer Guide.

The Windows platform versions are not yet supported.

Verified platforms

The OS distribution and CPU architecture affect the support provided by the GuardDuty security agent. The following table shows the verified configurations for deploying the GuardDuty security agent and configuring Runtime Monitoring.

OS distribution   Kernel support               CPU architecture: x64 (AMD64)   CPU architecture: Graviton (ARM64)
Linux             eBPF, Tracepoints, Kprobe    Supported                       Supported

Provide ECR permissions and subnet details

Before enabling Runtime Monitoring, you must provide the following details:

Provide a task execution role with permissions

The task execution role requires you to have certain Amazon Elastic Container Registry (Amazon ECR) permissions. You can either use the AmazonECSTaskExecutionRolePolicy managed policy or add the following permissions to your TaskExecutionRole policy:

    ...
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    ...

To further restrict the Amazon ECR permissions, you can add the Amazon ECR repository URI that hosts the GuardDuty security agent for AWS Fargate (Amazon ECS only). For more information, see Repository for GuardDuty agent on AWS Fargate (Amazon ECS only).

Provide subnet details in task definition

You can either provide the public subnets as an input in your task definition or create an Amazon ECR VPC endpoint.

  • Using task definition option – Running the CreateService and UpdateService APIs in the Amazon Elastic Container Service API Reference requires you to pass the subnet information. For more information, see Amazon ECS task definitions in the Amazon Elastic Container Service Developer Guide.

  • Using the Amazon ECR VPC endpoint option – Provide a network path to Amazon ECR. Ensure that the Amazon ECR repository URI that hosts the GuardDuty security agent is network accessible. If your Fargate tasks will run in a private subnet, Fargate needs a network path to download the GuardDuty container.

    For information about enabling Fargate to download the GuardDuty container, see Using Amazon ECR images with Amazon ECS in the Amazon Elastic Container Registry User Guide.

Validating your organization service control policy

This step is required for GuardDuty to support Runtime Monitoring and assess coverage across different resource types.

If you have set up a service control policy (SCP) to manage permissions in your organization, validate that the permissions boundary is not restricting guardduty:SendSecurityTelemetry in your TaskExecutionRole and its policy.

The following policy is an example for allowing the guardduty:SendSecurityTelemetry policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        ...,
        ...,
        "guardduty:SendSecurityTelemetry"
      ],
      "Resource": "*"
    }
  ]
}

  1. Use the following steps to validate that the Permissions boundary doesn't restrict guardduty:SendSecurityTelemetry:

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, under Access management, choose Roles.

    3. Choose the Role name for the details page.

    4. Expand the Permissions boundary section. Ensure that guardduty:SendSecurityTelemetry is not denied or restricted.

  2. Use the following steps to validate that the Permissions boundary for your TaskExecutionRole policy doesn't restrict guardduty:SendSecurityTelemetry:

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, under Access management, choose Policies.

    3. Choose the Policy name for the details page.

    4. Under the Entities attached tab, view the Attached as a permissions boundary section. Ensure that guardduty:SendSecurityTelemetry is not denied or restricted.

For information about policies and permissions, see Permissions boundaries in the IAM User Guide.

If you are a member account, connect with the associated delegated administrator. For information about managing SCPs for your organization, see Service control policies (SCPs).
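The console steps above are a manual check. As an added example that is not part of the AWS documentation, the following Python evaluates whether a permissions-boundary or SCP policy document (the JSON you would copy from the IAM console) leaves guardduty:SendSecurityTelemetry allowed, explicitly denied, or implicitly denied. The sample policy documents are constructed for illustration; Resource and Condition elements are ignored because the page's check is action-level.

```python
import fnmatch
import json

TELEMETRY_ACTION = "guardduty:SendSecurityTelemetry"

# Constructed sample: a permissions boundary that allows the telemetry action (not from the page).
BOUNDARY_ALLOW = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["ecr:*", "guardduty:SendSecurityTelemetry"],
                "Resource": "*"}]}
""")

# Constructed sample: a boundary that grants everything but explicitly denies all of GuardDuty.
BOUNDARY_DENY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
               {"Effect": "Deny", "Action": "guardduty:*", "Resource": "*"}]}
""")

def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def evaluate_action(policy, action=TELEMETRY_ACTION):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action against one policy
    document, following the IAM rules that an explicit Deny always wins and that a permissions
    boundary must itself Allow an action. Resource and Condition are deliberately ignored."""
    decision = "implicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        elif not_actions:
            hit = not any(_matches(p, action) for p in not_actions)
        else:
            continue  # malformed statement: neither Action nor NotAction
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision
```

An "implicitDeny" result on a boundary document is just as blocking as an explicit Deny, because a permissions boundary only grants what it names.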

CPU and memory limits

In the Fargate task definition, you must specify the CPU and memory value at the task level. The following table shows the valid combinations of task-level CPU and memory values, and the corresponding GuardDuty security agent maximum memory limit for the GuardDuty container.

CPU value         Memory value                                  GuardDuty agent maximum memory limit
256 (.25 vCPU)    512 MiB, 1 GB, 2 GB                           128 MB
512 (.5 vCPU)     1 GB, 2 GB, 3 GB, 4 GB                        128 MB
1024 (1 vCPU)     2 GB, 3 GB, 4 GB                              128 MB
1024 (1 vCPU)     5 GB, 6 GB, 7 GB, 8 GB                        128 MB
2048 (2 vCPU)     Between 4 GB and 16 GB in 1 GB increments     128 MB
4096 (4 vCPU)     Between 8 GB and 20 GB in 1 GB increments     128 MB
8192 (8 vCPU)     Between 16 GB and 28 GB in 4 GB increments    256 MB
8192 (8 vCPU)     Between 32 GB and 60 GB in 4 GB increments    512 MB
16384 (16 vCPU)   Between 32 GB and 120 GB in 8 GB increments   1 GB
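As an added example that is not part of the AWS documentation, the following Python encodes the table above, validates the task-level cpu and memory strings of an Amazon ECS task definition, and reports how much task memory remains for your own containers once the agent's maximum is set aside. It assumes that 1 GB in the table means 1024 MiB (the unit ECS task definitions use) and that the agent container's memory counts against the task-level memory; the sample task definition is constructed.

```python
GB = 1024  # assumption: 1 GB in the table is 1024 MiB, the unit Amazon ECS task definitions use

def _every(start_gb, end_gb, step_gb):
    """Expand 'Between X GB and Y GB in Z GB increments' into a list of MiB values."""
    return [gb * GB for gb in range(start_gb, end_gb + 1, step_gb)]

# (task CPU units, valid task memory values in MiB, GuardDuty agent maximum memory in MiB),
# transcribed from the table on this page; agent limits given in MB are treated as MiB.
FARGATE_ROWS = [
    (256, [512, 1 * GB, 2 * GB], 128),
    (512, _every(1, 4, 1), 128),
    (1024, _every(2, 8, 1), 128),
    (2048, _every(4, 16, 1), 128),
    (4096, _every(8, 20, 1), 128),
    (8192, _every(16, 28, 4), 256),
    (8192, _every(32, 60, 4), 512),
    (16384, _every(32, 120, 8), 1 * GB),
]

def agent_memory_limit(cpu, memory_mib):
    """Return the GuardDuty agent's maximum memory (MiB) for a task-level CPU/memory pair,
    or raise ValueError if Fargate does not accept that combination."""
    for row_cpu, memories, limit in FARGATE_ROWS:
        if row_cpu == cpu and memory_mib in memories:
            return limit
    raise ValueError(f"cpu={cpu}, memory={memory_mib} MiB is not a valid Fargate task combination")

def check_task_definition(task_def):
    """Validate the task-level 'cpu'/'memory' strings of an ECS task definition and report the
    memory left for application containers after the agent's maximum is reserved (assumption:
    the agent container's memory counts against the task-level memory)."""
    cpu = int(task_def["cpu"])
    memory_mib = int(task_def["memory"])
    limit = agent_memory_limit(cpu, memory_mib)
    # Hard limits ('memory') declared by your own containers must still fit beside the agent.
    reserved = sum(int(c.get("memory", 0)) for c in task_def.get("containerDefinitions", []))
    return {"agent_limit_mib": limit,
            "app_memory_mib": memory_mib - limit,
            "hard_limits_fit": reserved + limit <= memory_mib}

# Constructed sample task definition (not from the page): 1 vCPU, 3 GB, one app container
# with a 2.5 GB hard limit.
SAMPLE_TASK_DEF = {"family": "web", "cpu": "1024", "memory": "3072",
                   "containerDefinitions": [{"name": "app", "memory": "2560"}]}
```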

After you enable Runtime Monitoring and confirm that the coverage status of your cluster is Healthy, you can set up and view the Container Insights metrics. For more information, see Setting up monitoring on Amazon ECS cluster.

The next step is to configure Runtime Monitoring and also configure the security agent.