Prerequisites for AWS Fargate (Amazon ECS only) support - Amazon GuardDuty


Validating architectural requirements

The platform that you use affects how the GuardDuty security agent receives runtime events from your Amazon ECS clusters. Verify that you're using one of the verified platforms.

Initial considerations:

The AWS Fargate (Fargate) platform for your Amazon ECS clusters must be Linux. The corresponding platform version must be at least 1.4.0, or LATEST. For more information about the platform versions, see Linux platform versions in the Amazon Elastic Container Service Developer Guide.

The Windows platform versions are not yet supported.

Verified platforms

The OS distribution and CPU architecture affect the support provided by the GuardDuty security agent. The following table shows the verified configurations for deploying the GuardDuty security agent and configuring Runtime Monitoring.

OS distribution | Kernel support            | CPU architecture: x64 (AMD64) | CPU architecture: Graviton (ARM64)
Linux           | eBPF, Tracepoints, Kprobe | Supported                     | Supported

Provide ECR permissions and subnet details

Before enabling Runtime Monitoring, you must provide the following details:

Provide a task execution role with permissions

The task execution role requires you to have certain Amazon Elastic Container Registry (Amazon ECR) permissions. You can either use the AmazonECSTaskExecutionRolePolicy managed policy or add the following permissions to your TaskExecutionRole policy:

... "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", ...

To further restrict the Amazon ECR permissions, you can add the Amazon ECR repository URI that hosts the GuardDuty security agent for AWS Fargate (Amazon ECS only). For more information, see Repository for GuardDuty agent on AWS Fargate (Amazon ECS only).

Provide subnet details in task definition

You can either provide the public subnets as an input in your task definition or create an Amazon ECR VPC endpoint.

  • Using task definition option – Running the CreateService and UpdateService APIs in the Amazon Elastic Container Service API Reference requires you to pass the subnet information. For more information, see Amazon ECS task definitions in the Amazon Elastic Container Service Developer Guide.

  • Using the Amazon ECR VPC endpoint option – Provide a network path to Amazon ECR. Ensure that the Amazon ECR repository URI that hosts the GuardDuty security agent is reachable over the network. If your Fargate tasks will run in a private subnet, Fargate needs a network path to download the GuardDuty container.

    For information about enabling Fargate to download the GuardDuty container, see Using Amazon ECR with Amazon ECS in the Amazon Elastic Container Service Developer Guide.

Validating your organization service control policy

If you have set up a service control policy (SCP) to manage permissions in your organization, make sure that the policy doesn't deny the permission guardduty:SendSecurityTelemetry. This permission is required for GuardDuty to support Runtime Monitoring across different resource types.

If you are a member account, contact the associated delegated administrator. For information about managing SCPs for your organization, see Service control policies (SCPs).
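The following Python is an added example, not code from the GuardDuty documentation or from AWS. It performs offline checks for the two IAM prerequisites above: that a task execution role policy grants the four Amazon ECR actions listed earlier, and that an SCP does not deny guardduty:SendSecurityTelemetry. It evaluates only the Action and NotAction elements of each statement (Resource and Condition are ignored, so a pass here is necessary but not sufficient), and the policy documents in the block are constructed samples.

```python
"""Added example (not AWS code): offline checks for the IAM prerequisites above.

Checks that a task execution role policy grants the required Amazon ECR actions
and that an SCP does not deny guardduty:SendSecurityTelemetry. Only Action and
NotAction are evaluated; Resource and Condition elements are ignored. The policy
documents at the bottom are constructed samples.
"""
import fnmatch
import json

REQUIRED_ECR_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)
TELEMETRY_ACTION = "guardduty:SendSecurityTelemetry"


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a policy as a JSON string or an already-parsed dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement"))


def _action_matches(pattern, action):
    # IAM action wildcards (* and ?) match case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True when the statement's Action/NotAction element applies to `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def missing_ecr_permissions(policy):
    """Required ECR actions that no Allow statement grants, or that a Deny
    statement blocks (an explicit Deny always wins in IAM evaluation)."""
    stmts = _statements(policy)
    missing = []
    for action in REQUIRED_ECR_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing


def scp_denies_telemetry(scp):
    """True when any Deny statement in the SCP covers guardduty:SendSecurityTelemetry."""
    return any(s.get("Effect") == "Deny" and _statement_covers(s, TELEMETRY_ACTION)
               for s in _statements(scp))


# Constructed task execution role policy that grants exactly the four ECR actions.
TASK_EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": list(REQUIRED_ECR_ACTIONS), "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Constructed SCP that denies every GuardDuty action; this would block Runtime Monitoring.
BLOCKING_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "guardduty:*", "Resource": "*"}],
}

# Constructed SCP in the shape of a full-access policy; it denies nothing.
FULL_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("missing ECR actions:", missing_ecr_permissions(TASK_EXECUTION_ROLE_POLICY))
    print("SCP denies telemetry:", scp_denies_telemetry(BLOCKING_SCP))
```

Run it against the JSON you get back from `aws iam get-policy-version` or `aws organizations describe-policy`; a non-empty list from `missing_ecr_permissions` or `True` from `scp_denies_telemetry` means the agent image pull or the telemetry upload will fail before you ever see a coverage status.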

CPU and memory limits

In the Fargate task definition, you must specify the CPU and memory value at the task level. The following table shows the valid combinations of task-level CPU and memory values, and the corresponding GuardDuty security agent maximum memory limit for the GuardDuty container.

CPU value       | Memory value                                | GuardDuty agent maximum memory limit
256 (.25 vCPU)  | 512 MiB, 1 GB, 2 GB                         | 128 MB
512 (.5 vCPU)   | 1 GB, 2 GB, 3 GB, 4 GB                      | 128 MB
1024 (1 vCPU)   | 2 GB, 3 GB, 4 GB                            | 128 MB
1024 (1 vCPU)   | 5 GB, 6 GB, 7 GB, 8 GB                      | 256 MB
2048 (2 vCPU)   | Between 4 GB and 16 GB in 1 GB increments   | 256 MB
4096 (4 vCPU)   | Between 8 GB and 20 GB in 1 GB increments   | 256 MB
8192 (8 vCPU)   | Between 16 GB and 28 GB in 4 GB increments  | 256 MB
8192 (8 vCPU)   | Between 32 GB and 60 GB in 4 GB increments  | 512 MB
16384 (16 vCPU) | Between 32 GB and 120 GB in 8 GB increments | 1 GB
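As an added example (not part of the GuardDuty documentation and not AWS code), the following Python encodes the CPU/memory table above and checks a task definition against it, returning the agent's maximum memory limit that applies and flagging a Windows platform or a combination the table does not list. It assumes that the task-level "memory" value is a MiB string, as Amazon ECS task definitions use, and that "N GB" in the table means N * 1024 MiB; the sample task definition is constructed.

```python
"""Added example (not AWS code): map a Fargate task definition's task-level CPU and
memory values to the GuardDuty agent maximum memory limit from the table above.

Assumptions: the task definition "memory" value is a MiB string, as Amazon ECS
uses, and an "N GB" entry in the table means N * 1024 MiB. The sample task
definition below is constructed for illustration.
"""
from typing import Optional

GB = 1024  # MiB per "GB" in Amazon ECS task definition values

# (task CPU units, allowed task memory values in MiB, GuardDuty agent max memory in MB)
FARGATE_COMBINATIONS = [
    (256,   [512, 1 * GB, 2 * GB],                        128),
    (512,   [1 * GB, 2 * GB, 3 * GB, 4 * GB],             128),
    (1024,  [2 * GB, 3 * GB, 4 * GB],                     128),
    (1024,  [5 * GB, 6 * GB, 7 * GB, 8 * GB],             256),
    (2048,  list(range(4 * GB, 16 * GB + 1, 1 * GB)),     256),
    (4096,  list(range(8 * GB, 20 * GB + 1, 1 * GB)),     256),
    (8192,  list(range(16 * GB, 28 * GB + 1, 4 * GB)),    256),
    (8192,  list(range(32 * GB, 60 * GB + 1, 4 * GB)),    512),
    (16384, list(range(32 * GB, 120 * GB + 1, 8 * GB)),  1024),
]


def agent_memory_limit_mb(cpu: int, memory_mib: int) -> Optional[int]:
    """Return the agent's maximum memory limit (MB) for a listed combination, else None."""
    for cpu_units, memory_values, limit in FARGATE_COMBINATIONS:
        if cpu_units == cpu and memory_mib in memory_values:
            return limit
    return None


def check_task_definition(task_def: dict) -> dict:
    """Check the task-level prerequisites on a task definition dict (the shape
    RegisterTaskDefinition / DescribeTaskDefinition use). Returns the findings
    and the agent memory limit that applies (None when the combination is invalid)."""
    findings = []

    # The Fargate platform must be Linux; Windows platform versions are not supported.
    platform = task_def.get("runtimePlatform", {})
    os_family = platform.get("operatingSystemFamily", "LINUX")
    if os_family.upper() != "LINUX":
        findings.append(f"operatingSystemFamily {os_family!r} is not supported; use LINUX")

    # Fargate requires CPU and memory at the task level, not only per container.
    try:
        cpu = int(task_def["cpu"])
        memory = int(task_def["memory"])
    except (KeyError, ValueError):
        findings.append("task-level cpu and memory must both be set")
        return {"findings": findings, "agent_max_memory_mb": None}

    limit = agent_memory_limit_mb(cpu, memory)
    if limit is None:
        findings.append(f"cpu={cpu}, memory={memory} MiB is not a listed Fargate combination")
    return {"findings": findings, "agent_max_memory_mb": limit}


# Constructed sample: 1 vCPU with 6 GB on Linux/ARM64 (Graviton).
SAMPLE_TASK_DEFINITION = {
    "family": "example-web",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "1024",
    "memory": "6144",
    "runtimePlatform": {"operatingSystemFamily": "LINUX", "cpuArchitecture": "ARM64"},
    "containerDefinitions": [{"name": "web", "image": "example/web:1.0"}],
}

if __name__ == "__main__":
    print(check_task_definition(SAMPLE_TASK_DEFINITION))
```

Feed it the `taskDefinition` object from `aws ecs describe-task-definition`; the returned limit is the memory the GuardDuty container can consume on top of your own containers, which matters when you size the task close to its memory ceiling.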

After you enable Runtime Monitoring and confirm that the coverage status of your cluster is Healthy, you can set up and view the Container Insights metrics. For more information, see Setting up monitoring on Amazon ECS cluster.

The next step is to configure Runtime Monitoring and also configure the security agent.