Prerequisites for AWS Fargate (Amazon ECS only) support
Validating architectural requirements
The platform that you use affects whether the GuardDuty security agent can deliver runtime events from your Amazon ECS clusters to GuardDuty. You must validate that you're using one of the verified platforms.
- Initial considerations: The AWS Fargate (Fargate) platform for your Amazon ECS clusters must be Linux. The corresponding platform version must be at least 1.4.0, or LATEST. For more information about the platform versions, see Linux platform versions in the Amazon Elastic Container Service Developer Guide. The Windows platform versions are not yet supported.
Verified platforms
The OS distribution and CPU architecture affect the support provided by the GuardDuty security agent. The following table shows the verified configuration for deploying the GuardDuty security agent and configuring Runtime Monitoring.
OS distribution | Kernel support | CPU architecture: x64 (AMD64) | CPU architecture: Graviton (ARM64)
---|---|---|---
Linux | eBPF, Tracepoints, Kprobe | Supported | Supported
Provide ECR permissions and subnet details
Before enabling Runtime Monitoring, you must provide the following details:
- Provide a task execution role with permissions: The task execution role requires you to have certain Amazon Elastic Container Registry (Amazon ECR) permissions. You can either use the AmazonECSTaskExecutionRolePolicy managed policy or add the following permissions to your TaskExecutionRole policy:
  ... "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", ...
To further restrict the Amazon ECR permissions, you can add the Amazon ECR repository URI that hosts the GuardDuty security agent for AWS Fargate (Amazon ECS only). For more information, see Repository for GuardDuty agent on AWS Fargate (Amazon ECS only).
- Provide subnet details in task definition: You can either provide the public subnets as an input in your task definition or create an Amazon ECR VPC endpoint.
  - Using task definition option – Running the CreateService and UpdateService APIs in the Amazon Elastic Container Service API Reference requires you to pass the subnet information. For more information, see Amazon ECS task definitions in the Amazon Elastic Container Service Developer Guide.
  - Using the Amazon ECR VPC endpoint option – Provide a network path to Amazon ECR. Ensure that the Amazon ECR repository URI that hosts the GuardDuty security agent is network accessible. If your Fargate tasks will run in a private subnet, Fargate needs a network path to download the GuardDuty container. For information about enabling Fargate to download the GuardDuty container, see Using Amazon ECR images with Amazon ECS in the Amazon Elastic Container Registry User Guide.
Validating your organization service control policy
This step is required for GuardDuty to support Runtime Monitoring and assess coverage across different resource types.
If you have set up a service control policy (SCP) to manage permissions in your organization, validate that the permissions boundary is not restricting guardduty:SendSecurityTelemetry in your TaskExecutionRole and its policy. The following policy is an example that allows the guardduty:SendSecurityTelemetry action:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ ..., ..., "guardduty:SendSecurityTelemetry" ], "Resource": "*" } ] }
Use the following steps to validate that the permissions boundary on the role doesn't restrict guardduty:SendSecurityTelemetry:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, under Access management, choose Roles.
- Choose the Role name to open the details page.
- Expand the Permissions boundary section. Ensure that guardduty:SendSecurityTelemetry is not denied or restricted.
Use the following steps to validate that the permissions boundary for your TaskExecutionRole policy doesn't restrict guardduty:SendSecurityTelemetry:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, under Access management, choose Policies.
- Choose the Policy name to open the details page.
- Under the Entities attached tab, view the Attached as a permissions boundary section. Ensure that guardduty:SendSecurityTelemetry is not denied or restricted.
For information about policies and permissions, see Permissions boundaries in the IAM User Guide.
If you are a member account, connect with the associated delegated administrator. For information about managing SCPs for your organization, see Service control policies (SCPs).
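The console steps above can be repeated offline against an exported policy document. The following added example (not from the AWS documentation) applies the same rule to a permissions boundary or SCP JSON: an explicit Deny on guardduty:SendSecurityTelemetry, or the absence of any Allow covering it, means the boundary restricts the action. The sample policy documents are constructed for illustration; Resource and Condition elements are deliberately ignored in this simplified check.

```python
import fnmatch

ACTION = "guardduty:SendSecurityTelemetry"


def _as_list(value):
    """IAM accepts a single string or a list for Action, NotAction and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True when the statement's Action (or NotAction) element covers the action."""
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def check_boundary(policy, action=ACTION):
    """Return 'denied', 'allowed' or 'not allowed' for the action under this boundary/SCP.
    Explicit Deny wins; otherwise an Allow must cover the action, or the boundary
    blocks it. Resource and Condition elements are ignored (simplified evaluation)."""
    statements = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements):
        return "denied"
    if any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements):
        return "allowed"
    return "not allowed"


# Constructed sample boundaries for illustration (not taken from the page)
BOUNDARY_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                                   "guardduty:SendSecurityTelemetry"], "Resource": "*"}]}
BOUNDARY_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "guardduty:*", "Resource": "*"}]}
BOUNDARY_MISSING = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "NotAction": "guardduty:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in [("ok", BOUNDARY_OK), ("deny", BOUNDARY_DENY), ("missing", BOUNDARY_MISSING)]:
        print(name, check_boundary(doc))
```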
CPU and memory limits
In the Fargate task definition, you must specify the CPU and memory value at the task level. The following table shows the valid combinations of task-level CPU and memory values, and the corresponding GuardDuty security agent maximum memory limit for the GuardDuty container.
CPU value | Memory value | GuardDuty agent maximum memory limit
---|---|---
256 (.25 vCPU) | 512 MiB, 1 GB, 2 GB | 128 MB
512 (.5 vCPU) | 1 GB, 2 GB, 3 GB, 4 GB | 128 MB
1024 (1 vCPU) | 2 GB, 3 GB, 4 GB | 128 MB
1024 (1 vCPU) | 5 GB, 6 GB, 7 GB, 8 GB | 128 MB
2048 (2 vCPU) | Between 4 GB and 16 GB in 1 GB increments | 128 MB
4096 (4 vCPU) | Between 8 GB and 20 GB in 1 GB increments | 128 MB
8192 (8 vCPU) | Between 16 GB and 28 GB in 4 GB increments | 256 MB
8192 (8 vCPU) | Between 32 GB and 60 GB in 4 GB increments | 512 MB
16384 (16 vCPU) | Between 32 GB and 120 GB in 8 GB increments | 1 GB
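To catch an unsupported CPU/memory pair before a task definition is registered, the following added example (not from the AWS documentation) encodes the table above and looks up the agent memory limit for a task definition's task-level cpu and memory values. It assumes, as ECS task definitions do, that memory is expressed in MiB so that a "GB" in the table is 1024 MiB, and that the merged 128 MB cell applies to every row down to 4 vCPU; the sample task definitions are constructed.

```python
GB = 1024  # MiB per "GB" in an ECS task definition (assumption: memory is in MiB)

# (cpu units, allowed task memory values in MiB, agent limit), encoding the table above;
# both 1 vCPU rows share the 128 MB limit, so they are merged here.
COMBINATIONS = [
    (256, [512, 1 * GB, 2 * GB], "128 MB"),
    (512, [m * GB for m in range(1, 5)], "128 MB"),
    (1024, [m * GB for m in range(2, 9)], "128 MB"),
    (2048, [m * GB for m in range(4, 17)], "128 MB"),
    (4096, [m * GB for m in range(8, 21)], "128 MB"),
    (8192, [m * GB for m in range(16, 29, 4)], "256 MB"),
    (8192, [m * GB for m in range(32, 61, 4)], "512 MB"),
    (16384, [m * GB for m in range(32, 121, 8)], "1 GB"),
]


def agent_memory_limit(cpu, memory_mib):
    """Return the GuardDuty agent maximum memory limit for a task-level CPU/memory
    pair, or None when the pair is not one of the verified combinations."""
    for units, memories, limit in COMBINATIONS:
        if units == cpu and memory_mib in memories:
            return limit
    return None


def validate_task_definition(task_def):
    """Report on the task-level cpu/memory of an ECS task definition dict.
    Task definition JSON carries cpu and memory as strings such as '1024' and '2048'."""
    cpu = int(task_def["cpu"])
    memory = int(task_def["memory"])
    limit = agent_memory_limit(cpu, memory)
    return {"cpu": cpu, "memory_mib": memory,
            "supported": limit is not None, "agent_limit": limit}


# Constructed sample task definitions (not from the page): 1 vCPU / 6 GB is verified,
# 8 vCPU / 30 GB is not (the 8 vCPU rows step in 4 GB increments).
SAMPLE_OK = {"family": "app", "cpu": "1024", "memory": "6144",
             "requiresCompatibilities": ["FARGATE"]}
SAMPLE_BAD = {"family": "app", "cpu": "8192", "memory": "30720",
              "requiresCompatibilities": ["FARGATE"]}

if __name__ == "__main__":
    for td in (SAMPLE_OK, SAMPLE_BAD):
        print(validate_task_definition(td))
```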
After you enable Runtime Monitoring and confirm that the coverage status of your cluster is Healthy, you can set up and view the Container insight metrics. For more information, see Setting up monitoring on Amazon ECS cluster.
The next step is to configure Runtime Monitoring and also configure the security agent.