GuardDuty Runtime Monitoring - Amazon GuardDuty

GuardDuty Runtime Monitoring

The GuardDuty Runtime Monitoring feature also includes the preview release of Amazon EC2 instance support, which is subject to Section 2 of the AWS Service Terms ("Betas and Previews").

Runtime Monitoring monitors and analyzes operating system-level events to help you detect potential threats in specific AWS workloads in your environment. Runtime Monitoring was previously available for only Amazon Elastic Kubernetes Service (Amazon EKS) resources, but GuardDuty is now expanding the Runtime Monitoring feature to provide threat detection for the Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Compute Cloud (Amazon EC2) resources. Presently, the Amazon EC2 instance support is available as a preview release and is subject to change.

Runtime Monitoring uses a GuardDuty security agent that adds visibility into runtime behavior, such as file access, process execution, and network connections. For each resource type that you want to monitor for potential threats, you can deploy a GuardDuty security agent that corresponds to the specific resource only. With this extended capability, GuardDuty can help you identify and respond to potential threats that may target applications and data running in your individual workloads and instances. For example, a threat can potentially start by compromising a single container that runs a vulnerable web application. This web application has access permissions to the underlying containers and workloads. In this scenario, incorrectly configured credentials could potentially lead to a broader access to the account, and the data stored within it. By analyzing the runtime events of the individual containers and workloads, GuardDuty can potentially identify container compromise in an initial phase, compromise of AWS credentials, and detect attempts to escalate privileges, make suspicious API requests, and maliciously access the data in your environment.