Uninstalling security agent manually for Amazon EC2 resources - Amazon GuardDuty

This section provides methods to uninstall the GuardDuty security agent from your Amazon EC2 resources. When you manage the security agent manually, you're responsible for removing the agent from the resources. GuardDuty will not take any action on the resources that you manage.

Choose a preferred access method to uninstall the security agent from your Amazon EC2 resources.

Method 1 - By using the Run command

To uninstall the GuardDuty security agent by using Run command
  1. You can uninstall the GuardDuty security agent by following the steps in AWS Systems Manager Run Command in the AWS Systems Manager User Guide. Use the Uninstall action in the parameters to uninstall the GuardDuty security agent.

    In the Targets section, make sure that you select only the Amazon EC2 instances from which you want to uninstall the security agent.

    Use the following GuardDuty document and distributor:

    • Document name: AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin

    • Distributor: AmazonGuardDuty-RuntimeMonitoringSsmPlugin

  2. After providing all the details, when you choose Run, the security agent that is deployed on the targeted Amazon EC2 instances is removed.

    To remove the Amazon VPC endpoint configuration, you must disable both Runtime Monitoring and Amazon EKS Runtime Monitoring.

Method 2 - By using Linux Package Managers

  1. Connect with SSH from Linux or macOS.

  2. Command to uninstall

    The following command will uninstall the GuardDuty security agent from the Amazon EC2 instance to which you connect:

    • For RPM:

      sudo rpm -e amazon-guardduty-agent

    • For Debian:

      sudo dpkg --purge amazon-guardduty-agent

    After you run the command, you can also check the logs associated with the command.
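
The two commands above, wrapped in a script that finds which package database holds the agent, removes it, and confirms the package is gone. This is an added example, not part of the AWS documentation; the function names, the dry-run default, the `--apply` argument and the exit codes are this example's own conventions.

```sh
#!/bin/sh
# Added example (not AWS-provided code). Package name is taken from the commands above.
PKG="amazon-guardduty-agent"

# Print which package database holds the agent: "rpm" or "dpkg". Fails if neither does.
# dpkg -s also succeeds for a removed-but-unpurged package, which --purge then cleans up.
agent_manager() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$PKG" >/dev/null 2>&1; then
        echo rpm
    elif command -v dpkg >/dev/null 2>&1 && dpkg -s "$PKG" >/dev/null 2>&1; then
        echo dpkg
    else
        return 1
    fi
}

# Print the uninstall command this page gives for the named package manager.
uninstall_cmd() {
    case "$1" in
        rpm)  echo "sudo rpm -e $PKG" ;;
        dpkg) echo "sudo dpkg --purge $PKG" ;;
        *)    return 2 ;;
    esac
}

# Uninstall and verify. Return codes (this example's convention):
#   0 removed, or dry run printed; 3 agent not installed; 4 still present afterwards.
remove_agent() {
    mode="${1:-dry-run}"
    mgr=$(agent_manager) || { echo "$PKG is not installed"; return 3; }
    cmd=$(uninstall_cmd "$mgr")
    if [ "$mode" != "--apply" ]; then
        echo "would run: $cmd"
        return 0
    fi
    $cmd || return $?
    if agent_manager >/dev/null; then
        echo "$PKG still present after: $cmd" >&2
        return 4
    fi
    echo "$PKG removed via $mgr"
}

# Acts only when given an argument: "--apply" removes, anything else is a dry run.
if [ "$#" -gt 0 ]; then remove_agent "$1"; fi
```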

Delete the Amazon VPC endpoint

When you want to disable Runtime Monitoring or uninstall the GuardDuty security agent for your account, you can also choose to delete the Amazon VPC endpoint that was created manually (Prerequisite – Creating Amazon VPC endpoint manually).

To delete the Amazon VPC endpoint by using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the endpoint that was created manually at the time of enabling Runtime Monitoring.

  4. Choose Actions, Delete VPC endpoints.

  5. When prompted for confirmation, enter delete.

  6. Choose Delete.

To delete the Amazon VPC endpoint by using AWS CLI