Uninstalling security agent manually for Amazon EC2 resources
This section provides methods to uninstall the GuardDuty security agent from your Amazon EC2 resources. When you manage the security agent manually, you're responsible for removing the agent from the resources. GuardDuty will not take any action on the resources that you manage.
Choose a preferred access method to uninstall the security agent from your Amazon EC2 resources.
Method 1 - By using the Run command

To uninstall the GuardDuty security agent by using Run Command

- You can uninstall the GuardDuty security agent by following the steps in AWS Systems Manager Run Command in the AWS Systems Manager User Guide. Use the Uninstall action in the parameters to uninstall the GuardDuty security agent.

  In the Targets section, make sure that only the Amazon EC2 instances from which you want to uninstall the security agent are affected.

  Use the following GuardDuty document and distributor:

  - Document name: AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin
  - Distributor: AmazonGuardDuty-RuntimeMonitoringSsmPlugin

- After providing all the details, when you choose Run, the security agent deployed on the targeted Amazon EC2 instances is removed.

To remove the Amazon VPC endpoint configuration, you must disable both Runtime Monitoring and Amazon EKS Runtime Monitoring.
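The Run Command procedure above, driven from the AWS CLI, as an added example that is not code from the AWS documentation. It uses the document and Distributor package names given on this page; the parameter names Action and Name, the value Uninstall for Action, and an authenticated AWS CLI v2 are assumptions about the SSM document and the environment. Targets are accepted only as explicit EC2 instance IDs, which is the practical way to honour the note about limiting the impact to the intended instances.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: run the GuardDuty agent
# "Uninstall" action through Systems Manager Run Command from the AWS CLI,
# restricted to explicitly listed EC2 instance IDs.
#
# Assumptions not stated on this page: the SSM document accepts parameters
# "Action" (value Uninstall) and "Name" (the Distributor package), and the
# AWS CLI v2 is installed and authenticated for the target account/Region.
# DRY_RUN=1 (the default) prints the command instead of sending it.

DOCUMENT_NAME="AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"
PACKAGE_NAME="AmazonGuardDuty-RuntimeMonitoringSsmPlugin"
DRY_RUN="${DRY_RUN:-1}"

# Succeed only when every argument is an EC2 instance ID (8 or 17 hex digits).
# Tags, wildcards and an empty list are rejected so the command cannot reach
# instances beyond the ones named.
validate_instance_ids() {
  [ "$#" -gt 0 ] || return 1
  for id in "$@"; do
    printf '%s\n' "$id" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$' || return 1
  done
}

# Comma-join the IDs into the Values= list that --targets expects.
join_ids() {
  out=""
  for id in "$@"; do
    out="${out:+$out,}$id"
  done
  printf '%s' "$out"
}

# Render the send-command call as one line (used for dry runs and review).
build_send_command() {
  validate_instance_ids "$@" || return 1
  printf 'aws ssm send-command --document-name %s --targets Key=InstanceIds,Values=%s --parameters Action=Uninstall,Name=%s\n' \
    "$DOCUMENT_NAME" "$(join_ids "$@")" "$PACKAGE_NAME"
}

# Send the command and report per-instance status so removal can be confirmed.
run_uninstall() {
  validate_instance_ids "$@" || {
    echo "refusing: targets must be explicit EC2 instance IDs" >&2; return 1; }
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] $(build_send_command "$@")"
    return 0
  fi
  command_id=$(aws ssm send-command \
      --document-name "$DOCUMENT_NAME" \
      --targets "Key=InstanceIds,Values=$(join_ids "$@")" \
      --parameters "Action=Uninstall,Name=$PACKAGE_NAME" \
      --query 'Command.CommandId' --output text) || return 1
  echo "command id: $command_id"
  # Per-instance Status shows where the uninstall succeeded or failed.
  aws ssm list-command-invocations --command-id "$command_id" --details \
    --query 'CommandInvocations[].[InstanceId,Status]' --output table
}

if [ "$#" -gt 0 ]; then run_uninstall "$@"; fi
```

Run it as `DRY_RUN=0 sh uninstall-agent.sh i-0123456789abcdef0 i-0fedcba987654321f` (constructed IDs); anything that is not an instance ID, such as a tag key or `*`, is refused before any API call is made.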
Method 2 - By using Linux Package Managers

Command to uninstall

The following command uninstalls the GuardDuty security agent from the Amazon EC2 instance to which you connect:

- For RPM:

  sudo rpm -e amazon-guardduty-agent

- For Debian:

  sudo dpkg --purge amazon-guardduty-agent

After you run the command, you can also check the logs associated with the command.
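The same uninstall, scripted so that it runs on either package family and then verifies the result, as an added example that is not from the AWS documentation. The package name and the two commands are the ones above; the mapping of /etc/os-release IDs to rpm or dpkg (for example, Amazon Linux reports ID=amzn) is an assumption this script makes, and the verification uses standard rpm -q and dpkg-query calls.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: choose the uninstall command
# for this host from /etc/os-release, run it, and verify that the
# amazon-guardduty-agent package is really gone.
#
# The package name and the rpm/dpkg commands are the ones this page gives.
# Assumption: the distribution IDs mapped below to "rpm" or "deb" (Amazon
# Linux reports ID=amzn); anything else is refused rather than guessed.

PKG="amazon-guardduty-agent"

# Read ID and ID_LIKE from os-release text on stdin and print "rpm" or "deb".
# Unknown distributions print nothing and return 1.
pkg_family_from_os_release() {
  os_id=""; os_like=""
  while IFS= read -r line; do
    case "$line" in
      ID=*)      os_id=$(printf '%s' "${line#ID=}" | tr -d '"') ;;
      ID_LIKE=*) os_like=$(printf '%s' "${line#ID_LIKE=}" | tr -d '"') ;;
    esac
  done
  # ID first, then the ID_LIKE fallbacks (which may be space separated).
  for tok in $os_id $os_like; do
    case "$tok" in
      amzn|rhel|fedora|centos|rocky|almalinux|sles|opensuse*) echo rpm; return 0 ;;
      debian|ubuntu) echo deb; return 0 ;;
    esac
  done
  return 1
}

# The page's uninstall command for the detected family.
uninstall_command() {
  case "$1" in
    rpm) echo "sudo rpm -e $PKG" ;;
    deb) echo "sudo dpkg --purge $PKG" ;;
    *)   return 1 ;;
  esac
}

# True while the package is installed. dpkg-query is used rather than dpkg -s
# because a removed-but-not-purged package still has a status record.
is_installed() {
  case "$1" in
    rpm) rpm -q "$PKG" >/dev/null 2>&1 ;;
    deb) dpkg-query -W -f='${Status}' "$PKG" 2>/dev/null | grep -q 'install ok installed' ;;
    *)   return 1 ;;
  esac
}

# Uninstall on this host and confirm removal; non-zero if it is still present.
uninstall_agent() {
  family=$(pkg_family_from_os_release < /etc/os-release) || {
    echo "unsupported distribution; uninstall manually" >&2; return 1; }
  if ! is_installed "$family"; then
    echo "$PKG is not installed"; return 0
  fi
  $(uninstall_command "$family") || return 1
  if is_installed "$family"; then
    echo "$PKG is still present after uninstall" >&2; return 1
  fi
  echo "$PKG removed"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then uninstall_agent; fi
```

Invoke it as `sh uninstall-agent.sh run` on the instance; the final package query is what turns "the command ran" into "the agent is no longer installed", which is the state an auditor will ask you to show.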
Delete the Amazon VPC endpoint

When you want to disable Runtime Monitoring or uninstall the GuardDuty security agent for your account, you can also choose to delete the Amazon VPC endpoint that was created manually (Prerequisite – Creating Amazon VPC endpoint manually).

To delete the Amazon VPC endpoint by using the console

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Endpoints.
- Select the endpoint that was created manually at the time of enabling Runtime Monitoring.
- Choose Actions, Delete VPC endpoints.
- When prompted for confirmation, enter delete.
- Choose Delete.

To delete the Amazon VPC endpoint by using AWS CLI

- delete-vpc-endpoints (AWS Command Line Interface)
- Remove-EC2VpcEndpoint Cmdlet (Tools for Windows PowerShell)
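The CLI path, as an added example that is not part of the AWS documentation: it looks the endpoint up first and deletes it only if it is a GuardDuty data endpoint, so a mistyped ID cannot remove an unrelated endpoint. It assumes an authenticated AWS CLI v2 and that the endpoint's ServiceName has the form com.amazonaws.<region>.guardduty-data, which is taken from the Runtime Monitoring prerequisites rather than from this page.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: delete the manually created
# Runtime Monitoring VPC endpoint with delete-vpc-endpoints, but only after
# confirming that the ID really is a GuardDuty data endpoint.
#
# Assumptions: the AWS CLI v2 is authenticated for the endpoint's Region, and
# the endpoint's ServiceName ends in ".guardduty-data" (taken from the Runtime
# Monitoring prerequisites, not from this page). DRY_RUN=1 (default) asks EC2
# to validate the request without deleting anything.

# A VPC endpoint ID is "vpce-" followed by 8 or 17 hex digits.
validate_endpoint_id() {
  printf '%s\n' "$1" | grep -Eq '^vpce-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Service-name check applied to the ServiceName returned by describe-vpc-endpoints.
is_guardduty_data_service() {
  case "$1" in
    com.amazonaws.*.guardduty-data) return 0 ;;
    *) return 1 ;;
  esac
}

# Look the endpoint up, refuse anything that is not GuardDuty's, then delete.
delete_guardduty_endpoint() {
  vpce="$1"
  validate_endpoint_id "$vpce" || { echo "not a VPC endpoint ID: $vpce" >&2; return 1; }
  service=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce" \
              --query 'VpcEndpoints[0].ServiceName' --output text) || return 1
  is_guardduty_data_service "$service" || {
    echo "refusing: $vpce serves $service, not GuardDuty" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = "1" ]; then
    # With --dry-run EC2 returns a DryRunOperation error (non-zero exit) when
    # the real call would have succeeded, and an authorization error otherwise.
    aws ec2 delete-vpc-endpoints --vpc-endpoint-ids "$vpce" --dry-run
  else
    # Any per-endpoint failure is reported in the Unsuccessful list.
    aws ec2 delete-vpc-endpoints --vpc-endpoint-ids "$vpce" \
      --query 'Unsuccessful[].Error.Message' --output text
  fi
}

if [ "$#" -gt 0 ]; then delete_guardduty_endpoint "$1"; fi
```

Run `DRY_RUN=0 sh delete-endpoint.sh vpce-0123456789abcdef0` (constructed ID) once the dry run confirms permissions; the service-name check is the guard that the console procedure relies on you to perform by eye.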