Approaches to manage GuardDuty security agent

Amazon EKS clusters - Approaches to manage GuardDuty security agent

For GuardDuty to consume the runtime events from your EKS clusters at account level or cluster level, it is required to manage the GuardDuty security agent for the corresponding clusters.

Approaches to manage GuardDuty security agent

Prior to September 13, 2023, you could configure GuardDuty to manage the security agent at the account level. This behavior indicated that by default, GuardDuty will manage the security agent on all the EKS clusters that belong to an AWS account. Now, GuardDuty provides a granular capability to help you choose the EKS clusters where you want GuardDuty to manage the security agent.

When you choose to Manage GuardDuty security agent manually, you can still select the EKS clusters that you want to monitor. However, to manage the agent manually, creating a Amazon VPC endpoint for your AWS account is a prerequisite.

Note

Regardless of the approach that you use to manage the GuardDuty security agent, EKS Runtime Monitoring is always enabled at the account level.

Manage security agent through GuardDuty

GuardDuty deploys and manages the security agent on your behalf. At any point in time, you can monitor the EKS clusters in your account by using one of the following approaches.

Monitor all of the EKS clusters

  • When to use this approach – Use this approach when you want GuardDuty to deploy and manage the security agent for all the EKS clusters in your account. By default, GuardDuty will also deploy the security agent on a potentially new EKS cluster created in your account.

  • Impact of using this approach:

    • GuardDuty creates an Amazon Virtual Private Cloud (Amazon VPC) endpoint through which the GuardDuty security agent delivers the runtime events to GuardDuty. There is no additional cost for the creation of the Amazon VPC endpoint when you manage the security agent through GuardDuty.

    • It is required that your worker node has a valid network path to an active guardduty-data VPC endpoint. GuardDuty deploys the security agent on your EKS clusters. Amazon Elastic Kubernetes Service (Amazon EKS) will coordinate the deployment of the security agent on the nodes within the EKS clusters.

    • On the basis of IP availability, GuardDuty selects the subnet to create a VPC endpoint. If you use advanced network topologies, you must validate that the connectivity is possible.

  • Consideration – Presently, when you use this option, EKS Runtime Monitoring doesn't create a shared VPC.

Monitor all of the EKS clusters and exclude selective EKS clusters

  • When to use this approach – Use this approach when you want GuardDuty to manage the security agent for all EKS clusters in your account but exclude selective EKS clusters. This method uses a tag-based1 approach wherein you can tag the EKS clusters for which you don't want to receive the runtime events. The pre-defined tag must have GuardDutyManaged-false as the key-value pair.

  • Impact of using this approach:

    • This approach requires that you to enable GuardDuty agent auto-management only after adding tags to the EKS clusters that you want to exclude from monitoring.

      Therefore, the impact when you Manage security agent through GuardDuty applies to this approach too. When you add tags prior to enabling GuardDuty agent auto-management, GuardDuty will neither deploy nor manage the security agent for the EKS clusters that are excluded from monitoring.

  • Considerations:

    • You must add the tag key-value pair as GuardDutyManaged:false for the selective EKS clusters before enabling Automated agent configuration otherwise, the GuardDuty security agent will be deployed on all the EKS clusters until you use the tag.

    • You must prevent the tags from being modified, except by trusted identities.

      Important

      Manage permissions for modifying the value of the GuardDutyManaged tag for your EKS cluster by using service control policies or IAM policies. For more information, see Service control policies (SCPs) in the AWS Organizations User Guide or Control access to AWS resources in the IAM User Guide.

    • For a potentially new EKS cluster that you don't want to monitor, make sure to add the GuardDutyManaged-false key-value pair at the time of creating this EKS cluster.

    • This approach will also have the same consideration as specified for Monitor all of the EKS clusters.

Monitor selective EKS clusters

  • When to use this approach – Use this approach when you want GuardDuty to deploy and manage the updates to the security agent only for selective EKS clusters in your account. This method uses a tag-based1 approach wherein you can tag the EKS cluster for which you want to receive the runtime events.

  • Impact of using this approach:

    • By using inclusion tags, GuardDuty will automatically deploy and manage the security agent only for the selective EKS clusters that are tagged with GuardDutyManaged-true as the key-value pair.

    • Using this approach will also have the same impact as specified for Monitor all of the EKS clusters.

  • Considerations:

    • If the value of the GuardDutyManaged tag is not set to true, the inclusion tag will not work as expected and this may impact monitoring your EKS cluster.

    • To ensure that your selective EKS clusters are being monitored, you need to prevent the tags from being modified, except by trusted identities.

      Important

      Manage permissions for modifying the value of the GuardDutyManaged tag for your EKS cluster by using service control policies or IAM policies. For more information, see Service control policies (SCPs) in the AWS Organizations User Guide or Control access to AWS resources in the IAM User Guide.

    • For a potentially new EKS cluster that you don't want to monitor, make sure to add the GuardDutyManaged-false key-value pair at the time of creating this EKS cluster.

    • This approach will also have the same consideration as specified for Monitor all of the EKS clusters.

1For more information about tagging selective EKS clusters, see Tagging your Amazon EKS resources in the Amazon EKS User Guide.

Manage GuardDuty security agent manually

  • When to use this approach – Use this approach when you want deploy and manage the GuardDuty security agent on all of your EKS clusters manually. Ensure that EKS Runtime Monitoring is enabled for your accounts. The GuardDuty security agent may not work as expected if you don't enable EKS Runtime Monitoring.

  • Impact of using this approach – You will need to coordinate the deployment of the GuardDuty security agent software within your EKS clusters across all accounts and AWS Regions where this feature is available.

  • Considerations – You must support secure data flow while monitoring for and addressing coverage gaps as new clusters and workloads are continuously deployed.