Since Amazon GuardDuty launched in 2017, GuardDuty has been able to analyze tens of billions of events per minute across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, DNS query logs, Amazon Simple Storage Service (Amazon S3) data plane events, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon Relational Database Service (Amazon RDS) login events to protect your AWS accounts and resources.
In 2020, GuardDuty added Amazon S3 protection to continuously monitor and profile S3 data access events and configurations to detect suspicious activities in Amazon S3. Last year, GuardDuty launched Amazon EKS protection to monitor control plane activity by analyzing Kubernetes audit logs from existing and new EKS clusters in your accounts, Amazon EBS malware protection to scan malicious files residing on an EC2 instance or container workload using EBS volumes, and Amazon RDS protection to identify potential threats to data stored in Amazon Aurora databases (recently generally available).
GuardDuty combines machine learning (ML), anomaly detection, network monitoring, and malicious file discovery using various AWS data sources. When threats are detected, GuardDuty automatically sends security findings to AWS Security Hub, Amazon EventBridge, and Amazon Detective. These integrations help centralize monitoring for AWS and partner services, automate responses to malware findings, and perform security investigations from GuardDuty.
Today, we're announcing the general availability of Amazon GuardDuty EKS Runtime Monitoring to detect runtime threats from over 30 security findings to protect your EKS clusters. The new EKS Runtime Monitoring uses a fully managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.
GuardDuty can now identify specific containers within your EKS clusters that are potentially compromised and detect attempts to escalate privileges from an individual container to the underlying Amazon EC2 host and the broader AWS environment. GuardDuty EKS Runtime Monitoring findings provide metadata context to identify potential threats and contain them before they escalate.
Configure EKS Runtime Monitoring in GuardDuty
To get started, first enable EKS Runtime Monitoring with just a few clicks in the GuardDuty console.
When you enable EKS Runtime Monitoring, GuardDuty can start monitoring and analyzing the runtime-activity events for all the existing and new EKS clusters in your accounts. If you want GuardDuty to deploy and update the required EKS-managed add-on for all the existing and new EKS clusters in your account, choose Manage agent automatically. This will also create a VPC endpoint through which the security agent delivers the runtime events to GuardDuty.
If you configure EKS Audit Log Monitoring and runtime monitoring together, you can achieve optimal EKS protection both at the cluster control plane level and all the way down to the individual pod or container operating system level. When used together, threat detection will be more contextual, allowing quick prioritization and response. For example, a runtime-based detection on a pod exhibiting suspicious behavior can be augmented by an audit log-based detection indicating that the pod was unusually launched with elevated privileges.
These options are the default, but they are configurable, and you can uncheck one of the boxes in order to disable EKS Runtime Monitoring. When you disable EKS Runtime Monitoring, GuardDuty immediately stops monitoring and analyzing the runtime-activity events for all the existing EKS clusters. If you had configured automated agent management through GuardDuty, this action also removes the security agent that GuardDuty had deployed.
To learn more, see Configuring EKS Runtime Monitoring in the AWS documentation.
Manage GuardDuty Agent Manually
If you want to manually deploy and update the EKS managed add-on, including the GuardDuty agent, per cluster in your account, uncheck Manage agent automatically in the EKS protection configuration.
When managing the add-on manually, you are also responsible for creating the VPC endpoint through which the security agent delivers the runtime events to GuardDuty. In the VPC endpoint console, choose Create endpoint. In that step, choose Other endpoint services for Service category, enter com.amazonaws.us-east-1.guardduty-data for Service name in the US East (N. Virginia) Region, and choose Verify service.
After the service name is successfully verified, choose the VPC and subnets where your EKS cluster resides. Under Additional settings, choose Enable DNS name. Under Security groups, choose a security group that has inbound port 443 enabled from your VPC (or your EKS cluster).
Add the following policy to restrict VPC endpoint usage to the specified account only:
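The policy itself is not reproduced on this page. The block below is an added example, not the post's or the AWS documentation's own text: it builds an endpoint policy of the kind the paragraph describes (allow everything, then explicitly deny any principal from another account, using the aws:PrincipalAccount condition key) beside the open default, and includes a small model of IAM's evaluation order so the effect can be checked offline. The account ID 111122223333 is a placeholder, and the evaluator understands only the operators these two policies use; it is not a general IAM simulator.

```python
# Added example (not from the AWS post): the VPC endpoint policy that restricts the
# guardduty-data endpoint to a single AWS account, next to the open default, with a
# small model of IAM evaluation so the difference can be checked offline.
# Assumptions: 111122223333 is a placeholder account ID; the evaluator handles only
# what these two policies use (Principal/Action/Resource "*", StringEquals and
# StringNotEquals on aws:PrincipalAccount) and is not a general IAM simulator.
import json


def build_open_policy() -> dict:
    """Weak setting: the full-access endpoint policy, any principal allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
        ],
    }


def build_endpoint_policy(account_id: str) -> dict:
    """Corrected setting: allow everything, then explicitly deny any principal
    whose account is not the one given (an explicit Deny wins over Allow in IAM)."""
    policy = build_open_policy()
    policy["Statement"].append(
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}},
        }
    )
    return policy


def _condition_matches(condition: dict, request_context: dict) -> bool:
    """Evaluate the subset of condition operators this example needs."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = request_context.get(key)  # missing key -> None, as in IAM
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy: dict, request_context: dict) -> str:
    """Simplified IAM decision: a matching Deny always wins, then a matching
    Allow, otherwise the implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), request_context):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def policy_document(account_id: str) -> str:
    """JSON text to paste into the endpoint's Policy field in the VPC console."""
    return json.dumps(build_endpoint_policy(account_id), indent=2)


if __name__ == "__main__":
    own = {"aws:PrincipalAccount": "111122223333"}
    other = {"aws:PrincipalAccount": "999999999999"}
    print("open policy, foreign account:", evaluate(build_open_policy(), other))
    print("restricted policy, own account:", evaluate(build_endpoint_policy("111122223333"), own))
    print("restricted policy, foreign account:", evaluate(build_endpoint_policy("111122223333"), other))
    print(policy_document("111122223333"))
```

The open policy answers Allow for a request from any account; the restricted policy answers Allow only for the named account and Deny for everything else, including a request with no account in its context, which is the behaviour the paragraph asks for.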
Now, you can install the Amazon GuardDuty EKS Runtime Monitoring add-on for your EKS clusters. Select this add-on in the Add-ons tab in your EKS cluster profile on the Amazon EKS console.
When you enable EKS Runtime Monitoring in GuardDuty and deploy the Amazon EKS add-on for your EKS cluster, you can view the new pods with the prefix aws-guardduty-agent. GuardDuty now begins to consume runtime-activity events from all EC2 hosts and containers in the cluster. GuardDuty then analyzes these events for potential threats.
These pods collect various event types and send them to the GuardDuty backend for threat detection and analysis. When managing the add-on manually, you need to go through these steps for each EKS cluster that you want to monitor, including new EKS clusters.
To learn more, see Managing GuardDuty agent manually in the AWS documentation.
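Because manual management means repeating the steps per cluster, a quick check that every node actually has a running agent pod is worth scripting. The block below is an added example, not part of the post or the add-on: it reads the JSON that `kubectl get nodes -o json` and `kubectl get pods -A -o json` print, finds pods whose name starts with the aws-guardduty-agent prefix named in the post, and reports nodes with no running agent. The two sample documents are constructed for this example and contain only the fields the check reads.

```python
# Added example (not from the AWS post): verify that every node in an EKS cluster
# has a running GuardDuty agent pod (name prefix aws-guardduty-agent, as the post
# states) after the add-on has been installed manually.
# Assumptions: inputs are the JSON printed by `kubectl get nodes -o json` and
# `kubectl get pods -A -o json`; the samples below are constructed and carry only
# the fields this check reads (namespaces and labels are deliberately omitted).
import json
import sys

AGENT_POD_PREFIX = "aws-guardduty-agent"

# Constructed sample: three nodes; the agent is Running on one, Pending on a
# second, and absent from the third.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "ip-10-0-1-10.ec2.internal"}},
    {"metadata": {"name": "ip-10-0-2-20.ec2.internal"}},
    {"metadata": {"name": "ip-10-0-3-30.ec2.internal"}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "aws-guardduty-agent-4fk2x"},
     "spec": {"nodeName": "ip-10-0-1-10.ec2.internal"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "aws-guardduty-agent-9zq7p"},
     "spec": {"nodeName": "ip-10-0-2-20.ec2.internal"}, "status": {"phase": "Pending"}},
    {"metadata": {"name": "coredns-5d78c9869d-abcde"},
     "spec": {"nodeName": "ip-10-0-3-30.ec2.internal"}, "status": {"phase": "Running"}},
]})


def agent_coverage(nodes_json: str, pods_json: str) -> dict:
    """Return which nodes have a Running agent pod, which do not, and any
    agent pods that exist but are not Running."""
    nodes = {n["metadata"]["name"] for n in json.loads(nodes_json)["items"]}
    running_on = set()
    unhealthy = {}
    for pod in json.loads(pods_json)["items"]:
        name = pod["metadata"]["name"]
        if not name.startswith(AGENT_POD_PREFIX):
            continue  # not an agent pod
        node = pod.get("spec", {}).get("nodeName")
        phase = pod.get("status", {}).get("phase")
        if phase == "Running" and node:
            running_on.add(node)
        else:
            unhealthy[name] = phase or "Unscheduled"
    return {
        "covered": sorted(nodes & running_on),
        "uncovered": sorted(nodes - running_on),
        "unhealthy": unhealthy,
    }


def has_full_coverage(nodes_json: str, pods_json: str) -> bool:
    report = agent_coverage(nodes_json, pods_json)
    return not report["uncovered"] and not report["unhealthy"]


if __name__ == "__main__":
    # Usage with a live cluster: kubectl get nodes -o json > nodes.json;
    # kubectl get pods -A -o json > pods.json; python this_script.py nodes.json pods.json
    if len(sys.argv) == 3:
        nodes_doc, pods_doc = (open(p).read() for p in sys.argv[1:3])
    else:
        nodes_doc, pods_doc = SAMPLE_NODES, SAMPLE_PODS
    print(json.dumps(agent_coverage(nodes_doc, pods_doc), indent=2))
    sys.exit(0 if has_full_coverage(nodes_doc, pods_doc) else 1)
```

Run against the sample, the report lists one covered node, two uncovered nodes and the Pending agent pod, and the script exits non-zero; that exit status makes it usable as a post-install gate for each cluster you manage by hand.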
Check Out EKS Runtime Security Findings
When GuardDuty detects a potential threat and generates a security finding, you can view the details of the corresponding findings. These security findings indicate either a compromised EC2 instance, a container workload, an EKS cluster, or a set of compromised credentials in your AWS environment.
If you want to generate EKS Runtime Monitoring sample findings for testing purposes, see Generating sample findings in GuardDuty in the AWS documentation. Here is an example of a potential security issue: a newly created or recently modified binary file in an EKS cluster has been executed.
The ResourceType for an EKS Protection finding type could be Container. If the Resource type in the finding details is EKSCluster, it indicates that either a pod or a container inside an EKS cluster is potentially compromised. Depending on the potentially compromised resource type, the finding details may contain Kubernetes workload details, EKS cluster details, or instance details.
The Runtime details, such as process details and any required context, describe information about the observed process, and the runtime context describes any additional information about the potentially suspicious activity.
To remediate a compromised pod or container image, see Remediating EKS Runtime Monitoring findings in the AWS documentation. This document describes the recommended remediation steps for each resource type. To learn more about security finding types, see GuardDuty EKS Runtime Monitoring finding types in the AWS documentation.
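Since the remediation guidance is organized by resource type and the useful context lives in the runtime process details, a responder typically flattens each finding into a small triage record before deciding what to do. The block below is an added example, not the post's or GuardDuty's own code: it normalizes a finding into resource type, cluster, workload and container, the executed binary and its SHA-256, and flags it for escalation when the hash is not on a team allowlist. The sample finding is constructed; its field layout follows the post's description of the finding details, the finding type string is the one the author of this example understands GuardDuty uses for the "new or recently modified binary executed" case, and the account ID, cluster name, paths and hash are placeholders, not real indicators.

```python
# Added example (not from the AWS post): normalize an EKS Runtime Monitoring finding
# into the fields a responder needs first (resource type, cluster/workload/container,
# observed process and its executable hash) so it can be routed to the remediation
# procedure for that resource type.
# Assumptions: SAMPLE_FINDING is constructed; its layout follows the post's
# description of the finding details. The finding type string is what this example's
# author understands GuardDuty emits for "new or modified binary executed". Account
# ID, cluster name, image, paths and the hash are placeholders, not real indicators.
import json

SAMPLE_FINDING = json.dumps({
    "accountId": "111122223333",
    "type": "Execution:Runtime/NewBinaryExecuted",
    "severity": 5,
    "resource": {
        "resourceType": "Container",
        "eksClusterDetails": {"name": "example-cluster"},
        "kubernetesDetails": {
            "kubernetesWorkloadDetails": {"name": "web-frontend", "type": "Deployment", "namespace": "prod"}
        },
        "containerDetails": {"name": "frontend", "image": "registry.example/frontend:1.2"},
    },
    "service": {
        "runtimeDetails": {
            "process": {
                "name": "newbin",
                "executablePath": "/tmp/newbin",
                "executableSha256": "0" * 64,
                "pid": 4242,
                "user": "root",
            },
            "context": {"modifyingProcess": {"name": "curl", "executablePath": "/usr/bin/curl"}},
        }
    },
})

# What each resource type means, as the post describes it.
SCOPE_BY_RESOURCE_TYPE = {
    "Container": "a specific container in the cluster is potentially compromised",
    "EKSCluster": "a pod or container inside the EKS cluster is potentially compromised",
    "Instance": "the EC2 host running the cluster workloads is potentially compromised",
}

# Constructed allowlist of executable hashes the team already knows; a finding whose
# hash is not listed is marked for escalation.
KNOWN_GOOD_SHA256 = {"a" * 64, "b" * 64}


def triage(finding_json: str) -> dict:
    """Flatten one finding into a triage record; missing sections yield None."""
    f = json.loads(finding_json)
    resource = f.get("resource", {})
    rtype = resource.get("resourceType", "Unknown")
    workload = resource.get("kubernetesDetails", {}).get("kubernetesWorkloadDetails", {})
    runtime = f.get("service", {}).get("runtimeDetails", {})
    proc = runtime.get("process", {})
    parent = runtime.get("context", {}).get("modifyingProcess", {})
    sha = proc.get("executableSha256")
    return {
        "finding_type": f.get("type"),
        "severity": f.get("severity"),
        "resource_type": rtype,
        "scope": SCOPE_BY_RESOURCE_TYPE.get(rtype, "unrecognized resource type; inspect the raw finding"),
        "cluster": resource.get("eksClusterDetails", {}).get("name"),
        "workload": "/".join(str(workload.get(k)) for k in ("namespace", "type", "name")) if workload else None,
        "container": resource.get("containerDetails", {}).get("name"),
        "executable": proc.get("executablePath"),
        "executable_sha256": sha,
        "modifying_process": parent.get("executablePath"),
        "runs_as_root": proc.get("user") == "root",
        "escalate": sha is not None and sha not in KNOWN_GOOD_SHA256,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```

The record keeps the hash and the path of the process that wrote the binary together with the workload identifier, which is what you need to locate the image or pod the remediation documentation tells you to act on for that resource type.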
You can now use Amazon GuardDuty for EKS Runtime Monitoring. For a full list of Regions where EKS Runtime Monitoring is available, visit region-specific feature availability.
The first 30 days of GuardDuty for EKS Runtime Monitoring are available at no additional charge for existing GuardDuty accounts. If you enabled GuardDuty for the first time, EKS Runtime Monitoring is not enabled by default and needs to be enabled as described above. After the trial period ends, you can see the estimated cost of EKS Runtime Monitoring in the GuardDuty console. To learn more, see the GuardDuty pricing page.
For more information, see the Amazon GuardDuty User Guide and send feedback to AWS re:Post for Amazon GuardDuty or through your usual AWS Support contacts.