

# Identify unauthorized behavior using Runtime Monitoring
<a name="ecs-guard-duty-integration"></a>

Amazon GuardDuty is a threat detection service that helps protect your accounts, containers, workloads, and the data within your AWS environment. Using machine learning (ML) models, and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources and runtime activity to identify and prioritize potential security risks and malicious activities in your environment.

Runtime Monitoring in GuardDuty protects workloads running on Fargate and EC2 container instances by continuously monitoring AWS log and networking activity to identify malicious or unauthorized behavior. Runtime Monitoring uses a lightweight, fully managed GuardDuty security agent that analyzes on-host behavior, such as file access, process execution, and network connections. This covers issues such as privilege escalation, use of exposed credentials, communication with malicious IP addresses or domains, and the presence of malware on your Amazon EC2 instances and container workloads. For more information, see [GuardDuty Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html) in the *GuardDuty User Guide*.

Your security administrator enables Runtime Monitoring for one or more accounts in AWS Organizations for GuardDuty. They also select whether GuardDuty automatically deploys the GuardDuty security agent when you use Fargate. If they do, all your clusters are automatically protected, and GuardDuty manages the security agent on your behalf.

You can also manually configure the GuardDuty security agent in the following cases:
+ You use EC2 container instances
+ You need granular control to enable Runtime Monitoring at the cluster level

To use Runtime Monitoring, you must configure the clusters that are protected, and install and manage the GuardDuty security agent on your EC2 container instances.

## How Runtime Monitoring works with Amazon ECS
<a name="ecs-runtime-monitoring-events"></a>

Runtime Monitoring uses a lightweight GuardDuty security agent that monitors how applications in your Amazon ECS workloads request, gain access to, and consume the underlying system resources.

For Fargate tasks, the GuardDuty security agent runs as a sidecar container for each task. 

For EC2 container instances, the GuardDuty security agent runs as a process on the instance. 

The GuardDuty security agent collects data from the following resources, and then sends the data to GuardDuty to process. You can view the findings in the GuardDuty console. You can also send them to other AWS services such as AWS Security Hub CSPM, or a third-party security vendor for aggregation and remediation. For information about how to view and manage findings, see [Managing Amazon GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/findings_management.html) in the *Amazon GuardDuty User Guide*.
+ Responses from the following Amazon ECS API calls:
  + [DescribeClusters](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeClusters.html)

    The response parameters include the Runtime Monitoring tag (when the tag is set) when you use the `--include TAGS` option.
  + [DescribeTasks](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html)

    For Fargate, the response parameters include the GuardDuty sidecar container.
  + [ListAccountSettings](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ListAccountSettings.html)

    The response parameters include the Runtime Monitoring account setting, which is set by your security administrator.
+ The container agent introspection data. For more information, see [Amazon ECS container introspection](ecs-agent-introspection.md).
+ The task metadata endpoint for the compute option:
  +  [Amazon ECS task metadata endpoint version 4](task-metadata-endpoint-v4.md)
  +  [Amazon ECS task metadata endpoint version 4 for tasks on Fargate](task-metadata-endpoint-v4-fargate.md)

## Considerations
<a name="ecs-guard-duty-support"></a>

Consider the following when using Runtime Monitoring:
+ Runtime Monitoring has a cost associated with it. For more information, see [Amazon GuardDuty Pricing](https://aws.amazon.com/guardduty/pricing/).
+ Runtime Monitoring is not supported on Amazon ECS Anywhere.
+ Runtime Monitoring is not supported for the Windows operating system.
+ When you use Amazon ECS Exec on Fargate, you must specify the container name because the GuardDuty security agent runs as a sidecar container.
+ You cannot use Amazon ECS Exec on the GuardDuty security agent sidecar container.
+ The IAM user that controls Runtime Monitoring at the cluster level must have the appropriate IAM permissions for tagging. For more information, see [IAM tutorial: Define permissions to access AWS resources based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
+ Fargate tasks must use a task execution role. This role grants the tasks permission to retrieve, update, and manage the GuardDuty security agent, which is stored in an Amazon ECR private repository, on your behalf.
+ Runtime Monitoring is not supported for applications running on Amazon ECS Managed Instances.

## Resource utilization
<a name="ecs-guard-duty-resources"></a>

The tag that you add to the cluster counts toward the cluster tag quota.

The GuardDuty agent sidecar container does not count toward the containers per task definition quota.

As with most security software, there is a slight overhead for GuardDuty. For information about the Fargate memory limits, see [CPU and memory limits](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#ecs-runtime-agent-cpu-memory-limits) in the *GuardDuty User Guide*. For information about the Amazon EC2 memory limits, see [CPU and memory limit for GuardDuty agent](https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#ec2-cpu-memory-limits-gdu-agent).

# Runtime Monitoring for Amazon ECS Fargate workloads
<a name="ecs-guard-configure-automatic"></a>

If you use EC2 container instances, you must manually configure Runtime Monitoring. For more information, see [Runtime Monitoring for EC2 workloads on Amazon ECS](ecs-guard-duty-configure-manual.md).

You can have GuardDuty manage the security agent on your behalf. This option is only available for Fargate. This option (GuardDuty agent management) is available in GuardDuty

When you use GuardDuty agent management, GuardDuty performs the following operations:
+ Creates VPC endpoints for GuardDuty for each VPC that hosts a cluster.
+ Retrieves and installs the latest GuardDuty security agent as a sidecar container on all new standalone Fargate tasks and new service deployments.

  A new service deployment happens the first time you launch a service, or when you update an existing service with the **force new deployment** option.

# Turning on Runtime Monitoring for Amazon ECS
<a name="ecs-guard-duty-configure-automatic-guard-duty"></a>

You can configure GuardDuty to automatically manage the security agent for all your Fargate clusters.

## Prerequisites
<a name="ecs-guard-duty-configure-automatic-guard-duty-prerequisite"></a>

The following are prerequisites for using Runtime Monitoring:
+ The Fargate platform version must be `1.4.0` or later for Linux. 
+ IAM roles and permissions for Amazon ECS:
  + Fargate tasks must use a task execution role. This role grants the tasks permission to retrieve, update, and manage the GuardDuty security agent on your behalf. For more information, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md).
  + You control Runtime Monitoring for a cluster with a pre-defined tag. If your access policies restrict access based on tags, you must grant explicit permissions to your IAM users to tag clusters. For more information, see [IAM tutorial: Define permissions to access AWS resources based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
+ Connecting to the Amazon ECR repository:

  The GuardDuty security agent is stored in an Amazon ECR repository. Each standalone and service task must have access to the repository. You can use one of the following options:
  + For tasks in public subnets, you can either use a public IP address for the task, or create a VPC endpoint for Amazon ECR in the subnet where the task runs. For more information, see [Amazon ECR interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html) in the *Amazon Elastic Container Registry User Guide*.
  + For tasks in private subnets, you can use a Network Address Translation (NAT) gateway, or create a VPC endpoint for Amazon ECR in the subnet where the task runs.

    For more information, see [Private subnet and NAT gateway](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/networking-outbound.html#networking-private-subnet).
+ You must have the `AWSServiceRoleForAmazonGuardDuty` role for GuardDuty. For more information, see [Service-linked role permissions for GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) in the *Amazon GuardDuty User Guide*.
+ Any files that you want to protect with Runtime Monitoring must be accessible by the root user. If you manually changed the permissions of a file, you must set it to `755`.

The following are prerequisites for using Runtime Monitoring on EC2 container instances:
+ You must use version `20230929` or later of the Amazon ECS-AMI.
+ You must run Amazon ECS agent version `1.77` or later on the container instances.
+ You must use kernel version `5.10` or later.
+ For information about the supported Linux operating systems and architectures, see [Which operating models and workloads does GuardDuty Runtime Monitoring support](https://aws.amazon.com//guardduty/faqs/?nc1=h_ls#product-faqs#guardduty-faqs#guardduty-ecs-runtime-monitoring).
+ You can use Systems Manager to manage your container instances. For more information, see [Setting up Systems Manager for EC2 instances](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html) in the *AWS Systems Manager Session Manager User Guide*.

## Procedure
<a name="ecs-guard-duty-configure-automatic-guard-duty-procedure"></a>

You enable Runtime Monitoring in GuardDuty. For information about how to enable the feature, see [Enabling Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html) in the *Amazon GuardDuty User Guide*. 

# Adding Runtime Monitoring to existing Amazon ECS Fargate tasks
<a name="ecs-guard-duty-configure-automatic-existing-tasks"></a>

When you turn on Runtime Monitoring, all new standalone tasks, and new service deployments in the cluster are protected automatically. In order to preserve the immutability constraint, existing tasks are not affected.

## Prerequisites
<a name="ecs-guard-duty-configure-automatic-existing-tasks-prerequisites"></a>

1. Turn on Runtime Monitoring. For more information, see [Turning on Runtime Monitoring for Amazon ECS](ecs-guard-duty-configure-automatic-guard-duty.md).

1. Fargate tasks must use a task execution role. This role grants the tasks permission to retrieve, update, and manage the GuardDuty security agent on your behalf. For more information, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md).

## Procedure
<a name="ecs-guard-duty-configure-automatic-existing-tasks-procedure"></a>
+ To immediately protect a task, you need to perform one of the following actions:
  + For standalone tasks, stop the tasks, and then start them. For more information, see [Stopping an Amazon ECS task](standalone-task-stop.md) and [Running an application as an Amazon ECS task](standalone-task-create.md).
  + For tasks that are part of a service, update the service with the "force new deployment" option. For more information, see [Updating an Amazon ECS service](update-service-console-v2.md).

# Removing Runtime Monitoring from an Amazon ECS cluster
<a name="ecs-guard-duty-manage-subset-automatic"></a>

You might want to exclude certain clusters from protection, for example clusters that you use for testing. Removing Runtime Monitoring from a cluster causes GuardDuty to perform the following operations on resources in the cluster:
+ No longer deploys the GuardDuty security agent to new standalone Fargate tasks, or new service deployments.

  In order to preserve the immutability constraint, existing tasks and deployments with Runtime Monitoring enabled are not affected.
+ Stops billing and no longer accepts runtime events for tasks.

## Procedure
<a name="ecs-guard-duty-manage-subset-automatic-procedure"></a>

Perform the following steps to remove Runtime Monitoring from a cluster.

1. Use the Amazon ECS console or AWS CLI to set the `GuardDutyManaged` tag key on the cluster to `false`. For more information, see [Updating a cluster](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-cluster-v2.html) or [Working with tags using the CLI or API](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html#tag-resources-api-sdk). Use the following values for the tag.

   **Note**  
   The Key and Value are case sensitive and must exactly match the strings.

   Key = `GuardDutyManaged`, Value = `false`

1. Delete the GuardDuty VPC endpoint for the cluster. For more information about how to delete VPC endpoints, see [Delete an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/delete-interface-endpoint.html) in the *AWS PrivateLink User Guide*.

# Removing Runtime Monitoring for Amazon ECS from an account
<a name="ecs-guard-duty-manage-remove-automatic"></a>

When you no longer want to use Runtime Monitoring, disable the feature in GuardDuty. For information about how to disable the feature, see [Enabling Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html) in the *Amazon GuardDuty User Guide*. 

GuardDuty performs the following operations:
+ Deletes the VPC endpoints for GuardDuty for each VPC that hosts a cluster.
+ No longer deploys the GuardDuty security agent to new standalone Fargate tasks, or new service deployments.

  In order to preserve the immutability constraint, existing tasks and deployments are not affected until they are stopped, replicated, or scaled.
+ Stops billing and no longer accepts runtime events for tasks.

# Runtime Monitoring for EC2 workloads on Amazon ECS
<a name="ecs-guard-duty-configure-manual"></a>

Use this option when you use EC2 instances for your capacity, or when you need granular control of Runtime Monitoring at the cluster level on Fargate.

You provision the clusters for Runtime Monitoring by adding a pre-defined tag. 

For EC2 container instances, you download, install, and manage the GuardDuty security agent.

For Fargate, GuardDuty manages the security agent on your behalf.

# Turning on Runtime Monitoring for Amazon ECS
<a name="ecs-guard-duty-configure-manual-guard-duty"></a>

You can turn on Runtime Monitoring for clusters with EC2 instances, or when you need granular control of Runtime Monitoring at the cluster level on Fargate.

The following are prerequisites for using Runtime Monitoring:
+ The Fargate platform version must be `1.4.0` or later for Linux. 
+ IAM roles and permissions for Amazon ECS:
  + Fargate tasks must use a task execution role. This role grants the tasks permission to retrieve, update, and manage the GuardDuty security agent on your behalf. For more information, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md).
  + You control Runtime Monitoring for a cluster with a pre-defined tag. If your access policies restrict access based on tags, you must grant explicit permissions to your IAM users to tag clusters. For more information, see [IAM tutorial: Define permissions to access AWS resources based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
+ Connecting to the Amazon ECR repository:

  The GuardDuty security agent is stored in an Amazon ECR repository. Each standalone and service task must have access to the repository. You can use one of the following options:
  + For tasks in public subnets, you can either use a public IP address for the task, or create a VPC endpoint for Amazon ECR in the subnet where the task runs. For more information, see [Amazon ECR interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html) in the *Amazon Elastic Container Registry User Guide*.
  + For tasks in private subnets, you can use a Network Address Translation (NAT) gateway, or create a VPC endpoint for Amazon ECR in the subnet where the task runs.

    For more information, see [Private subnet and NAT gateway](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/networking-outbound.html#networking-private-subnet).
+ You must have the `AWSServiceRoleForAmazonGuardDuty` role for GuardDuty. For more information, see [Service-linked role permissions for GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html) in the *Amazon GuardDuty User Guide*.
+ Any files that you want to protect with Runtime Monitoring must be accessible by the root user. If you manually changed the permissions of a file, you must set it to `755`.

The following are prerequisites for using Runtime Monitoring on EC2 container instances:
+ You must use version `20230929` or later of the Amazon ECS-AMI.
+ You must run Amazon ECS agent version `1.77` or later on the container instances.
+ You must use kernel version `5.10` or later.
+ For information about the supported Linux operating systems and architectures, see [Which operating models and workloads does GuardDuty Runtime Monitoring support](https://aws.amazon.com//guardduty/faqs/?nc1=h_ls#product-faqs#guardduty-faqs#guardduty-ecs-runtime-monitoring).
+ You can use Systems Manager to manage your container instances. For more information, see [Setting up Systems Manager for EC2 instances](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html) in the *AWS Systems Manager Session Manager User Guide*.

You turn on Runtime Monitoring in GuardDuty. For information about how to enable the feature, see [Enabling Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html) in the *Amazon GuardDuty User Guide*. 

# Adding Runtime Monitoring to an Amazon ECS cluster
<a name="ecs-guard-duty-configure-manual-customize"></a>

Configure Runtime Monitoring for the cluster, and then install the GuardDuty security agent on your EC2 container instances.

## Prerequisites
<a name="ecs-guard-duty-configure-manual-customize-prereq"></a>

1. Turn on Runtime Monitoring. For more information, see [Turning on Runtime Monitoring for Amazon ECS](ecs-guard-duty-configure-manual-guard-duty.md).

1. You control Runtime Monitoring for a cluster with a pre-defined tag. If your access policies restrict access based on tags, you must grant explicit permissions to your IAM users to tag clusters. For more information, see [IAM tutorial: Define permissions to access AWS resources based on tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

## Procedure
<a name="ecs-guard-duty-configure-manual-customize-procedure"></a>

Perform the following operations to add Runtime Monitoring to a cluster.

1. Create a VPC endpoint for GuardDuty for each cluster VPC. For more information, see [Creating Amazon VPC endpoint manually](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html#creating-vpc-endpoint-ec2-agent-manually) in the *GuardDuty User Guide*.

1. Configure the EC2 container instances.

   1. Update the Amazon ECS agent to version `1.77` or later on the EC2 container instances in the cluster. For more information, see [Updating the Amazon ECS container agent](ecs-agent-update.md).

   1. Install the GuardDuty security agent on the EC2 container instances in the cluster. For more information, see [Managing the security agent on an Amazon EC2 instance manually](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html) in the *GuardDuty User Guide*.

      All new and existing tasks, and deployments are immediately protected because the GuardDuty security agent runs as a process on the EC2 container instance.

1. Use the Amazon ECS console or AWS CLI to set the `GuardDutyManaged` tag key on the cluster to `true`. For more information, see [Updating a cluster](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-cluster-v2.html) or [Working with tags using the CLI or API](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html#tag-resources-api-sdk). Use the following values for the tag.

   **Note**  
   The Key and Value are case sensitive and must exactly match the strings.

   Key = `GuardDutyManaged`, Value = `true`

# Adding Runtime Monitoring to existing Amazon ECS tasks
<a name="ecs-guard-duty-configure-manual-existing-tasks"></a>

When you turn on Runtime Monitoring, all new standalone tasks, and new service deployments in the cluster are protected automatically. In order to preserve the immutability constraint, existing tasks are not affected.

## Prerequisites
<a name="ecs-guard-duty-configure-manual-existing-tasks-prerequisites"></a>
+ Turn on Runtime Monitoring. For more information, see [Turning on Runtime Monitoring for Amazon ECS](ecs-guard-duty-configure-manual-guard-duty.md).

## Procedure
<a name="ecs-guard-duty-configure-manual-existing-tasks-procedure"></a>
+ To immediately protect a task, you need to perform one of the following actions:
  + For standalone tasks, stop the tasks, and then start them. For more information, see [Stopping an Amazon ECS task](standalone-task-stop.md) and [Running an application as an Amazon ECS task](standalone-task-create.md).
  + For tasks that are part of a service, update the service with the "force new deployment" option. For more information, see [Updating an Amazon ECS service](update-service-console-v2.md).

# Removing Runtime Monitoring from an Amazon ECS cluster
<a name="ecs-guard-duty-remove-manual"></a>

You can remove Runtime Monitoring from a cluster. This causes GuardDuty to stop monitoring all resources in the cluster.

**To remove Runtime Monitoring from a cluster**

1. Use the Amazon ECS console or AWS CLI to set the `GuardDutyManaged` tag key on the cluster to `false`. For more information, see [Updating a cluster](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-cluster-v2.html) or [Working with tags using the CLI or API](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html#tag-resources-api-sdk).

   **Note**  
   The Key and Value are case sensitive and must exactly match the strings.

   Key = `GuardDutyManaged`, Value = `false`

1. Uninstall the GuardDuty security agent on your EC2 container instances in the cluster.

   For more information, see [Uninstalling the security agent manually](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html#gdu-update-security-agent-ec2) in the *GuardDuty User Guide*.

1. Delete the GuardDuty VPC endpoint for each cluster VPC. For more information about how to delete VPC endpoints, see [Delete an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/delete-interface-endpoint.html) in the *AWS PrivateLink User Guide*.

# Updating the GuardDuty security agent on your Amazon ECS container instances
<a name="ecs-guard-duty-manage-update-agent"></a>

For information about how to update the GuardDuty security agent on your EC2 container instances, see [Updating GuardDuty security agent](https://docs.aws.amazon.com/guardduty/latest/ug/managing-gdu-agent-ec2-manually.html#gdu-update-security-agent-ec2) in the *Amazon GuardDuty User Guide*.

# Removing Runtime Monitoring for Amazon ECS from an account
<a name="ecs-guard-duty-manage-remove-protection-manual"></a>

When you no longer want to use Runtime Monitoring, disable the feature in GuardDuty. For information about how to disable the feature, see [Enabling Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html) in the *Amazon GuardDuty User Guide*.

Remove Runtime Monitoring from all clusters. For more information, see [Removing Runtime Monitoring from an Amazon ECS cluster](ecs-guard-duty-remove-manual.md).

# Runtime Monitoring Troubleshooting
<a name="ecs-guard-duty-troubleshooting"></a>

You might need to troubleshoot or verify that Runtime Monitoring is enabled and running on your tasks and containers.

**Topics**
+ [How can I tell if Runtime Monitoring is active on my account?](#verify-ecs-runtime-enabled)
+ [How can I tell if Runtime Monitoring is active on a cluster?](#verify-ecs-runtime-enabled)
+ [How can I tell if the GuardDuty security agent is running on a Fargate task?](#verify-ecs-runtime-fargate-run)
+ [How can I tell if the GuardDuty security agent is running on an EC2 container instance?](#verify-ecs-runtime-ec2-run)
+ [What happens when there is no task execution role for a task running on the cluster?](#no-task-execution-role)
+ [How can I tell if I have the correct permissions to tag clusters for Runtime Monitoring?](#tag-permissions)
+ [What happens when there is no connection to Amazon ECR?](#no-ecr-connection)
+ [How do I address out of memory errors on my Fargate tasks after enabling Runtime Monitoring?](#memory-error)

## How can I tell if Runtime Monitoring is active on my account?
<a name="verify-ecs-runtime-enabled"></a>

In the Amazon ECS console, the information is on the **Account Settings** page.

You can also run `list-account-settings` with the `effective-settings` option.

```
aws ecs list-account-settings --effective-settings
```

Output

The setting with **name** set to `guardDutyActivate` and **value** set to `on` indicates that the account is configured. You must check with your GuardDuty administrator to see if the management is automatic or manual.

```
{
    "setting": {
        "name": "guardDutyActivate",
        "value": "enabled",
        "principalArn": "arn:aws:iam::123456789012:root",
        "type": "aws-managed"
    }
}
```

## How can I tell if Runtime Monitoring is active on a cluster?
<a name="verify-ecs-runtime-enabled"></a>

You can review the coverage statistics in the GuardDuty console. The coverage statistic for the Amazon ECS resources associated with your own account or your member accounts is the percentage of healthy clusters among all the clusters in the selected AWS Region. This includes coverage for clusters that use Fargate and EC2 container instances. For more information, see [Reviewing coverage statistics](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-assess-coverage-ecs.html#ecs-review-coverage-statistics-ecs-runtime-monitoring) in the *Amazon GuardDuty User Guide*.

## How can I tell if the GuardDuty security agent is running on a Fargate task?
<a name="verify-ecs-runtime-fargate-run"></a>

The GuardDuty security agent runs as a sidecar container for Fargate tasks.

In the Amazon ECS console, the sidecar is displayed under **Containers** on the **Task details** page. 

You can run `describe-tasks` and look for the container with a **name** set to `aws-gd-agent` and the **lastStatus** set to `RUNNING`.

The following example shows the output for the default cluster for task `arn:aws:ecs:us-east-1:123456789012:task/0b69d5c0-d655-4695-98cd-5d2d5EXAMPLE`.

```
aws ecs describe-tasks --cluster default --tasks arn:aws:ecs:us-east-1:123456789012:task/0b69d5c0-d655-4695-98cd-5d2d5EXAMPLE
```

Output

The container named `aws-gd-agent` is in the `RUNNING` state.

```
"containers": [ 
      {
        "containerArn": "arn:aws:ecs:us-east-1:123456789012:container/4df26bb4-f057-467b-a079-96167EXAMPLE", 
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/0b69d5c0-d655-4695-98cd-5d2d5EXAMPLE", 
        "lastStatus": "RUNNING",
        "healthStatus": "UNKNOWN",
        "memory": "string",
        "name": "aws-gd-agent" 
      }
    ]
```
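The three checks above (account setting, cluster tag, and task sidecar) can be scripted against saved CLI output. The following is an added example, not code from the Amazon ECS documentation; the `guardDutyActivate` setting name, the `GuardDutyManaged` tag and the `aws-gd-agent` container name come from this page, while the sample JSON documents and the account ID `111122223333` are constructed placeholders.

```python
"""Audit Runtime Monitoring coverage from saved AWS CLI output.

Parses the JSON returned by `aws ecs list-account-settings --effective-settings`,
`aws ecs describe-clusters --include TAGS` and `aws ecs describe-tasks`, and
reports clusters without the GuardDutyManaged tag and tasks without a RUNNING
aws-gd-agent sidecar. All sample documents below are constructed for this
example; account IDs and ARNs are placeholders.
"""
import json

# Names taken from the documentation.
ACCOUNT_SETTING = "guardDutyActivate"
CLUSTER_TAG_KEY = "GuardDutyManaged"
AGENT_CONTAINER = "aws-gd-agent"

# Constructed sample output of `aws ecs list-account-settings --effective-settings`.
SAMPLE_ACCOUNT_SETTINGS = json.dumps({
    "settings": [
        {"name": "containerInsights", "value": "disabled",
         "principalArn": "arn:aws:iam::111122223333:root"},
        {"name": "guardDutyActivate", "value": "enabled",
         "principalArn": "arn:aws:iam::111122223333:root", "type": "aws-managed"},
    ]
})

# Constructed sample output of `aws ecs describe-clusters --include TAGS`.
# "staging" uses the wrong key case, which ECS does not honour (tags are case sensitive).
SAMPLE_CLUSTERS = json.dumps({
    "clusters": [
        {"clusterName": "prod", "tags": [{"key": "GuardDutyManaged", "value": "true"}]},
        {"clusterName": "staging", "tags": [{"key": "guardDutyManaged", "value": "true"}]},
        {"clusterName": "sandbox", "tags": []},
    ]
})

# Constructed sample output of `aws ecs describe-tasks` for two Fargate tasks.
SAMPLE_TASKS = json.dumps({
    "tasks": [
        {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/0b69d5c0EXAMPLE",
         "containers": [{"name": "web", "lastStatus": "RUNNING"},
                        {"name": "aws-gd-agent", "lastStatus": "RUNNING"}]},
        {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/4df26bb4EXAMPLE",
         "containers": [{"name": "web", "lastStatus": "RUNNING"}]},
    ]
})


def runtime_monitoring_active(account_settings_json: str) -> bool:
    """True when the guardDutyActivate account setting is active.

    The documentation shows the value both as "on" and as "enabled",
    so both spellings are accepted."""
    for setting in json.loads(account_settings_json).get("settings", []):
        if setting.get("name") == ACCOUNT_SETTING:
            return str(setting.get("value", "")).lower() in ("on", "enabled")
    return False


def clusters_by_tag_state(clusters_json: str) -> dict:
    """Map cluster name -> True (tag true), False (tag false) or None (tag absent).

    Key and value comparisons are exact, matching the case-sensitive rule
    in the documentation, so a differently spelled tag counts as absent."""
    result = {}
    for cluster in json.loads(clusters_json).get("clusters", []):
        state = None
        for tag in cluster.get("tags", []):
            if tag.get("key") == CLUSTER_TAG_KEY:
                state = tag.get("value") == "true"
        result[cluster["clusterName"]] = state
    return result


def tasks_missing_agent(describe_tasks_json: str) -> list:
    """Return ARNs of tasks that have no RUNNING aws-gd-agent sidecar."""
    missing = []
    for task in json.loads(describe_tasks_json).get("tasks", []):
        protected = any(
            c.get("name") == AGENT_CONTAINER and c.get("lastStatus") == "RUNNING"
            for c in task.get("containers", [])
        )
        if not protected:
            missing.append(task["taskArn"])
    return missing


if __name__ == "__main__":
    print("account setting active:", runtime_monitoring_active(SAMPLE_ACCOUNT_SETTINGS))
    for name, state in clusters_by_tag_state(SAMPLE_CLUSTERS).items():
        print(f"cluster {name}: GuardDutyManaged={state}")
    for arn in tasks_missing_agent(SAMPLE_TASKS):
        print("task without agent sidecar:", arn)
```

To run it against a real account, replace the sample strings with the output of the three CLI commands named in the comments.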

## How can I tell if the GuardDuty security agent is running on an EC2 container instance?
<a name="verify-ecs-runtime-ec2-run"></a>

Run the following command to view the status:

```
sudo systemctl status amazon-guardduty-agent
```

The log file is in the following location:

```
/var/log/amzn-guardduty-agent
```

## What happens when there is no task execution role for a task running on the cluster?
<a name="no-task-execution-role"></a>

For Fargate tasks, the task starts without the GuardDuty security agent sidecar container. The GuardDuty dashboard will show that the task is missing protection in the coverage statistics dashboard.

## How can I tell if I have the correct permissions to tag clusters for Runtime Monitoring?
<a name="tag-permissions"></a>

In order to tag a cluster, you must have the `ecs:TagResource` action for both `CreateCluster` and `UpdateCluster`.

The following is a snippet of an example policy.

```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:CreateAction": [
            "CreateCluster",
            "UpdateCluster"
          ]
        }
      }
    }
  ]
}
```

## What happens when there is no connection to Amazon ECR?
<a name="no-ecr-connection"></a>

For Fargate tasks, the task starts without the GuardDuty security agent sidecar container. The GuardDuty dashboard will show that the task is missing protection in the coverage statistics dashboard.

## How do I address out of memory errors on my Fargate tasks after enabling Runtime Monitoring?
<a name="memory-error"></a>

The GuardDuty security agent is a lightweight process. However, the process still consumes resources according to the size of the workload. We recommend using container resource tracking tooling, such as Amazon CloudWatch Container Insights to stage GuardDuty deployments in your cluster. These tools help you to discover the consumption profile of the GuardDuty security agent for your applications. You can then adjust your Fargate task size, if required, to avoid potential out of memory conditions.