Configuring EKS Runtime Monitoring for a standalone account (API)
A standalone account owns the decision to enable or disable a protection plan in their AWS account in a specific AWS Region.
If your account is associated with a GuardDuty administrator account through AWS Organizations, or by the method of invitation, this section doesn't apply to your account. For more information, see Configuring EKS Runtime Monitoring for multiple-account environments (API).
After you enable Runtime Monitoring, make sure to install the GuardDuty security agent through automated configuration or manual deployment. Installing the security agent is part of completing all the steps listed in the following procedure.
Based on the Approaches to manage GuardDuty security agent in Amazon EKS clusters, choose a preferred approach and follow the corresponding steps in the following table.
Preferred approach to manage GuardDuty security agent: Manage security agent through GuardDuty (Monitor all EKS clusters)

Steps:

- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters in your account.
- Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

      aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'

Preferred approach to manage GuardDuty security agent: Monitor all EKS clusters but exclude some of them (using exclusion tag)

Steps:

- Add a tag to the EKS cluster that you want to exclude from being monitored. The key-value pair is GuardDutyManaged-false. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
- Always add the exclusion tag to your EKS cluster before setting the STATUS of EKS_RUNTIME_MONITORING to ENABLED; otherwise, the GuardDuty security agent will be deployed on all the EKS clusters in your account. Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as ENABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have not been excluded from being monitored.
  Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API. The following example enables both EKS_RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT:

      aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}] }]'
Preferred approach to manage GuardDuty security agent: Monitor selective EKS clusters (using inclusion tag)

Steps:

- Add a tag to the EKS cluster that you want to monitor. The key-value pair is GuardDutyManaged-true. For more information about adding the tag, see Working with tags using the CLI, API, or eksctl in the Amazon EKS User Guide.
  To prevent modification of tags, except by the trusted entities, use the policy provided in Prevent tags from being modified except by authorized principals in the AWS Organizations User Guide. In this policy, replace the following details:
  - Replace ec2:CreateTags with eks:TagResource.
  - Replace ec2:DeleteTags with eks:UntagResource.
  - Replace access-project with GuardDutyManaged.
  - Replace 123456789012 with the AWS account ID of the trusted entity. When you have more than one trusted entity, use the following example to add multiple PrincipalArn values:

        "aws:PrincipalArn":["arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin", "arn:aws:iam::123456789012:role/org-admins/iam-admin"]
- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED. GuardDuty will manage the deployment of and updates to the security agent for all the Amazon EKS clusters that have been tagged with the GuardDutyManaged-true pair.
  Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

      aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'

Preferred approach to manage GuardDuty security agent: Manage the security agent manually

Steps:

- Run the updateDetector API by using your own regional detector ID and passing the features object name as EKS_RUNTIME_MONITORING and status as ENABLED. Set the status for EKS_ADDON_MANAGEMENT as DISABLED.
  Alternatively, you can use the AWS CLI command by using your own regional detector ID. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API. The following example enables EKS_RUNTIME_MONITORING and disables EKS_ADDON_MANAGEMENT:

      aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}] }]'
- To manage the security agent, see Managing security agent manually for Amazon EKS cluster.
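The following is an added example, not code from the AWS documentation: it builds the features payload that the four approaches above pass to UpdateDetector, predicts from a cluster's GuardDutyManaged tag whether GuardDuty will deploy the agent under a given EKS_ADDON_MANAGEMENT setting, and audits a GetDetector response for the intended state. The GetDetector sample is constructed; the helper names and the audit rule are this example's own assumptions.

```python
import json

TAG_KEY = "GuardDutyManaged"  # tag key used by the exclusion/inclusion approaches


def eks_runtime_features(addon_management: bool) -> list:
    """Features payload for UpdateDetector: EKS_RUNTIME_MONITORING ENABLED, with
    EKS_ADDON_MANAGEMENT ENABLED (GuardDuty deploys the agent) or DISABLED
    (inclusion-tag or manual approaches)."""
    return [{
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [{
            "Name": "EKS_ADDON_MANAGEMENT",
            "Status": "ENABLED" if addon_management else "DISABLED",
        }],
    }]


def update_detector_command(detector_id: str, addon_management: bool) -> str:
    """The equivalent AWS CLI invocation shown above, built from the payload."""
    features = json.dumps(eks_runtime_features(addon_management))
    return f"aws guardduty update-detector --detector-id {detector_id} --features '{features}'"


def guardduty_manages_agent(addon_management: bool, cluster_tags: dict) -> bool:
    """Addon management ENABLED: every cluster is covered unless tagged
    GuardDutyManaged=false. DISABLED: only clusters tagged GuardDutyManaged=true."""
    value = str(cluster_tags.get(TAG_KEY, "")).lower()
    return value != "false" if addon_management else value == "true"


def check_detector(detector: dict, expect_addon: bool) -> list:
    """Audit a GetDetector response; returns problems found (empty = as intended)."""
    feats = {f["Name"]: f for f in detector.get("Features", [])}
    rt = feats.get("EKS_RUNTIME_MONITORING")
    if rt is None or rt.get("Status") != "ENABLED":
        return ["EKS_RUNTIME_MONITORING is not ENABLED"]
    addl = {a["Name"]: a.get("Status") for a in rt.get("AdditionalConfiguration", [])}
    want = "ENABLED" if expect_addon else "DISABLED"
    got = addl.get("EKS_ADDON_MANAGEMENT")
    return [] if got == want else [f"EKS_ADDON_MANAGEMENT is {got}, expected {want}"]


# Constructed sample (not real GetDetector output): addon management was left
# ENABLED on an account that intended the inclusion-tag approach.
SAMPLE_DETECTOR = {"Features": [{"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
    "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]}

if __name__ == "__main__":
    print(update_detector_command("12abc34d567e8fa901bc2d34e56789f0", True))
    print(check_detector(SAMPLE_DETECTOR, expect_addon=False))
```

With boto3, feed `eks_runtime_features(...)` to `update_detector(DetectorId=..., Features=...)` and the `get_detector(DetectorId=...)` response to `check_detector` to confirm the change took effect.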