Description

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. EKS Runtime Monitoring in GuardDuty enhances the ability to detect runtime threats directly from the Amazon Elastic Kubernetes Service (EKS) environment.

With EKS Runtime Monitoring enabled, GuardDuty can detect threats such as:

  • Unauthorized access to EKS containers.

  • Privilege escalation attempts.

  • Suspicious API calls within the cluster.

  • Malware detection within the container environment.

Enabling EKS Runtime Monitoring ensures deep visibility into container-level activities and provides advanced threat detection capabilities within EKS clusters.

Rationale

Containers in Kubernetes environments, especially on EKS, are common targets for security breaches, including privilege escalation, data exfiltration, and container breakout attempts. Enabling GuardDuty EKS Runtime Monitoring allows organizations to:

  • Detect threats within the container environment in real time.

  • Improve security posture by identifying suspicious runtime behaviors.

  • Ensure compliance with security standards that require runtime threat detection.

Impact

  • Pros:

    • Enhanced security for EKS workloads.

    • Real-time threat detection and incident response.

    • Seamless integration with existing GuardDuty alerts.

  • Cons:

    • Additional GuardDuty costs for EKS Runtime Monitoring.

    • Potential performance overhead from the monitoring agent.

Default Value

  • EKS Runtime Monitoring is disabled by default in GuardDuty and must be manually enabled per AWS account and region.

Pre-Requisite

  • AWS IAM permissions:

    • guardduty:UpdateDetector

    • guardduty:GetDetector

    • guardduty:CreateDetector

    • guardduty:ListDetectors

    • guardduty:DescribeOrganizationConfiguration

    • guardduty:UpdateOrganizationConfiguration

  • Amazon GuardDuty must be enabled in the account.

  • EKS clusters must be provisioned and running.

Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon GuardDuty.

  3. In the left navigation pane, select Detectors.

  4. Choose the active Detector for the current AWS region.

  5. Under Runtime Monitoring, check the EKS Runtime Monitoring status.

    • Pass: If the status is Enabled.

    • Fail: If the status is Disabled.

Using AWS CLI:

List GuardDuty Detectors:

aws guardduty list-detectors --region <region>

  1. Note the Detector ID from the output.

Check EKS Runtime Monitoring Status:

aws guardduty get-detector --detector-id <detector-id> --region <region> --query "Features[?Name=='RUNTIME_MONITORING'].Status"

Runtime Monitoring is reported in the detector's Features list (feature name RUNTIME_MONITORING, or EKS_RUNTIME_MONITORING on detectors that still use the older feature name). The path DataSources.Kubernetes.AuditLogs.Status reports EKS Audit Log Monitoring, which is a different feature and does not indicate whether the runtime agent is active.

  • Pass: If the status is ENABLED.

  • Fail: If the status is DISABLED, or the query returns an empty list (the feature has never been configured on the detector).
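The Pass/Fail rule above can be applied to the JSON that get-detector returns rather than read by eye. The script below is an added example and not part of this benchmark; the two detector responses in it are constructed samples, and it assumes the Features array shape of the GuardDuty GetDetector API, including the EKS_ADDON_MANAGEMENT additional configuration that controls whether GuardDuty manages the agent add-on on EKS clusters.

```python
import json

# Feature names GetDetector reports for runtime monitoring: the consolidated
# RUNTIME_MONITORING feature and the older EKS_RUNTIME_MONITORING name.
RUNTIME_FEATURES = ("RUNTIME_MONITORING", "EKS_RUNTIME_MONITORING")

# Constructed sample responses (not real detectors). The first has only EKS
# audit logs on, which the DataSources.Kubernetes query would report as
# ENABLED; the second has runtime monitoring and agent management on.
AUDIT_LOGS_ONLY = json.loads('''{"Status": "ENABLED", "Features": [
  {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
  {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"}]}''')
RUNTIME_ON = json.loads('''{"Status": "ENABLED", "Features": [
  {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
  {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
   "AdditionalConfiguration": [
     {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]}''')


def runtime_monitoring_state(detector):
    """Extract the runtime monitoring feature from a get-detector response."""
    for feature in detector.get("Features", []):
        if feature.get("Name") in RUNTIME_FEATURES:
            addons = feature.get("AdditionalConfiguration", [])
            addon_managed = any(a.get("Name") == "EKS_ADDON_MANAGEMENT"
                                and a.get("Status") == "ENABLED" for a in addons)
            return {"feature": feature["Name"],
                    "enabled": feature.get("Status") == "ENABLED",
                    "addon_managed": addon_managed}
    # Feature never configured: treated the same as DISABLED.
    return {"feature": None, "enabled": False, "addon_managed": False}


def evaluate(detector):
    """Apply the test plan's Pass/Fail rule; returns (verdict, reason)."""
    if detector.get("Status") != "ENABLED":
        return "FAIL", "detector itself is not enabled"
    state = runtime_monitoring_state(detector)
    if not state["enabled"]:
        return "FAIL", "runtime monitoring feature is disabled or absent"
    if not state["addon_managed"]:
        # Passes the check, but clusters only get coverage if the agent
        # add-on is deployed by some other means.
        return "PASS", f"{state['feature']} enabled; agent add-on not auto-managed"
    return "PASS", f"{state['feature']} enabled; agent add-on managed by GuardDuty"


if __name__ == "__main__":
    for label, sample in (("audit-logs-only", AUDIT_LOGS_ONLY), ("runtime-on", RUNTIME_ON)):
        print(label, *evaluate(sample))
```

To check a real detector, replace the sample with json.load(sys.stdin) and pipe the output of aws guardduty get-detector into the script.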

Implementation Steps

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open Amazon GuardDuty.

  3. Select Detectors → Choose the Detector ID for your region.

  4. In the left menu, select Runtime Monitoring.

  5. Enable EKS Runtime Monitoring:

    • Toggle the switch to Enable.

    • Confirm the enabling of runtime monitoring for EKS.

  6. Save Changes.

Using AWS CLI:

List Detectors:

aws guardduty list-detectors --region <region>

Enable EKS Runtime Monitoring:

aws guardduty update-detector \
  --detector-id <detector-id> \
  --region <region> \
  --features '[{"Name": "RUNTIME_MONITORING", "Status": "ENABLED", "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]'

update-detector has no --enable-kubernetes-audit-logs option, and Kubernetes audit logs are a separate feature from Runtime Monitoring; runtime monitoring is enabled through --features. The EKS_ADDON_MANAGEMENT additional configuration lets GuardDuty deploy and update the security agent add-on on EKS clusters automatically; omit it if the agent will be managed manually.

Backout Plan:

If enabling EKS Runtime Monitoring results in unexpected costs or operational issues, it can be disabled:

  1. Go to Amazon GuardDuty in the AWS Console.

  2. Navigate to Detectors → Runtime Monitoring.

  3. Toggle EKS Runtime Monitoring to Disabled.

  4. Save Changes.

References:

  1. Amazon GuardDuty Documentation

  2. EKS Runtime Monitoring in GuardDuty

  3. AWS CLI GuardDuty Commands