Profile Applicability:

  • Level 1

Description:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS accounts. GuardDuty EKS Runtime Monitoring helps identify and respond to security threats within your Amazon EKS (Elastic Kubernetes Service) clusters. When enabled, this feature ensures that GuardDuty continuously analyzes and monitors runtime activity within your Kubernetes clusters, detecting anomalous behavior, privilege escalation attempts, and other security risks. This SOP ensures that GuardDuty EKS Runtime Monitoring is enabled to protect your Amazon EKS clusters from security threats.

Rationale:

  • Threat Detection: EKS clusters often host critical workloads and sensitive data. Enabling GuardDuty runtime monitoring ensures continuous threat detection for suspicious activities within the Kubernetes runtime environment.

  • Security Monitoring: By enabling this feature, you get enhanced visibility into potential attacks, such as privilege escalation, containers running malicious code, or other malicious activity within the EKS cluster.

  • Compliance: Many industry standards and compliance frameworks (such as SOC 2, PCI-DSS, HIPAA) require continuous monitoring of runtime activities for identifying and mitigating security risks.

Impact:

Pros:

  • Improved Security: GuardDuty will be able to detect and alert on suspicious activity in real time, helping prevent security breaches or exploitation of vulnerabilities.

  • Enhanced Incident Response: Alerts generated by GuardDuty can be integrated into your incident response workflow, enabling faster and more effective responses to security incidents.

  • Compliance: Enables organizations to meet regulatory requirements for continuous security monitoring of workloads within Kubernetes clusters.

Cons:

  • Potential Costs: Enabling runtime monitoring will generate GuardDuty findings and may increase the cost of GuardDuty depending on the volume of data being analyzed.

  • Resource Consumption: Runtime monitoring may add a slight overhead in terms of processing, but the benefits of enhanced security outweigh the minimal impact on performance.

Default Value:

By default, GuardDuty EKS Runtime Monitoring is disabled and must be explicitly enabled before GuardDuty starts monitoring Kubernetes clusters in real time.

Prerequisites:

  • AWS IAM Permissions:

    • guardduty:CreateDetector

    • guardduty:UpdateDetector

    • guardduty:DescribeDetector

    • eks:DescribeCluster

  • AWS CLI installed and configured.

  • Amazon EKS cluster must be created and active.

  • GuardDuty service must be enabled in the account.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to GuardDuty under Security, Identity & Compliance.

  3. In the GuardDuty Console, select Settings from the navigation pane.

  4. Under EKS Runtime Monitoring, check if the setting is enabled.

    • If enabled, the status will be set to "Enabled".

    • If disabled, you need to enable it.

Using AWS CLI:

To check whether GuardDuty EKS Runtime Monitoring is enabled for the current region, run:

aws guardduty get-detector --detector-id <detector-id> --query "Features[?Name=='EKS_RUNTIME_MONITORING' || Name=='RUNTIME_MONITORING']"

The feature is enabled when the matching entry in the output shows "Status": "ENABLED" (newer detectors report it under the RUNTIME_MONITORING feature, and the EKS_ADDON_MANAGEMENT entry in its AdditionalConfiguration shows whether GuardDuty deploys the security agent to clusters automatically). An empty result, or a matching entry with "Status": "DISABLED", means runtime monitoring is not enabled.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to GuardDuty.

  2. In the GuardDuty Console, go to Settings.

  3. Under EKS Runtime Monitoring, choose Enable.

  4. Save the settings to start monitoring your EKS clusters.

Using AWS CLI:

To enable GuardDuty EKS Runtime Monitoring (with GuardDuty managing the security agent add-on on your clusters), run:

aws guardduty update-detector \
  --detector-id <detector-id> \
  --features '[{"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED", "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]'

Verify that runtime monitoring has been enabled by running:

aws guardduty get-detector --detector-id <detector-id> --query "Features[?Name=='EKS_RUNTIME_MONITORING' || Name=='RUNTIME_MONITORING']"

Backout Plan:

If enabling EKS Runtime Monitoring causes issues (e.g., false positives or performance impact):

Identify the affected GuardDuty detector.

Revert the changes by disabling runtime monitoring:

aws guardduty update-detector \
  --detector-id <detector-id> \
  --features '[{"Name": "EKS_RUNTIME_MONITORING", "Status": "DISABLED"}]'

Monitor GuardDuty and ensure that there are no additional security concerns after reverting the changes.
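The Test Plan, Implementation Steps and Backout Plan above all revolve around one detector attribute. The following script is an added example, not part of this SOP or of AWS tooling: it evaluates the JSON that `aws guardduty get-detector` returns and builds the `update-detector` invocation for both remediation and backout. It assumes the response shape of the GuardDuty GetDetector API (a top-level "Status" plus a "Features" list whose entries carry "Name", "Status" and an optional "AdditionalConfiguration" list); the sample responses and detector IDs are constructed for illustration.

```python
"""Evaluate and remediate GuardDuty EKS Runtime Monitoring from get-detector JSON.

Added example (not from the SOP). Assumes the get-detector response carries a
top-level "Status" and a "Features" list whose entries have "Name", "Status" and
optionally an "AdditionalConfiguration" list. Sample data below is constructed.
"""
import json
import shlex

# Feature names from the GuardDuty API. Older detectors expose EKS runtime coverage
# as EKS_RUNTIME_MONITORING; newer ones fold it into RUNTIME_MONITORING. In both,
# EKS_ADDON_MANAGEMENT controls whether GuardDuty installs the security agent add-on.
LEGACY_FEATURE = "EKS_RUNTIME_MONITORING"
RUNTIME_FEATURE = "RUNTIME_MONITORING"
EKS_ADDON = "EKS_ADDON_MANAGEMENT"


def _feature(detector, name):
    """Return the feature entry called `name`, or None when the detector lacks it."""
    return next((f for f in detector.get("Features", []) if f.get("Name") == name), None)


def eks_runtime_status(detector):
    """Summarise EKS runtime monitoring for one detector.

    Returns {"enabled": bool, "feature": str | None, "agent_managed": bool}.
    `agent_managed` is True when GuardDuty deploys the agent add-on itself; when
    False the agent must be installed on each cluster by hand, so coverage of
    newly created clusters is not automatic.
    """
    if detector.get("Status") != "ENABLED":
        return {"enabled": False, "feature": None, "agent_managed": False}
    for name in (LEGACY_FEATURE, RUNTIME_FEATURE):
        feat = _feature(detector, name)
        if feat and feat.get("Status") == "ENABLED":
            managed = any(
                c.get("Name") == EKS_ADDON and c.get("Status") == "ENABLED"
                for c in feat.get("AdditionalConfiguration", [])
            )
            return {"enabled": True, "feature": name, "agent_managed": managed}
    return {"enabled": False, "feature": None, "agent_managed": False}


def check_get_detector_output(text):
    """Parse raw `aws guardduty get-detector` output and evaluate it."""
    return eks_runtime_status(json.loads(text))


def features_payload(enable=True, feature=LEGACY_FEATURE):
    """Build the `--features` value for the Implementation (enable) or Backout (disable) step."""
    status = "ENABLED" if enable else "DISABLED"
    entry = {"Name": feature, "Status": status}
    if enable:
        # Let GuardDuty deploy the agent so new clusters are covered without manual steps.
        entry["AdditionalConfiguration"] = [{"Name": EKS_ADDON, "Status": "ENABLED"}]
    return [entry]


def update_detector_command(detector_id, enable=True):
    """argv for `aws guardduty update-detector`; pass enable=False for the Backout Plan."""
    return [
        "aws", "guardduty", "update-detector",
        "--detector-id", detector_id,
        "--features", json.dumps(features_payload(enable)),
    ]


# Constructed sample responses; the detector IDs used below are placeholders.
COMPLIANT = json.dumps({
    "Status": "ENABLED",
    "Features": [
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]},
    ],
})
NON_COMPLIANT = json.dumps({
    "Status": "ENABLED",
    "Features": [
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},  # audit logs alone are not runtime monitoring
        {"Name": "EKS_RUNTIME_MONITORING", "Status": "DISABLED"},
    ],
})

if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, check_get_detector_output(doc))
    print(shlex.join(update_detector_command("<detector-id>", enable=True)))
    print(shlex.join(update_detector_command("<detector-id>", enable=False)))
```

In practice, feed the script the output of `aws guardduty get-detector --detector-id <detector-id>` (the ID comes from `aws guardduty list-detectors`, one per region) and treat `enabled: False` as a finding; `agent_managed: False` is worth reporting too, since clusters created after enablement will not be covered until the agent is deployed on them.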

Note:

  • Integration with CloudWatch: You can integrate GuardDuty findings with Amazon CloudWatch to automate security workflows (e.g., triggering Lambda functions or sending notifications to Slack or email).

  • Cost Management: Ensure that you’re monitoring GuardDuty findings closely to manage potential costs associated with high volumes of findings.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                            | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                           |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |