Since Amazon GuardDuty launched in 2017, GuardDuty has been able to analyze tens of billions of events per minute across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, DNS query logs, Amazon Simple Storage Service (Amazon S3) data plane events, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon Relational Database Service (Amazon RDS) login events to protect your AWS accounts and resources.
In 2020, GuardDuty added Amazon S3 protection to continuously monitor and profile S3 data access events and configurations to detect suspicious activities in Amazon S3. Last year, GuardDuty launched Amazon EKS protection to monitor control plane activity by analyzing Kubernetes audit logs from existing and new EKS clusters in your accounts, Amazon EBS malware protection to scan for malicious files residing on an EC2 instance or container workload using EBS volumes, and Amazon RDS protection to identify potential threats to data stored in Amazon Aurora databases, which recently became generally available.
GuardDuty combines machine learning (ML), anomaly detection, network monitoring, and malicious file discovery using various AWS data sources. When threats are detected, GuardDuty automatically sends security findings to AWS Security Hub, Amazon EventBridge, and Amazon Detective. These integrations help centralize monitoring for AWS and partner services, automate responses to malware findings, and perform security investigations from GuardDuty.
Today, we're announcing the general availability of Amazon GuardDuty EKS Runtime Monitoring to detect runtime threats from over 30 security findings to protect your EKS clusters. The new EKS Runtime Monitoring uses a fully managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.
GuardDuty can now identify specific containers within your EKS clusters that are potentially compromised and detect attempts to escalate privileges from an individual container to the underlying Amazon EC2 host and the broader AWS environment. GuardDuty EKS Runtime Monitoring findings provide metadata context to identify potential threats and contain them before they escalate.
Configure EKS Runtime Monitoring in GuardDuty
To get started, first enable EKS Runtime Monitoring with just a few clicks in the GuardDuty console.
When you enable EKS Runtime Monitoring, GuardDuty can start monitoring and analyzing the runtime-activity events for all the existing and new EKS clusters in your accounts. If you want GuardDuty to deploy and update the required EKS-managed add-on for all the existing and new EKS clusters in your account, choose Manage agent automatically. This will also create a VPC endpoint through which the security agent delivers the runtime events to GuardDuty.
If you configure EKS Audit Log Monitoring and runtime monitoring together, you can achieve optimal EKS protection both at the cluster control plane level and all the way down to the individual pod or container operating system level. When used together, threat detection will be more contextual, allowing quick prioritization and response. For example, a runtime-based detection on a pod exhibiting suspicious behavior can be augmented by an audit log-based detection indicating that the pod was unusually launched with elevated privileges.
These options are on by default, but they are configurable, and you can uncheck one of the boxes to disable EKS Runtime Monitoring. When you disable EKS Runtime Monitoring, GuardDuty immediately stops monitoring and analyzing the runtime-activity events for all the existing EKS clusters. If you had configured automated agent management through GuardDuty, this action also removes the security agent that GuardDuty had deployed.
To learn more, see Configuring EKS Runtime Monitoring in the AWS documentation.
Manage GuardDuty Agent Manually
If you want to manually deploy and update the EKS managed add-on, including the GuardDuty agent, per cluster in your account, uncheck Manage agent automatically in the EKS protection configuration.
When managing the add-on manually, you are also responsible for creating the VPC endpoint through which the security agent delivers the runtime events to GuardDuty. In the VPC endpoint console, choose Create endpoint. In that step, choose Other endpoint services for Service category, enter com.amazonaws.us-east-1.guardduty-data for Service name in the US East (N. Virginia) Region, and choose Verify service.
After the service name is successfully verified, choose the VPC and subnets where your EKS cluster resides. Under Additional settings, choose Enable DNS name. Under Security groups, choose a security group that has inbound port 443 enabled from your VPC (or your EKS cluster).
Add the following policy to restrict VPC endpoint usage to the specified account only. The first statement allows everything; the second is an explicit deny for any principal whose account is not the one named, and an explicit deny always wins over an allow:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow",
            "Principal": "*"
        },
        {
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "123456789012"
                }
            },
            "Action": "*",
            "Resource": "*",
            "Effect": "Deny",
            "Principal": "*"
        }
    ]
}
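To check that an endpoint policy of this shape really does shut out every account other than your own before you attach it, here is an added example (not code from the post or from AWS) that evaluates the policy the way IAM resolves Allow and Deny. It implements only the two condition operators this policy can need, StringEquals and StringNotEquals, and skips Action/Resource/Principal matching because every statement uses "*". The account ids are the placeholder from the policy above plus a constructed foreign account; how it treats a request with no aws:PrincipalAccount key at all is a fail-closed choice of this evaluator, not a statement about IAM.

```python
import json

# Constructed copy of the endpoint policy shown above; the account id is the
# same placeholder the policy uses, not a real account.
ENDPOINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"},
    {
      "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}},
      "Action": "*", "Resource": "*", "Effect": "Deny", "Principal": "*"
    }
  ]
}
""")


def _condition_matches(condition, context):
    """Evaluate the condition operators this policy needs.

    Only StringEquals and StringNotEquals are implemented; any other operator
    raises so a statement is never silently skipped. A context key that is
    absent counts as 'not equal', which makes the Deny above fire (fail closed;
    an assumption of this evaluator, not a claim about IAM).
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected_values:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, context):
    """Return 'Allow' or 'Deny' for a request carrying the given context keys.

    Standard IAM precedence: an explicit Deny wins over any Allow, and with no
    matching Allow the request is implicitly denied. Action, Resource and
    Principal are not matched because every statement here uses '*'.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        if statement["Effect"] == "Allow":
            allowed = True
    return "Allow" if allowed else "Deny"


def restricts_to_account(policy, own_account):
    """True when own_account is allowed and a foreign account is denied."""
    other = "210987654321"  # constructed foreign account id
    return (evaluate(policy, {"aws:PrincipalAccount": own_account}) == "Allow"
            and evaluate(policy, {"aws:PrincipalAccount": other}) == "Deny")


if __name__ == "__main__":
    for account in ("123456789012", "210987654321"):
        print(account, evaluate(ENDPOINT_POLICY, {"aws:PrincipalAccount": account}))
    print("restricted to owner:", restricts_to_account(ENDPOINT_POLICY, "123456789012"))
```

The restricts_to_account check is the useful part: a policy that accidentally lost its Deny statement (or has the wrong account id in it) still evaluates to Allow for the owner, so only the foreign-account probe reveals that the endpoint would accept agent traffic from any account.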
Now, you can install the Amazon GuardDuty EKS Runtime Monitoring add-on for your EKS clusters. Select this add-on in the Add-ons tab in your EKS cluster profile on the Amazon EKS console.
When you enable EKS Runtime Monitoring in GuardDuty and deploy the Amazon EKS add-on for your EKS cluster, you can view the new pods with the prefix aws-guardduty-agent. GuardDuty now starts to consume runtime-activity events from all EC2 hosts and containers in the cluster. GuardDuty then analyzes these events for potential threats.
These pods collect various event types and send them to the GuardDuty backend for threat detection and analysis. When managing the add-on manually, you need to go through these steps for each EKS cluster that you want to monitor, including new EKS clusters.
To learn more, see Managing GuardDuty agent manually in the AWS documentation.
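Because the agent pods are what feed GuardDuty, a node without a running aws-guardduty-agent pod is a node whose containers are not being monitored. The following added example (my own check, not part of the post or of the add-on) reads the JSON that kubectl emits for nodes and pods and reports which nodes are covered, which are missing an agent, and which have an agent pod that is not Running. The node and pod listings are constructed and trimmed to the fields the check reads; the namespace amazon-guardduty in the usage note is an assumption.

```python
import json

# Constructed listings in the shape of `kubectl get nodes -o json` and
# `kubectl get pods -o json`, trimmed to the fields read here. Three nodes:
# one with a Running agent, one whose agent is stuck Pending, and one with
# no agent pod at all (only an unrelated pod).
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "ip-10-0-1-10.ec2.internal"}},
    {"metadata": {"name": "ip-10-0-1-11.ec2.internal"}},
    {"metadata": {"name": "ip-10-0-2-12.ec2.internal"}},
]})

PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "aws-guardduty-agent-7k2xw", "namespace": "amazon-guardduty"},
     "spec": {"nodeName": "ip-10-0-1-10.ec2.internal"},
     "status": {"phase": "Running"}},
    {"metadata": {"name": "aws-guardduty-agent-q9pl4", "namespace": "amazon-guardduty"},
     "spec": {"nodeName": "ip-10-0-1-11.ec2.internal"},
     "status": {"phase": "Pending"}},
    {"metadata": {"name": "coredns-5d78c9869d-x2bvf", "namespace": "kube-system"},
     "spec": {"nodeName": "ip-10-0-2-12.ec2.internal"},
     "status": {"phase": "Running"}},
]})

# Pod name prefix the post says the add-on creates.
AGENT_POD_PREFIX = "aws-guardduty-agent"


def agent_coverage(nodes_json, pods_json, prefix=AGENT_POD_PREFIX):
    """Map agent pods onto nodes and report which nodes lack a running agent.

    Returns a dict with 'covered' (nodes that have a Running agent pod),
    'missing' (nodes with no Running agent pod) and 'unhealthy' (node -> phase
    for agent pods that exist but are not Running).
    """
    nodes = {n["metadata"]["name"] for n in json.loads(nodes_json)["items"]}
    running = set()
    unhealthy = {}
    for pod in json.loads(pods_json)["items"]:
        if not pod["metadata"]["name"].startswith(prefix):
            continue  # ignore pods that are not the GuardDuty agent
        node = pod["spec"].get("nodeName")  # None if the pod is not scheduled yet
        phase = pod["status"].get("phase")
        if phase == "Running":
            running.add(node)
        else:
            unhealthy[node] = phase
    return {
        "covered": sorted(running & nodes),
        "missing": sorted(nodes - running),
        "unhealthy": unhealthy,
    }


def fully_covered(nodes_json, pods_json):
    """True only when every node in the cluster has a Running agent pod."""
    report = agent_coverage(nodes_json, pods_json)
    return not report["missing"] and not report["unhealthy"]


if __name__ == "__main__":
    print(json.dumps(agent_coverage(NODES_JSON, PODS_JSON), indent=2))
    print("fully covered:", fully_covered(NODES_JSON, PODS_JSON))
```

Against a real cluster, pass the output of `kubectl get nodes -o json` and `kubectl get pods -n amazon-guardduty -o json` to agent_coverage instead of the constructed strings; the "missing" list is the one worth alerting on, since the add-on is a DaemonSet and every node should carry an agent.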
Check Out EKS Runtime Security Findings
When GuardDuty detects a potential threat and generates a security finding, you can view the details of the corresponding findings. These security findings indicate either a compromised EC2 instance, a container workload, an EKS cluster, or a set of compromised credentials in your AWS environment.
If you want to generate EKS Runtime Monitoring sample findings for testing purposes, see Generating sample findings in GuardDuty in the AWS documentation. Here is an example of a potential security issue: a newly created or recently modified binary file in an EKS cluster has been executed.
The ResourceType for an EKS Protection finding type can be an Instance, EKSCluster, or Container. If the Resource type in the finding details is EKSCluster, it indicates that either a pod or a container inside an EKS cluster is potentially compromised. Depending on the potentially compromised resource type, the finding details may contain Kubernetes workload details, EKS cluster details, or instance details.
The Runtime details, such as process details and any required context, describe the observed process, and the runtime context describes any additional information about the potentially suspicious activity.
To remediate a compromised pod or container image, see Remediating EKS Runtime Monitoring findings in the AWS documentation. This document describes the recommended remediation steps for each resource type. To learn more about security finding types, see GuardDuty EKS Runtime Monitoring finding types in the AWS documentation.
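For an analyst who receives these findings through EventBridge or the GetFindings API, the first question is which details section to open, and that depends on ResourceType exactly as the paragraph above describes. The example below is added here and is not code from the post or from AWS: it takes a constructed finding (the executed-new-binary case the post mentions), labels the severity, and routes to instance, workload-plus-cluster, or container details by ResourceType, then pulls the runtime process and the modifying process out of the runtime context. The finding type string, the PascalCase field paths (EksClusterDetails, KubernetesDetails.KubernetesWorkloadDetails, Service.RuntimeDetails.Process, Context.ModifyingProcess, InstanceDetails, ContainerDetails) and all cluster, workload and process values are assumptions modelled on the API shape as I understand it, not taken from the post.

```python
# Constructed finding in the shape of a GetFindings response (PascalCase keys).
# The type name, field paths and every value are assumptions for illustration.
SAMPLE_FINDING = {
    "Type": "Execution:Runtime/NewBinaryExecuted",
    "Severity": 5,
    "Resource": {
        "ResourceType": "EKSCluster",
        "EksClusterDetails": {"Name": "example-cluster"},
        "KubernetesDetails": {
            "KubernetesWorkloadDetails": {
                "Name": "payments-api",
                "Type": "deployment",
                "Namespace": "payments",
                "Containers": [{"Name": "api", "Image": "registry.example/payments-api:1.4.2"}],
            }
        },
    },
    "Service": {
        "RuntimeDetails": {
            "Process": {"Name": "updater", "ExecutablePath": "/tmp/.cache/updater", "Pid": 4242},
            "Context": {
                "ModifyingProcess": {"Name": "curl", "ExecutablePath": "/usr/bin/curl"},
                "ModifiedAt": "2023-03-30T12:00:00Z",
            },
        }
    },
}

# GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7 and above.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def severity_label(score):
    """Map the numeric Severity field onto the GuardDuty Low/Medium/High bands."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"severity out of range: {score}")


def triage(finding):
    """Pick the details section and target to read first, by ResourceType.

    Mirrors the post: an Instance finding carries instance details, an
    EKSCluster finding (a potentially compromised pod or container) carries
    Kubernetes workload and EKS cluster details, and a Container finding
    carries container details. Runtime process details are read in all cases.
    """
    resource = finding["Resource"]
    rtype = resource["ResourceType"]
    summary = {
        "type": finding["Type"],
        "severity": severity_label(finding["Severity"]),
        "resource_type": rtype,
    }
    if rtype == "Instance":
        summary["read_first"] = "instance details"
        summary["target"] = resource["InstanceDetails"]["InstanceId"]
    elif rtype == "EKSCluster":
        summary["read_first"] = "Kubernetes workload details and EKS cluster details"
        workload = resource["KubernetesDetails"]["KubernetesWorkloadDetails"]
        summary["target"] = "{}/{}/{}/{}".format(
            resource["EksClusterDetails"]["Name"], workload["Namespace"],
            workload["Type"], workload["Name"])
        summary["images"] = [c["Image"] for c in workload.get("Containers", [])]
    elif rtype == "Container":
        summary["read_first"] = "container details"
        container = resource["ContainerDetails"]
        summary["target"] = "{} ({})".format(container["Name"], container["Image"])
    else:
        raise ValueError(f"unexpected ResourceType: {rtype}")

    # Runtime details: the observed process plus the context GuardDuty attaches,
    # here the process that wrote the binary before it was executed.
    runtime = finding["Service"].get("RuntimeDetails", {})
    process = runtime.get("Process", {})
    summary["process"] = "{} (pid {})".format(process.get("ExecutablePath"), process.get("Pid"))
    modifier = runtime.get("Context", {}).get("ModifyingProcess")
    if modifier:
        summary["modified_by"] = modifier.get("ExecutablePath")
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FINDING).items():
        print(f"{key}: {value}")
```

The "images" list is included because for an EKSCluster finding the workload's container images are what you would pin down when following the remediation guide for a compromised container image; the summary deliberately stops at pointing to the right details section rather than inventing remediation steps.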
Now Available
You can now use Amazon GuardDuty for EKS Runtime Monitoring. For a full list of Regions where EKS Runtime Monitoring is available, visit region-specific feature availability.
The first 30 days of GuardDuty for EKS Runtime Monitoring are available at no additional charge for existing GuardDuty accounts. If you enabled GuardDuty for the first time, EKS Runtime Monitoring is not enabled by default and needs to be enabled as described above. After the trial period ends, you can see the estimated cost of EKS Runtime Monitoring in GuardDuty. To learn more, see the GuardDuty pricing page.
For more information, see the Amazon GuardDuty User Guide and send feedback to AWS re:Post for Amazon GuardDuty or through your usual AWS Support contacts.
– Channy