Since Amazon GuardDuty launched in 2017, GuardDuty has been able to analyze tens of billions of events per minute across a number of AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, DNS query logs, Amazon Simple Storage Service (Amazon S3) data plane events, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon Relational Database Service (Amazon RDS) login events to protect your AWS accounts and resources.
In 2020, GuardDuty added Amazon S3 protection to continuously monitor and profile S3 data access events and configurations to detect suspicious activities in Amazon S3. Last year, GuardDuty launched Amazon EKS protection to monitor control plane activity by analyzing Kubernetes audit logs from existing and new EKS clusters in your accounts, Amazon EBS malware protection to scan malicious files residing on an EC2 instance or container workload using EBS volumes, and Amazon RDS protection to identify potential threats to data stored in Amazon Aurora databases (recently generally available).
GuardDuty combines machine learning (ML), anomaly detection, network monitoring, and malicious file discovery using various AWS data sources. When threats are detected, GuardDuty automatically sends security findings to AWS Security Hub, Amazon EventBridge, and Amazon Detective. These integrations help centralize monitoring for AWS and partner services, automate responses to malware findings, and perform security investigations from GuardDuty.
Today, we're announcing the general availability of Amazon GuardDuty EKS Runtime Monitoring to detect runtime threats from over 30 security findings to protect your EKS clusters. The new EKS Runtime Monitoring uses a fully managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.
GuardDuty can now identify specific containers within your EKS clusters that are potentially compromised and detect attempts to escalate privileges from an individual container to the underlying Amazon EC2 host and the broader AWS environment. GuardDuty EKS Runtime Monitoring findings provide metadata context to identify potential threats and contain them before they escalate.
Configure EKS Runtime Monitoring in GuardDuty
To get started, first enable EKS Runtime Monitoring with just a few clicks in the GuardDuty console.
Once you enable EKS Runtime Monitoring, GuardDuty can start monitoring and analyzing the runtime-activity events for all the existing and new EKS clusters in your accounts. If you want GuardDuty to deploy and update the required EKS-managed add-on for all the existing and new EKS clusters in your account, choose Manage agent automatically. This will also create a VPC endpoint through which the security agent delivers the runtime events to GuardDuty.
If you configure EKS Audit Log Monitoring and runtime monitoring together, you can achieve optimal EKS protection both at the cluster control plane level and all the way down to the individual pod or container operating system level. When used together, threat detection will be more contextual, allowing quick prioritization and response. For example, a runtime-based detection on a pod exhibiting suspicious behavior can be augmented by an audit log-based detection indicating that the pod was unusually launched with elevated privileges.
These options are on by default, but they're configurable, and you can uncheck one of the boxes in order to disable EKS Runtime Monitoring. When you disable EKS Runtime Monitoring, GuardDuty immediately stops monitoring and analyzing the runtime-activity events for all the existing EKS clusters. If you had configured automated agent management through GuardDuty, this action also removes the security agent that GuardDuty had deployed.
To learn more, see Configuring EKS Runtime Monitoring in the AWS documentation.
Manage GuardDuty Agent Manually
If you want to manually deploy and update the EKS managed add-on, including the GuardDuty agent, per cluster in your account, uncheck Manage agent automatically in the EKS protection configuration.
When managing the add-on manually, you are also responsible for creating the VPC endpoint through which the security agent delivers the runtime events to GuardDuty. In the VPC endpoint console, choose Create endpoint. In this step, choose Other endpoint services for Service category, enter com.amazonaws.us-east-1.guardduty-data for Service name in the US East (N. Virginia) Region (the Region segment of the name changes with the Region your cluster runs in), and choose Verify service.
After the service name is successfully verified, choose the VPC and subnets where your EKS cluster resides. Under Additional settings, choose Enable DNS name. Under Security groups, choose a security group that allows inbound port 443 from your VPC (or from your EKS cluster); the agent pods cannot deliver events to the endpoint otherwise.
Add the following policy to restrict VPC endpoint usage to the specified account only. The first statement allows everything; the second is an explicit Deny for any principal whose account is not yours, and an explicit Deny always wins over an Allow, so without it any principal that can reach the endpoint could use it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow",
      "Principal": "*"
    },
    {
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      },
      "Action": "*",
      "Resource": "*",
      "Effect": "Deny",
      "Principal": "*"
    }
  ]
}
Now, you can install the Amazon GuardDuty EKS Runtime Monitoring add-on for your EKS clusters. Select this add-on in the Add-ons tab of your EKS cluster profile in the Amazon EKS console.
When you enable EKS Runtime Monitoring in GuardDuty and deploy the Amazon EKS add-on to your EKS cluster, you can view the new pods with the prefix aws-guardduty-agent. GuardDuty now begins to consume runtime-activity events from all EC2 hosts and containers in the cluster. GuardDuty then analyzes these events for potential threats.
These pods collect various event types and send them to the GuardDuty backend for threat detection and analysis. When managing the add-on manually, you need to go through these steps for each EKS cluster that you want to monitor, including new EKS clusters.
To learn more, see Managing GuardDuty agent manually in the AWS documentation.
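The manual steps above (Region-specific service name, endpoint policy, endpoint creation, add-on installation) as one script. This is an added example, not code from the post or from AWS: it builds the endpoint policy for a given account, includes a small evaluator that shows why the Deny statement is needed, and emits the AWS CLI equivalents of the console clicks without running them. The account, VPC, subnet, security-group and cluster identifiers are placeholders supplied by the caller, the Region regex is only a loose sanity check, and the add-on name aws-guardduty-agent is the EKS add-on name as I recall it (confirm with `aws eks describe-addon-versions --addon-name aws-guardduty-agent`).

```python
import json
import re
import shlex

# Added example, not the post's or AWS's own code. Identifiers passed in are placeholders.


def guardduty_data_service_name(region: str) -> str:
    """Service name of the GuardDuty runtime-event endpoint in a Region
    (us-east-1 -> com.amazonaws.us-east-1.guardduty-data, as in the post)."""
    # Loose sanity check on the Region string (assumption: enough to catch typos).
    if not re.fullmatch(r"[a-z]{2}(-gov)?-[a-z]+-\d", region):
        raise ValueError(f"not an AWS Region name: {region!r}")
    return f"com.amazonaws.{region}.guardduty-data"


def endpoint_policy(account_id: str) -> dict:
    """The endpoint policy from the post: Allow everything, then Deny any principal
    whose account is not ours. In IAM evaluation an explicit Deny always wins."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("an AWS account ID is exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"},
            {
                "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}},
                "Action": "*",
                "Resource": "*",
                "Effect": "Deny",
                "Principal": "*",
            },
        ],
    }


def without_account_restriction(policy: dict) -> dict:
    """The same policy with the Deny dropped: what you get if you skip the policy step."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s["Effect"] == "Allow"]}


def principal_allowed(policy: dict, principal_account: str) -> bool:
    """Minimal evaluator for this policy shape only (assumption: the only condition
    in play is StringNotEquals on aws:PrincipalAccount). Mirrors IAM's rule that a
    matching Deny overrides any Allow and that no matching statement means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {}).get("StringNotEquals", {})
        # StringNotEquals is satisfied only when the request value differs.
        if any(k == "aws:PrincipalAccount" and principal_account == v for k, v in conds.items()):
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = allowed or stmt["Effect"] == "Allow"
    return allowed


def manual_setup_commands(region, account_id, vpc_id, subnet_ids, security_group_id, cluster_name):
    """AWS CLI equivalents of the console steps, returned as strings (nothing is run).
    Write endpoint_policy(account_id) to guardduty-endpoint-policy.json first."""
    create_endpoint = [
        "aws", "ec2", "create-vpc-endpoint",
        "--region", region,
        "--vpc-endpoint-type", "Interface",
        "--vpc-id", vpc_id,
        "--service-name", guardduty_data_service_name(region),
        "--subnet-ids", *subnet_ids,
        "--security-group-ids", security_group_id,   # must allow inbound 443 from the VPC
        "--private-dns-enabled",                      # the "Enable DNS name" checkbox
        "--policy-document", "file://guardduty-endpoint-policy.json",
    ]
    install_addon = [
        "aws", "eks", "create-addon",
        "--region", region,
        "--cluster-name", cluster_name,
        "--addon-name", "aws-guardduty-agent",        # assumption: EKS add-on name, verify
    ]
    return [shlex.join(create_endpoint), shlex.join(install_addon)]


if __name__ == "__main__":
    with open("guardduty-endpoint-policy.json", "w") as fh:
        json.dump(endpoint_policy("123456789012"), fh, indent=2)
    for cmd in manual_setup_commands("us-east-1", "123456789012", "vpc-0abc", ["subnet-0a", "subnet-0b"], "sg-0123", "prod-cluster"):
        print(cmd)
```

Run it once per cluster and Region you monitor manually; the evaluator is there to make the point concrete: with the Deny statement in place a principal from another account is refused, and with the Allow statement alone it is not.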
Check Out EKS Runtime Security Findings
When GuardDuty detects a potential threat and generates a security finding, you can view the details of the corresponding findings. These security findings indicate either a compromised EC2 instance, a compromised container workload, a compromised EKS cluster, or a set of compromised credentials in your AWS environment.
If you want to generate EKS Runtime Monitoring sample findings for testing purposes, see Generating sample findings in GuardDuty in the AWS documentation. Here is an example of a potential security issue: a newly created or recently modified binary file in an EKS cluster has been executed.
The resource type for an EKS Protection finding can be an Instance, an EKSCluster, or a Container. If the Resource type in the finding details is EKSCluster, it indicates that either a pod or a container inside an EKS cluster is potentially compromised. Depending on the potentially compromised resource type, the finding details may contain Kubernetes workload details, EKS cluster details, or instance details.
The Runtime details, such as the process details and any required context, describe the observed process, and the runtime context describes any additional information about the potentially suspicious activity.
To remediate a compromised pod or container image, see Remediating EKS Runtime Monitoring findings in the AWS documentation. That page describes the recommended remediation steps for each resource type. To learn more about security finding types, see GuardDuty EKS Runtime Monitoring finding types in the AWS documentation.
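An added triage example for the finding layout just described, and for the runtime plus audit-log pairing recommended under "Configure EKS Runtime Monitoring" above. This is not code from the post or from AWS. The two findings are constructed samples, and the field names follow the GuardDuty finding JSON as I recall it (resource.resourceType, resource.eksClusterDetails, resource.kubernetesDetails.kubernetesWorkloadDetails, service.runtimeDetails.process); confirm them against the finding-format documentation before wiring this into an EventBridge target.

```python
# Added example, not the post's or AWS's own code. Sample findings below are constructed;
# field names are assumed from the GuardDuty finding format and should be verified.

RUNTIME_FINDING = {
    "type": "Execution:Runtime/NewBinaryExecuted",
    "severity": 5,
    "resource": {
        "resourceType": "EKSCluster",
        "eksClusterDetails": {"name": "prod-cluster"},
        "kubernetesDetails": {
            "kubernetesWorkloadDetails": {
                "type": "Pod", "name": "web-7c9f", "namespace": "default",
                "containers": [{"name": "web", "image": "registry.example/web:1.4"}],
            }
        },
    },
    "service": {
        "runtimeDetails": {
            "process": {
                "name": "kworkerd", "executablePath": "/tmp/.x/kworkerd",
                "executableSha256": "e3b0" * 16, "user": "root", "userId": 0, "pid": 4242,
                "lineage": [{"name": "sh", "pid": 4100}, {"name": "curl", "pid": 4099}],
            },
            "context": {"modifiedAt": "2023-03-30T10:21:00Z"},
        }
    },
}

AUDIT_FINDING = {
    "type": "PrivilegeEscalation:Kubernetes/PrivilegedContainer",
    "severity": 5,
    "resource": {
        "resourceType": "EKSCluster",
        "eksClusterDetails": {"name": "prod-cluster"},
        "kubernetesDetails": {
            "kubernetesWorkloadDetails": {"type": "Pod", "name": "web-7c9f", "namespace": "default"}
        },
    },
    "service": {},
}

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"curl", "wget"}


def compromised_unit(finding):
    """Return (resource kind, identifier). Kind is Instance, EKSCluster or Container as
    the post describes; for the Kubernetes kinds the identifier is cluster/namespace/workload
    so that findings about the same pod line up."""
    res = finding["resource"]
    kind = res["resourceType"]
    if kind == "Instance":
        return kind, res.get("instanceDetails", {}).get("instanceId")
    wl = res.get("kubernetesDetails", {}).get("kubernetesWorkloadDetails", {})
    cluster = res.get("eksClusterDetails", {}).get("name")
    return kind, f"{cluster}/{wl.get('namespace')}/{wl.get('name')}"


def triage_runtime(finding):
    """Pull the process details out of a runtime finding and flag what an analyst checks
    first: binary in a scratch directory, running as root, downloader in the lineage."""
    proc = finding["service"]["runtimeDetails"]["process"]
    kind, where = compromised_unit(finding)
    reasons = []
    path = proc.get("executablePath", "")
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"binary executed from writable scratch directory: {path}")
    if proc.get("userId") == 0:
        reasons.append("process runs as root inside the container")
    ancestors = [p.get("name") for p in proc.get("lineage", [])]
    if DOWNLOADERS & set(ancestors):
        reasons.append("download tool in process lineage: " + " <- ".join(ancestors))
    return {
        "type": finding["type"],
        "kind": kind,
        "where": where,
        "severity": finding["severity"],
        "sha256": proc.get("executableSha256"),
        "reasons": reasons,
    }


def correlate(runtime_finding, audit_findings):
    """Augment a runtime finding with audit-log findings on the same workload. A
    privileged-container audit finding on the pod raises the priority, which is the
    runtime plus audit-log context the post recommends."""
    summary = triage_runtime(runtime_finding)
    _, where = compromised_unit(runtime_finding)
    related = [a["type"] for a in audit_findings if compromised_unit(a)[1] == where]
    summary["related_audit_findings"] = related
    privileged = any(t.startswith("PrivilegeEscalation:Kubernetes/") for t in related)
    summary["priority"] = "high" if privileged else "medium"
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(RUNTIME_FINDING, [AUDIT_FINDING]), indent=2))
```

The join key is the cluster/namespace/workload path rather than the finding ID, because a runtime finding and an audit-log finding about the same pod are separate findings with separate IDs; the sha256 is kept in the summary so the binary can be looked up or blocked at the registry.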
Now Available
You can now use Amazon GuardDuty for EKS Runtime Monitoring. For a full list of Regions where EKS Runtime Monitoring is available, visit region-specific feature availability.
The first 30 days of GuardDuty for EKS Runtime Monitoring are available at no additional charge for existing GuardDuty accounts. If you enabled GuardDuty for the first time, EKS Runtime Monitoring is not enabled by default and needs to be enabled as described above. After the trial period ends, you can see the estimated cost of EKS Runtime Monitoring in the GuardDuty console. To learn more, see the GuardDuty pricing page.
For more information, see the Amazon GuardDuty User Guide and send feedback to AWS re:Post for Amazon GuardDuty or through your usual AWS Support contacts.
– Channy