logo
Explore Amazon GuardDuty ECS Runtime Monitoring

Explore Amazon GuardDuty ECS Runtime Monitoring

Explore Amazon GuardDuty ECS Runtime Monitoring

Published Jan 26, 2024
In the cloud, we need to do lots of scans for thousands of vulnerabilities and threats in lots of different services. Some of them are related to static code scanning, dynamic code scanning, supply chain attack protection, API testing, etc. In addition to these, runtime protection and detecting threats in real-time is a challenging but required process for us. It’s important to know what is happening in my environment now, whether these are required processes or whether someone is attacking me or not.
In re:Invent 2023, the AWS team announced Amazon GuardDuty ECS Runtime Monitoring to detect potential runtime security issues in Amazon ECS clusters for AWS Fargate and Amazon EC2. As you can guess, AWS Fargate operations for GuardDuty Runtime Monitoring are mostly handled by AWS (agent configurations are handled by AWS, enabling is our responsibility). For the EC2, we need to set up our monitoring environment.
In this blog, we’ll use and test Amazon GuardDuty ECS Runtime Monitoring for EC2. Let’s start together! 💫

It’s so easy to enable Runtime Monitoring on Amazon GuardDuty. But I just want to be sure it’s detecting my findings or not in runtime. To test this, I need an isolated AWS account and GuardDuty tester environment. For testing, I use this and build the environment with CloudFormation stacks. After building we have an ECS cluster with two EC2s: Linux and Windows Target, a red team server for attacking, and a bastion host to connect. This is the architecture in the GitHub link:
Amazon GuardDuty Tester Architecture
Amazon GuardDuty Tester Architecture

For our EC2 targets in ECS, we can install the agent manually, use it as AMI for future servers or we can use AWS Systems Manager Documents. I decided to install my Linux target in ECS (It seems like there is no Windows support for now.) We will use the manual installation for this blog, but if you want to use AWS Systems Manager you can see this:
 AWS Systems Manager Documents for Amazon GuardDuty Agent
AWS Systems Manager Documents for Amazon GuardDuty Agent
Before the installation, you need to do two things:
It’s important to know your servers. You need to read carefully the prerequisites for Amazon EC2 instance support from here. AWS recommends that you use the latest Amazon ECS-optimized AMIs (dated September 29, 2023 or later), or use Amazon ECS agent version v1.77.0.
You need to verify the GuardDuty security agent's RPM signature. You can follow this link to verify. It’s important to select the right region for the environment and add S3 access to your IAM role for EC2.
Amazon GuardDuty Agent Signature Verification
Amazon GuardDuty Agent Signature Verification
In the installation step, I encountered a kernel error, so I need to update it. Kernel updates can be critical for your environment, so I strongly recommended do this in your test environment.
Kernel Updates for Installing Amazon GuardDuty Agent
Kernel Updates for Installing Amazon GuardDuty Agent
After the kernel update, I need to reboot my server. You can use the uname -r command to check the version. After rebooting, I can successfully install the agent.
I’m checking the status of the agent. It seems fine.
Status of the Amazon GuardDuty Agent
Status of the Amazon GuardDuty Agent

This is a very easy step. You can enable it with only a click. If you are using EKS or Fargate, you can enable all of them. For me, runtime monitoring is enough.
Enabling GuardDuty ECS Runtime Monitoring
Enabling GuardDuty ECS Runtime Monitoring
After doing this, on the runtime coverage part, I’ve realized my coverage status is unhealthy and my agent does not report anything. So, what is happening here?😦
Amazon GuardDuty Agent Not Reporting Issue
Amazon GuardDuty Agent Not Reporting Issue

I forgot step 1 in this link, creating a VPC endpoint to communicate with the agent. You can follow all the steps in the link.
Creating VPC Endpoint Manually for Amazon GuardDuty ECS Runtime Monitoring
Creating VPC Endpoint Manually for Amazon GuardDuty ECS Runtime Monitoring
After creating and waiting a little, my agents are healthy and reporting! 🤭
Amazon GuardDuty Agent Healthy
Amazon GuardDuty Agent Healthy
For the ECS runtime coverage, I also see this:
ECS runtime coverage
ECS runtime coverage

With the script in the GitHub link, I can start the attack simulation successfully. After starting, I can get some findings on the Amazon GuardDuty console.
Example Findings on Amazon GuardDuty
Example Findings on Amazon GuardDuty
The last one is related to the ECS runtime monitoring and we got it 🤝! Others already exist in the GuardDuty findings with the old protection methods like malware protection, port scanning, etc. You can see all runtime findings from here. These are the details about the our finding:
ECS Runtime Monitoring Finding Details
ECS Runtime Monitoring Finding Details

 That’s all! Some useful links that I strongly recommend if you want to use this cool feature:
Thanks for reading! Stay safe in the cloud! 🌥