GuardDuty EKS Runtime Monitoring Should Be Enabled
Overview
This check verifies that Amazon GuardDuty has EKS Runtime Monitoring enabled with automated agent management. EKS Runtime Monitoring provides visibility into process, file, and network activity on your EKS nodes and containers, helping detect threats at the container runtime level.
Risk
Without EKS Runtime Monitoring, your Amazon EKS clusters lack visibility for threat detection. Attackers could:
- Deploy malware or cryptominers in your containers
- Extract secrets through compromised pods
- Modify workloads without detection
- Access other AWS services using stolen credentials
This can compromise confidentiality, integrity, and resource availability across your EKS environment.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify GuardDuty settings
- GuardDuty must already be enabled in your account (EKS Runtime Monitoring is a feature of GuardDuty)
- An existing EKS cluster to protect
AWS Console Method
- Open the Amazon GuardDuty console
- In the left navigation pane, choose Settings
- Select Runtime Monitoring (or EKS Protection in older console versions)
- Toggle EKS Runtime Monitoring to Enabled
- Enable Automated agent management to let GuardDuty automatically deploy the security agent to your EKS clusters
- Choose Save
For multi-account environments using AWS Organizations:
- Sign in as the delegated GuardDuty administrator
- Go to Settings > Accounts
- Select all member accounts
- Choose Actions > Enable Runtime Monitoring
- Confirm to enable across all selected accounts
AWS CLI (optional)
Step 1: Find your GuardDuty detector ID
aws guardduty list-detectors --region us-east-1
This returns your detector ID (a 32-character string).
Step 2: Enable EKS Runtime Monitoring with automated agent management
aws guardduty update-detector \
    --detector-id <your-detector-id> \
    --region us-east-1 \
    --features '[{
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [{
            "Name": "EKS_ADDON_MANAGEMENT",
            "Status": "ENABLED"
        }]
    }]'
Replace <your-detector-id> with the detector ID from Step 1.
Note on EKS_RUNTIME_MONITORING vs RUNTIME_MONITORING: AWS now offers a broader RUNTIME_MONITORING feature that includes EKS, ECS Fargate, and EC2. If you want protection across all runtime environments, use RUNTIME_MONITORING instead. You cannot enable both simultaneously.
For organization-wide deployment (run as delegated administrator):
aws guardduty update-organization-configuration \
    --detector-id <your-detector-id> \
    --region us-east-1 \
    --auto-enable-organization-members ALL \
    --features '[{
        "Name": "EKS_RUNTIME_MONITORING",
        "AutoEnable": "ALL",
        "AdditionalConfiguration": [{
            "Name": "EKS_ADDON_MANAGEMENT",
            "AutoEnable": "ALL"
        }]
    }]'
CloudFormation (optional)
CloudFormation can create a new GuardDuty detector with EKS Runtime Monitoring enabled. Note that each AWS account can only have one detector per region, so this template works best for new accounts or regions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty with EKS Runtime Monitoring and automated agent management
Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      Features:
        - Name: EKS_RUNTIME_MONITORING
          Status: ENABLED
          AdditionalConfiguration:
            - Name: EKS_ADDON_MANAGEMENT
              Status: ENABLED
Outputs:
  DetectorId:
    Description: The GuardDuty Detector ID
    Value: !Ref GuardDutyDetector
To deploy:
aws cloudformation deploy \
    --template-file guardduty-eks-runtime.yaml \
    --stack-name guardduty-eks-runtime-monitoring \
    --region us-east-1
Important: If you already have a GuardDuty detector, the stack will fail. Use the AWS CLI method above to update an existing detector.
Terraform (optional)
This configuration enables EKS Runtime Monitoring on an existing GuardDuty detector:
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Data source to look up the existing GuardDuty detector in this region
data "aws_guardduty_detector" "existing" {}

# Enable EKS Runtime Monitoring on the existing detector
resource "aws_guardduty_detector_feature" "eks_runtime_monitoring" {
  detector_id = data.aws_guardduty_detector.existing.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}
To deploy:
terraform init
terraform plan
terraform apply
Creating a new detector with EKS Runtime Monitoring:
resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_guardduty_detector_feature" "eks_runtime_monitoring" {
  detector_id = aws_guardduty_detector.main.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}
Verification
After enabling EKS Runtime Monitoring, verify it is active:
- In the GuardDuty console, go to Settings > Runtime Monitoring
- Confirm that EKS Runtime Monitoring shows as Enabled
- Check that Automated agent management is also enabled
- Navigate to Runtime coverage to see which EKS clusters have the security agent deployed
CLI verification
aws guardduty get-detector \
    --detector-id <your-detector-id> \
    --region us-east-1 \
    --query 'Features[?Name==`EKS_RUNTIME_MONITORING`]'
Expected output:
[
    {
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [
            {
                "Name": "EKS_ADDON_MANAGEMENT",
                "Status": "ENABLED"
            }
        ]
    }
]
To check runtime coverage for your EKS clusters:
aws guardduty list-coverage \
    --detector-id <your-detector-id> \
    --region us-east-1
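The two CLI verification commands above return JSON that still has to be read by a person. The following Python script, added here as an example and not part of the original check documentation, applies the check's pass/fail logic to that output offline: it passes only when a runtime monitoring feature is ENABLED and its EKS_ADDON_MANAGEMENT configuration is also ENABLED, it accepts the broader RUNTIME_MONITORING feature as equivalent (per the note in the CLI section), and it lists EKS clusters whose coverage is not HEALTHY. The sample documents are constructed for the example; the list-coverage field names (Resources, ResourceType, CoverageStatus, Issue, ResourceDetails.EksClusterDetails.ClusterName) are assumed from the GuardDuty ListCoverage response shape and should be checked against your own output.

```python
"""Evaluate GuardDuty get-detector / list-coverage JSON for the EKS Runtime Monitoring check.

Example code, not the page's own check. Run offline against the constructed
samples below, or pipe real CLI output in:
    aws guardduty get-detector --detector-id <id> | python check_eks_runtime.py
"""
import json
import sys

# Either feature satisfies the check. RUNTIME_MONITORING is the broader feature
# (EKS, ECS Fargate, EC2) and cannot be enabled together with EKS_RUNTIME_MONITORING.
RUNTIME_FEATURES = ("RUNTIME_MONITORING", "EKS_RUNTIME_MONITORING")
AGENT_MANAGEMENT = "EKS_ADDON_MANAGEMENT"


def evaluate_detector(detector: dict) -> dict:
    """Return a PASS/FAIL verdict for the `Features` list of one detector.

    PASS requires a runtime monitoring feature with Status ENABLED whose
    AdditionalConfiguration has EKS_ADDON_MANAGEMENT with Status ENABLED.
    """
    features = {f.get("Name"): f for f in detector.get("Features", [])}
    for name in RUNTIME_FEATURES:
        feat = features.get(name)
        if feat is None or feat.get("Status") != "ENABLED":
            continue  # this feature is absent or disabled; try the other one
        addon = {c.get("Name"): c.get("Status")
                 for c in feat.get("AdditionalConfiguration", [])}
        if addon.get(AGENT_MANAGEMENT) == "ENABLED":
            return {"status": "PASS", "feature": name,
                    "reason": f"{name} enabled with automated agent management"}
        # Feature on, but the agent is not managed by GuardDuty: clusters may be uncovered.
        return {"status": "FAIL", "feature": name,
                "reason": f"{name} enabled but {AGENT_MANAGEMENT} is not ENABLED"}
    return {"status": "FAIL", "feature": None,
            "reason": "no runtime monitoring feature is ENABLED"}


def unhealthy_clusters(coverage: dict) -> list:
    """Return (cluster name, coverage status, issue) for EKS resources that are not HEALTHY.

    Field names are assumed from the ListCoverage response shape (hypothetical here).
    """
    findings = []
    for res in coverage.get("Resources", []):
        if res.get("ResourceType") != "EKS":
            continue
        status = res.get("CoverageStatus")
        if status == "HEALTHY":
            continue
        details = res.get("ResourceDetails", {}).get("EksClusterDetails", {})
        name = details.get("ClusterName", res.get("ResourceId"))
        findings.append((name, status, res.get("Issue", "")))
    return findings


# Constructed samples (not real account data).
DETECTOR_OK = {"Features": [
    {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]}

DETECTOR_BROAD = {"Features": [
    {"Name": "EKS_RUNTIME_MONITORING", "Status": "DISABLED", "AdditionalConfiguration": []},
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]}

DETECTOR_NO_ADDON = {"Features": [
    {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]}]}

COVERAGE_SAMPLE = {"Resources": [
    {"ResourceType": "EKS", "ResourceId": "arn:aws:eks:us-east-1:111122223333:cluster/prod",
     "CoverageStatus": "HEALTHY",
     "ResourceDetails": {"EksClusterDetails": {"ClusterName": "prod"}}},
    {"ResourceType": "EKS", "ResourceId": "arn:aws:eks:us-east-1:111122223333:cluster/batch",
     "CoverageStatus": "UNHEALTHY", "Issue": "Agent not deployed",
     "ResourceDetails": {"EksClusterDetails": {"ClusterName": "batch"}}},
    {"ResourceType": "ECS", "ResourceId": "arn:aws:ecs:us-east-1:111122223333:cluster/x",
     "CoverageStatus": "UNHEALTHY"}]}


if __name__ == "__main__":
    # Reads a get-detector response from stdin and prints the verdict.
    print(json.dumps(evaluate_detector(json.load(sys.stdin)), indent=2))
```

Running the script on the sample detector documents shows the three states a practitioner meets in practice: the page's expected output passes, an account that moved to the broader RUNTIME_MONITORING feature also passes, and a detector with the feature on but automated agent management off fails, which the console toggle alone would not make obvious.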
Additional Resources
- GuardDuty Runtime Monitoring Configuration
- GuardDuty EKS Protection
- Security Hub GuardDuty Controls
- Prowler Check Documentation
Notes
- Agent deployment: With automated agent management enabled, GuardDuty installs a security agent as an EKS add-on. This add-on consumes resources on your cluster nodes.
- Cost considerations: EKS Runtime Monitoring incurs additional GuardDuty charges based on the number of vCPUs in your monitored EKS clusters. Review GuardDuty pricing before enabling.
- Runtime Monitoring vs EKS Runtime Monitoring: AWS offers a broader "Runtime Monitoring" feature that covers EKS, ECS Fargate, and EC2 instances. If you need protection across multiple compute platforms, consider enabling the full Runtime Monitoring feature instead. Note that you cannot enable both EKS_RUNTIME_MONITORING and RUNTIME_MONITORING simultaneously.
- Multi-account environments: In AWS Organizations, the delegated GuardDuty administrator must enable this feature for member accounts. Individual member accounts cannot override the administrator's settings.
- Compliance frameworks: This control maps to C5, KISA-ISMS-P, and NIS2 compliance frameworks.