Amazon GuardDuty is a machine learning-based security monitoring and threat detection service for AWS accounts and workloads. A key feature is Runtime Monitoring, which uses a lightweight security agent on the host to analyze on-host operating system, file, and network events, and which already covers Amazon EKS, Amazon ECS, and AWS Fargate resources. The newly announced GuardDuty EC2 Runtime Monitoring extends this agent-based coverage to EC2 instances. It complements, rather than replaces, GuardDuty's foundational detections, which are built on VPC Flow Logs, DNS query logs, and CloudTrail events: the agent gives visibility into OS-level activity on the instance and adds container-level context when the threat is found inside a container running on EC2. Threats to EC2 workloads such as remote code execution, suspicious command execution, and malicious file downloads and execution can therefore be identified earlier and responded to.
To configure EC2 Runtime Monitoring, enable Runtime Monitoring in the GuardDuty console (or through the GuardDuty API). New GuardDuty customers get a 30-day free trial that covers all features. The security agent can be deployed automatically by GuardDuty or installed manually on each instance. Automated agent configuration is the recommended option because GuardDuty then installs and updates the agent for you; it relies on AWS Systems Manager to do so, so the instances must be SSM-managed, and GuardDuty creates the VPC endpoint through which the agent reports. Runtime Monitoring can be enabled across multiple accounts from the delegated administrator account in AWS Organizations. Even where runtime coverage is unavailable, for example on an instance without the agent, GuardDuty still provides its foundational threat detection from CloudTrail, VPC Flow Logs, and DNS logs.
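The enablement and verification steps above, as an added example that is not part of the original post or of AWS's own code. It builds the UpdateDetector payload that turns on Runtime Monitoring with automated EC2 agent management, reads the feature state back from GetDetector instead of trusting the update call, and pages through ListCoverage to find EC2 instances whose agent coverage is not healthy. The GuardDuty client is passed in (a boto3 client in real use); FakeGuardDuty, its coverage pages, the instance IDs and the detector ID are constructed stand-ins so the script runs offline.

```python
"""Added example: enable GuardDuty Runtime Monitoring with automated EC2 agent
management, confirm it via GetDetector, and list EC2 coverage gaps.
The client is injected (boto3 at runtime); FakeGuardDuty is a constructed stand-in."""
from typing import Any

# Feature and additional-configuration names accepted by UpdateDetector.
RUNTIME_MONITORING = "RUNTIME_MONITORING"
EC2_AGENT_MANAGEMENT = "EC2_AGENT_MANAGEMENT"


def runtime_monitoring_feature(automated_ec2_agent: bool = True) -> dict:
    """Features entry that turns on Runtime Monitoring and, when requested,
    lets GuardDuty install and update the EC2 security agent itself."""
    return {
        "Name": RUNTIME_MONITORING,
        "Status": "ENABLED",
        "AdditionalConfiguration": [{
            "Name": EC2_AGENT_MANAGEMENT,
            "Status": "ENABLED" if automated_ec2_agent else "DISABLED",
        }],
    }


def enable_runtime_monitoring(gd: Any, detector_id: str, automated_ec2_agent: bool = True) -> None:
    gd.update_detector(DetectorId=detector_id,
                       Features=[runtime_monitoring_feature(automated_ec2_agent)])


def feature_status(gd: Any, detector_id: str) -> dict:
    """Read feature state back from GetDetector, e.g.
    {'RUNTIME_MONITORING': 'ENABLED', 'EC2_AGENT_MANAGEMENT': 'ENABLED'}."""
    status = {}
    for feat in gd.get_detector(DetectorId=detector_id).get("Features", []):
        status[feat["Name"]] = feat["Status"]
        for extra in feat.get("AdditionalConfiguration", []):
            status[extra["Name"]] = extra["Status"]
    return status


def ec2_coverage_gaps(gd: Any, detector_id: str) -> list:
    """EC2 instances whose CoverageStatus is not HEALTHY, with the Issue text
    GuardDuty reports (agent missing, outdated, or cannot reach the VPC endpoint).
    Pages through ListCoverage using NextToken."""
    gaps, token = [], None
    while True:
        kwargs = {
            "DetectorId": detector_id,
            "FilterCriteria": {"FilterCriterion": [{
                "CriterionKey": "RESOURCE_TYPE",
                "FilterCondition": {"Equals": ["EC2"]},
            }]},
        }
        if token:
            kwargs["NextToken"] = token
        resp = gd.list_coverage(**kwargs)
        for res in resp.get("Resources", []):
            if res.get("CoverageStatus") == "HEALTHY":
                continue
            ec2 = res.get("ResourceDetails", {}).get("Ec2InstanceDetails", {})
            gaps.append({
                "instance_id": ec2.get("InstanceId"),
                "management": ec2.get("ManagementType"),
                "agent_version": ec2.get("AgentDetails", {}).get("Version"),
                "status": res.get("CoverageStatus"),
                "issue": res.get("Issue"),
            })
        token = resp.get("NextToken")
        if not token:
            return gaps


class FakeGuardDuty:
    """Constructed in-memory stand-in for the boto3 GuardDuty client (not a real API)."""
    def __init__(self) -> None:
        self.features: list = []
        self.pages = [  # constructed ListCoverage responses, two pages
            {"Resources": [{"CoverageStatus": "HEALTHY", "ResourceDetails": {
                "ResourceType": "EC2", "Ec2InstanceDetails": {
                    "InstanceId": "i-0aaa111", "ManagementType": "AUTO_MANAGED",
                    "AgentDetails": {"Version": "1.2.0"}}}}], "NextToken": "p2"},
            {"Resources": [{"CoverageStatus": "UNHEALTHY", "Issue": "SSM agent is not running",
                "ResourceDetails": {"ResourceType": "EC2", "Ec2InstanceDetails": {
                    "InstanceId": "i-0bbb222", "ManagementType": "AUTO_MANAGED"}}}]},
        ]
    def update_detector(self, DetectorId: str, Features: list) -> dict:
        self.features = Features
        return {}
    def get_detector(self, DetectorId: str) -> dict:
        return {"Features": self.features}
    def list_coverage(self, DetectorId: str, FilterCriteria: dict, NextToken: str = None) -> dict:
        return self.pages[1] if NextToken == "p2" else self.pages[0]


def demo(gd: Any, detector_id: str = "example-detector-id") -> dict:
    """Enable, verify, then report gaps; detector_id default is a placeholder."""
    enable_runtime_monitoring(gd, detector_id)
    return {"features": feature_status(gd, detector_id),
            "gaps": ec2_coverage_gaps(gd, detector_id)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(FakeGuardDuty()), indent=2))
    # Real account: import boto3; demo(boto3.client("guardduty"), "<your detector id>")
```

The same Features structure, with AutoEnable in place of Status, is what UpdateOrganizationConfiguration takes when the delegated administrator rolls this out to member accounts. A coverage gap whose Issue mentions SSM is the usual symptom of an instance that is not Systems Manager-managed, which automated agent configuration cannot reach.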
When GuardDuty detects a potential threat, it generates a security finding that carries a severity level, details of the affected instance and process, and remediation recommendations. Over 30 finding types are supported for EC2 instances, covering, for example, backdoors, unauthorized or command-and-control communication, and cryptocurrency mining activity. Findings are resolved by investigating the affected resource and taking the appropriate action. Because GuardDuty findings are published to AWS Security Hub and Amazon EventBridge, EC2 Runtime Monitoring can be integrated with other AWS security services and with event management systems to drive automated responses.
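The automated-response integration described above, as an added example that is not part of the original post or of AWS's own code. It takes a GuardDuty finding as EventBridge delivers it (source aws.guardduty, detail-type GuardDuty Finding), pulls out the runtime context a responder needs first (instance, process, executable path and hash), maps the numeric severity to GuardDuty's bands, and for high or critical runtime findings isolates the instance by moving its network interfaces into a quarantine security group while leaving it running for forensics. The EC2 client is passed in (a boto3 client in real use); FakeEC2, SAMPLE_EVENT, the quarantine group ID and all instance, ENI and process values are constructed. The finding type names follow GuardDuty's finding-type naming, but the event content is made up.

```python
"""Added example: triage a GuardDuty EC2 runtime finding from EventBridge and
quarantine the instance at HIGH/CRITICAL severity. The EC2 client is injected
(boto3 at runtime); FakeEC2 and SAMPLE_EVENT are constructed stand-ins."""
from typing import Any


def severity_label(score: float) -> str:
    """GuardDuty's numeric severity mapped to its published bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def summarize_finding(finding: dict) -> dict:
    """Fields a responder needs first: which instance, which process, what ran."""
    proc = finding.get("service", {}).get("runtimeDetails", {}).get("process", {})
    inst = finding.get("resource", {}).get("instanceDetails", {})
    return {
        "type": finding.get("type", ""),
        "severity": severity_label(float(finding.get("severity", 0))),
        "instance_id": inst.get("instanceId"),
        "process": proc.get("name"),
        "executable": proc.get("executablePath"),
        "sha256": proc.get("executableSha256"),
        "pid": proc.get("pid"),
    }


def decide_action(summary: dict) -> str:
    """Runtime findings (type contains 'Runtime/') on a known instance: isolate at
    HIGH/CRITICAL, open a ticket at MEDIUM, otherwise just record the finding."""
    if "Runtime/" not in summary["type"] or not summary["instance_id"]:
        return "record"
    if summary["severity"] in ("HIGH", "CRITICAL"):
        return "isolate"
    if summary["severity"] == "MEDIUM":
        return "ticket"
    return "record"


def isolate_instance(ec2: Any, instance_id: str, quarantine_sg: str) -> list:
    """Replace the security groups on every ENI of the instance with the quarantine
    group (one with no inbound or outbound rules). The instance is not stopped, so
    memory and disk remain available for forensic collection."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    enis = [ni["NetworkInterfaceId"]
            for r in resp["Reservations"] for i in r["Instances"]
            for ni in i["NetworkInterfaces"]]
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
    return enis


def handle_event(event: dict, ec2: Any, quarantine_sg: str) -> dict:
    """Entry point for an EventBridge rule matching source 'aws.guardduty'."""
    summary = summarize_finding(event["detail"])
    action = decide_action(summary)
    summary["action"] = action
    if action == "isolate":
        summary["isolated_enis"] = isolate_instance(ec2, summary["instance_id"], quarantine_sg)
    return summary


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client; records requested SG changes."""
    def __init__(self) -> None:
        self.changes: dict = {}
    def describe_instances(self, InstanceIds: list) -> dict:
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0c0ffee01"}]}]}]}
    def modify_network_interface_attribute(self, NetworkInterfaceId: str, Groups: list) -> dict:
        self.changes[NetworkInterfaceId] = Groups
        return {}


# Constructed EventBridge event shaped like a GuardDuty runtime finding (values made up).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Execution:Runtime/NewBinaryExecuted",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123def456"}},
        "service": {"runtimeDetails": {"process": {
            "name": "xmrig", "executablePath": "/tmp/.x/xmrig", "pid": 4242,
            "executableSha256": "0" * 64}}},
    },
}

if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT, FakeEC2(), "sg-quarantine"))
    # Real deployment: handle_event(event, boto3.client("ec2"), os.environ["QUARANTINE_SG"])
```

In a real deployment this runs as a Lambda target of an EventBridge rule whose pattern matches {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}, and the executable path and SHA-256 from the summary are what you pivot on when checking other instances for the same binary. Changing security groups on the ENI rather than stopping the instance keeps the live evidence intact, but it does not cut off an attacker who already has a session through a path the quarantine group still allows, so the group must genuinely have no rules.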
The security agent supports EC2 instances running Amazon Linux 2 or later (the GuardDuty documentation lists the supported distributions and kernel versions), and CPU and memory limits for the agent can be configured. The cost of GuardDuty can be estimated from the pricing page; the runtime monitoring agent is billed by the vCPU-hours of the instances it runs on. Enabling EC2 Runtime Monitoring can also reduce costs: for an instance where the agent is running, GuardDuty no longer charges for the analysis of that instance's VPC Flow Logs, so the same traffic is not billed twice.
GuardDuty EC2 Runtime Monitoring is available in all AWS Regions where GuardDuty is offered, with a few exceptions listed in the GuardDuty documentation. You can try the feature in the GuardDuty console and send feedback to AWS for further improvements.
Article Source
https://aws.amazon.com/blogs/aws/amazon-guardduty-ec2-runtime-monitoring-is-now-generally-available/