Skip to content

Streamline GuardDuty Add-on Management for Amazon EKS Clusters

As the threat landscape for Kubernetes environments continues to evolve, it is essential to take steps to continuously monitor your clusters for malicious activity. As part of security best practices for EKS, it is critical for organizations to implement a solution for continuously monitoring EKS runtimes, analyzing EKS audit logs, scanning for malware and other suspicious activity. Guardduty uses continuously updated threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This can include issues like escalation of privileges, use of exposed credentials, or communication with malicious IP addresses, domains, presence of malware on your Amazon EC2 instances and EKS container workloads, or discovery of suspicious API activity.

GuardDuty provides an EKS managed add-on that helps you detect and respond to threats by continuously monitoring your EKS clusters. With Rafay Platform, you can easily configure and manage GuardDuty for your EKS clusters, and monitor its findings from the AWS Console.

The Rafay Platform streamlines management of GuardDuty for EKS clusters managed by the platform. With just a few clicks in the console (or the API, CLI, GitOps or Rafay's Terraform Provider), you can now configure GuardDuty and start monitoring your EKS clusters for security threats.

  participant User
  participant Rafay
  participant Amazon EKS

  User->>Rafay: Request to Enable or Upgrade GuardDuty Add-on
  Rafay->>Amazon EKS: Configure GuardDuty Add-on
  Amazon EKS-->>Rafay: Configuration Response
  Rafay-->>User: Acknowledge Configuration

Rafay Platform: Add-On Configuration

To set up the EKS managed add-on on your new EKS cluster

  • Click Managed Addons and Select GuardDuty addon and for existing clusters, navigate to the configuration tab.
  • Click on "Add EKS Managed Addon," choose the addon and its version from the dropdown menu, then click "Save."

The process will automatically utilize the inherited role attached to the node if you do not provide any role ARN as input.


Validate the AWS GuardDuty Agent

Addon Validate

Review GuardDuty Audit Logs in the AWS Console

One-time configuration in AWS


GuardDuty monitoring configuration and logs are set at the AWS account level and come with associated cost, Therefore, we leave it to the user and do not enable them as part of the add-on configuration and it is a one-time configuration. To enable GuardDuty monitoring for EKS clusters, users must manually navigate to the GuardDuty service in the AWS Console and enable the following configuration under EKS Protection


Status of EKS Runtime Monitoring

Monitor and analyze GuardDuty audit logs directly from the AWS Console

Addon Health

Review Findings



The Rafay Platform eliminates the need to manually configure the GuardDuty add-on by supporting lifecycle operations for it via Infrastructure as Code or declaratively. You only need to provide a single input, and the platform will automatically add or upgrade the add-on. In addition to saving users significant amount of time and effort, this also provides organizations the means to ensure and check that all EKS clusters in their accounts have a baseline security posture with GuardDuty for EKS.

- name: aws-guardduty-agent
  version: v1.2.0-eksbuild.3

If you want to try this out yourself, sign up for a Free Rafay Org and check out our documentation.