Streamline GuardDuty Add-on Management for Amazon EKS Clusters
As the threat landscape for Kubernetes environments continues to evolve, it is essential to continuously monitor your clusters for malicious activity. As part of security best practices for EKS, organizations should implement a solution that continuously monitors EKS runtimes, analyzes EKS audit logs, and scans for malware and other suspicious activity. GuardDuty uses continuously updated threat intelligence feeds, such as lists of malicious IP addresses and domains, together with machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This includes privilege escalation, use of exposed credentials, communication with malicious IP addresses or domains, the presence of malware on your Amazon EC2 instances and EKS container workloads, and suspicious API activity.
GuardDuty provides an EKS managed add-on that helps you detect and respond to threats by continuously monitoring your EKS clusters. With the Rafay Platform, you can easily configure and manage GuardDuty for your EKS clusters and monitor its findings from the AWS Console.
The Rafay Platform streamlines management of GuardDuty for EKS clusters managed by the platform. With just a few clicks in the console (or via the API, CLI, GitOps, or Rafay's Terraform Provider), you can configure GuardDuty and start monitoring your EKS clusters for security threats.
```mermaid
sequenceDiagram
    participant User
    participant Rafay
    participant Amazon EKS
    User->>Rafay: Request to Enable or Upgrade GuardDuty Add-on
    Rafay->>Amazon EKS: Configure GuardDuty Add-on
    Amazon EKS-->>Rafay: Configuration Response
    Rafay-->>User: Acknowledge Configuration
```
Rafay Platform: Add-On Configuration
To set up the EKS managed add-on on a new EKS cluster:
- Click Managed Addons and select the GuardDuty addon. For an existing cluster, navigate to the cluster's Configuration tab instead.
- Click "Add EKS Managed Addon," choose the addon and its version from the dropdown menu, then click "Save."
If you do not provide a role ARN as input, the process automatically uses the role inherited from the node.
Validate the AWS GuardDuty Agent
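Beyond eyeballing the add-on status in the console, a practitioner usually wants a repeatable check that the agent is actually running on every node. The following is an added example, not code from the Rafay page or the Rafay tooling. It evaluates the JSON printed by `kubectl get daemonset aws-guardduty-agent -n amazon-guardduty -o json` (the EKS add-on deploys the agent as a DaemonSet in the `amazon-guardduty` namespace); the sample DaemonSet documents, including the image reference and account ID in them, are constructed here so the check runs offline, and the `fetch_daemonset` helper is only for use against a live cluster.

```python
"""Validate that the GuardDuty agent DaemonSet is fully rolled out on an EKS cluster.

Added example (not Rafay's code). Input is the JSON from
`kubectl get daemonset aws-guardduty-agent -n amazon-guardduty -o json`.
"""
import json
import subprocess
from dataclasses import dataclass
from typing import List

NAMESPACE = "amazon-guardduty"      # namespace the EKS managed add-on deploys into
DAEMONSET = "aws-guardduty-agent"   # DaemonSet (and add-on) name


@dataclass
class AgentRollout:
    desired: int       # nodes that should run the agent (status.desiredNumberScheduled)
    ready: int         # nodes whose agent pod is Ready (status.numberReady)
    unavailable: int   # nodes with a scheduled but not-Ready agent (status.numberUnavailable)
    updated: int       # nodes already on the current pod template (status.updatedNumberScheduled)
    image: str         # agent container image, useful when auditing versions across clusters

    def problems(self) -> List[str]:
        """Return human-readable findings; an empty list means the agent covers every node."""
        issues = []
        if self.desired == 0:
            issues.append("agent is not scheduled on any node")
        if self.ready < self.desired:
            issues.append(f"only {self.ready}/{self.desired} agent pods are Ready")
        if self.unavailable:
            issues.append(f"{self.unavailable} agent pod(s) unavailable")
        if self.updated < self.desired:
            issues.append(f"rollout incomplete: {self.updated}/{self.desired} pods on current template")
        return issues


def parse_daemonset(doc: dict) -> AgentRollout:
    """Reduce a DaemonSet object to the fields the rollout check needs."""
    status = doc.get("status", {})
    containers = doc["spec"]["template"]["spec"]["containers"]
    return AgentRollout(
        desired=int(status.get("desiredNumberScheduled", 0)),
        ready=int(status.get("numberReady", 0)),
        unavailable=int(status.get("numberUnavailable", 0)),
        updated=int(status.get("updatedNumberScheduled", 0)),
        image=containers[0]["image"],
    )


def fetch_daemonset() -> dict:
    """Live read through kubectl; needs cluster credentials, not used by the sample run."""
    out = subprocess.run(
        ["kubectl", "get", "daemonset", DAEMONSET, "-n", NAMESPACE, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def make_sample(desired: int, ready: int, unavailable: int, updated: int) -> dict:
    """Constructed DaemonSet document; the image reference and account ID are made up."""
    return {
        "apiVersion": "apps/v1",
        "kind": "DaemonSet",
        "metadata": {"name": DAEMONSET, "namespace": NAMESPACE},
        "spec": {"template": {"spec": {"containers": [{
            "name": DAEMONSET,
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/aws-guardduty-agent:v1.2.0",
        }]}}},
        "status": {
            "desiredNumberScheduled": desired,
            "numberReady": ready,
            "numberUnavailable": unavailable,
            "updatedNumberScheduled": updated,
        },
    }


SAMPLE_HEALTHY = make_sample(desired=3, ready=3, unavailable=0, updated=3)
SAMPLE_DEGRADED = make_sample(desired=3, ready=2, unavailable=1, updated=3)

if __name__ == "__main__":
    for label, doc in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        rollout = parse_daemonset(doc)
        print(f"{label}: image={rollout.image} problems={rollout.problems() or 'none'}")
```

Run it as-is to see both sample outcomes; for a real cluster, replace the samples with `parse_daemonset(fetch_daemonset())`. A non-empty `problems()` list after the add-on reports ACTIVE usually points at nodes the DaemonSet cannot tolerate or a pod stuck pulling the image.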
Review GuardDuty Audit Logs in the AWS Console
One-time configuration in AWS
GuardDuty monitoring configuration and logs are set at the AWS account level and incur associated costs. Therefore, we leave enabling them to the user and do not turn them on as part of the add-on configuration; this is a one-time configuration. To enable GuardDuty monitoring for EKS clusters, navigate to the GuardDuty service in the AWS Console and enable the following configuration under EKS Protection:
Status of EKS Runtime Monitoring
Monitor and analyze GuardDuty audit logs directly from the AWS Console
The Rafay Platform eliminates the need to manually configure the GuardDuty add-on by supporting lifecycle operations for it declaratively, via Infrastructure as Code. You only need to provide a single input, and the platform automatically adds or upgrades the add-on. In addition to saving users a significant amount of time and effort, this also gives organizations the means to ensure and verify that all EKS clusters in their accounts have a baseline security posture with GuardDuty for EKS.
```yaml
addons:
  - name: aws-guardduty-agent
    version: v1.2.0-eksbuild.3
```
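Verifying that baseline posture means checking two things together: the account-level detector has EKS Protection enabled (the one-time AWS configuration described above), and every cluster runs the `aws-guardduty-agent` add-on at the version pinned in the spec. The following is an added example, not code from the Rafay page or platform. It evaluates the JSON printed by `aws guardduty get-detector --detector-id <id>` and `aws eks describe-addon --cluster-name <cluster> --addon-name aws-guardduty-agent`; the feature names follow the GuardDuty API, where runtime monitoring is reported as `EKS_RUNTIME_MONITORING` on older detectors and as `RUNTIME_MONITORING` on newer ones, so either is accepted. The detector and add-on documents below are constructed samples so the check runs offline.

```python
"""Baseline posture check for GuardDuty on EKS: account-level EKS Protection plus
per-cluster add-on status and version drift.

Added example (not Rafay's code). Inputs are the parsed JSON of
`aws guardduty get-detector` and `aws eks describe-addon`; None stands for a cluster
where describe-addon reported the add-on as not found.
"""
from typing import Dict, List, Optional

ADDON_NAME = "aws-guardduty-agent"

# Feature names as reported by get-detector. Runtime monitoring appears as
# EKS_RUNTIME_MONITORING on older detectors and RUNTIME_MONITORING on newer ones.
REQUIRED_FEATURES = {
    "EKS audit log monitoring": ("EKS_AUDIT_LOGS",),
    "EKS runtime monitoring": ("EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"),
}


def missing_eks_protection(detector: dict) -> List[str]:
    """Return the EKS Protection capabilities that are not ENABLED on the detector."""
    enabled = {f["Name"] for f in detector.get("Features", []) if f.get("Status") == "ENABLED"}
    return [label for label, names in REQUIRED_FEATURES.items()
            if not any(name in enabled for name in names)]


def addon_findings(addon_doc: Optional[dict], pinned_version: str) -> List[str]:
    """Flag a cluster whose add-on is missing, not ACTIVE, or drifted from the pinned version."""
    if addon_doc is None:
        return [f"{ADDON_NAME} add-on not installed"]
    addon = addon_doc["addon"]
    findings = []
    if addon.get("status") != "ACTIVE":
        findings.append(f"add-on status is {addon.get('status')}")
    if addon.get("addonVersion") != pinned_version:
        findings.append(f"add-on version {addon.get('addonVersion')} != pinned {pinned_version}")
    return findings


def posture_report(detector: dict, addons_by_cluster: Dict[str, Optional[dict]],
                   pinned_version: str) -> Dict[str, List[str]]:
    """Map 'account' and each cluster name to its findings; an empty list means compliant."""
    report = {"account": [f"{m} not enabled on detector" for m in missing_eks_protection(detector)]}
    for cluster, doc in sorted(addons_by_cluster.items()):
        report[cluster] = addon_findings(doc, pinned_version)
    return report


# --- constructed sample inputs: shapes follow the AWS CLI output, values are made up ---
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
        {"Name": "EKS_RUNTIME_MONITORING", "Status": "DISABLED",
         "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}]},
    ],
}
SAMPLE_ADDONS = {
    "prod-eks": {"addon": {"addonName": ADDON_NAME, "addonVersion": "v1.2.0-eksbuild.3", "status": "ACTIVE"}},
    "dev-eks": {"addon": {"addonName": ADDON_NAME, "addonVersion": "v1.1.0-eksbuild.1", "status": "DEGRADED"}},
    "legacy-eks": None,  # describe-addon found no add-on on this cluster
}
PINNED_VERSION = "v1.2.0-eksbuild.3"  # the version from the add-on spec above

if __name__ == "__main__":
    for scope, findings in posture_report(SAMPLE_DETECTOR, SAMPLE_ADDONS, PINNED_VERSION).items():
        print(f"{scope}: {'OK' if not findings else '; '.join(findings)}")
```

The account-level finding is the one most often overlooked: the add-on can be ACTIVE on every cluster and still produce no runtime findings while EKS Runtime Monitoring is disabled on the detector, which is exactly the gap the one-time AWS configuration closes.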