
πŸ›‘οΈ AWS GuardDuty Detector Runtime Monitoring is not enabled🟒

  • Contextual name: 🛡️ Detector Runtime Monitoring is not enabled 🟢
  • ID: /ce/ca/aws/guardduty/detector-runtime-monitoring
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy identifies AWS GuardDuty Detectors that do not have Runtime Monitoring enabled.

Runtime Monitoring observes and analyzes operating system–level, networking, and file events to help detect potential security threats within your AWS workloads.

Rationale

GuardDuty Runtime Monitoring provides visibility into the runtime behavior of your Amazon EC2, Amazon ECS, and Amazon EKS workloads. By analyzing host-level activity, GuardDuty can detect threats such as malware, credential compromise, and other malicious actions that may not be visible through network-based analysis alone.

Impact

GuardDuty Runtime Monitoring pricing is based on the number and size of protected workloads, measured in virtual CPUs (vCPUs), so cost scales with the EC2 instances, ECS Fargate tasks and EKS nodes that are monitored. Enabling the feature on the detector does not by itself produce coverage: the GuardDuty security agent must also run on the workloads, either deployed by GuardDuty through the agent-management options (EKS add-on, ECS Fargate sidecar, EC2 agent via Systems Manager) or installed manually, and the agent sends its telemetry through a GuardDuty VPC endpoint that automated agent management creates in each monitored VPC.

Audit

This policy flags an AWS GuardDuty Detector as INCOMPLIANT if the RUNTIME_MONITORING feature is set to DISABLED, or if the legacy EKS_RUNTIME_MONITORING feature is still set to ENABLED. A detector with both features ENABLED is therefore flagged as well: EKS clusters should be covered by RUNTIME_MONITORING (with the EKS_ADDON_MANAGEMENT option) and the legacy feature turned off.

AWS recommends migrating from EKS Runtime Monitoring to Runtime Monitoring, which monitors Amazon EKS clusters alongside EC2 and ECS Fargate workloads, for improved threat detection and unified coverage.

Remediation

Enable Runtime Monitoring

For Multi-Account Environments

In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable Runtime Monitoring for member accounts. Member accounts cannot modify this configuration directly.

From Command Line

aws guardduty update-member-detectors \
  --detector-id {{detector-id}} \
  --account-ids {{account-id1}} {{account-id2}} ... \
  --region {{region}} \
  --features 'Name=RUNTIME_MONITORING,Status=ENABLED,AdditionalConfiguration=[{Name={{EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT}},Status=ENABLED}]' 'Name=EKS_RUNTIME_MONITORING,Status=DISABLED'

The {{...|...}} placeholder stands for one AdditionalConfiguration entry; repeat the {Name=...,Status=ENABLED} element for each agent-management option (EKS add-on, ECS Fargate agent, EC2 agent) that GuardDuty should manage for the member accounts.

The delegated administrator account can also have Runtime Monitoring enabled automatically through the organization configuration. AutoEnable=NEW applies the setting to accounts that join the organization later, AutoEnable=ALL to existing and future member accounts, and AutoEnable=NONE for the legacy EKS feature keeps it from being turned on.

aws guardduty update-organization-configuration \
  --detector-id {{detector-id}} \
  --features 'Name=RUNTIME_MONITORING,AutoEnable={{NEW|ALL}},AdditionalConfiguration=[{Name={{EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT}},AutoEnable={{NEW|ALL}}}]' 'Name=EKS_RUNTIME_MONITORING,AutoEnable=NONE'

... [see more](remediation.md)
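The audit rule and the remediation above, as an added example that is not part of this page or of Cloudaware's policy implementation. evaluate() applies the rule to a GetDetector response (the three sample responses are constructed to show the legacy-only, half-migrated and compliant cases), remediation_features() builds the same Features argument the CLI commands pass, and audit_region() runs the check live with boto3 against every detector in a region. The function names, the sample data and the use of boto3 are this example's assumptions.

```python
"""Audit GuardDuty detectors for Runtime Monitoring and, optionally, remediate.

Added example for this page; not Cloudaware's policy implementation.
evaluate() applies the audit rule above to a GetDetector response; the
remediation helpers build the Features argument the CLI commands use.
"""
from __future__ import annotations

from typing import Any, Dict, List, Optional, Tuple

RUNTIME = "RUNTIME_MONITORING"          # current feature: EC2, ECS Fargate and EKS
LEGACY_EKS = "EKS_RUNTIME_MONITORING"   # legacy feature to migrate away from
# Automated agent-management options nested under RUNTIME_MONITORING.
AGENT_MGMT = ("EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT")

# Constructed GetDetector responses (shape only; not real detector data).
SAMPLE_LEGACY_ONLY = {"Features": [
    {"Name": LEGACY_EKS, "Status": "ENABLED"},
    {"Name": RUNTIME, "Status": "DISABLED"},
]}
SAMPLE_BOTH_ENABLED = {"Features": [          # migration half done: still flagged
    {"Name": LEGACY_EKS, "Status": "ENABLED"},
    {"Name": RUNTIME, "Status": "ENABLED",
     "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]},
]}
SAMPLE_COMPLIANT = {"Features": [
    {"Name": LEGACY_EKS, "Status": "DISABLED"},
    {"Name": RUNTIME, "Status": "ENABLED",
     "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
                                 {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"}]},
]}


def feature_status(detector: Dict[str, Any], name: str) -> str:
    """Status of a top-level feature; a feature missing from the response counts as DISABLED."""
    for feat in detector.get("Features", []):
        if feat.get("Name") == name:
            return feat.get("Status", "DISABLED")
    return "DISABLED"


def agent_management(detector: Dict[str, Any]) -> Dict[str, str]:
    """Status of each automated agent-management option under RUNTIME_MONITORING."""
    status = {name: "DISABLED" for name in AGENT_MGMT}
    for feat in detector.get("Features", []):
        if feat.get("Name") == RUNTIME:
            for cfg in feat.get("AdditionalConfiguration", []):
                if cfg.get("Name") in status:
                    status[cfg["Name"]] = cfg.get("Status", "DISABLED")
    return status


def evaluate(detector: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Apply the audit rule: compliant only if RUNTIME_MONITORING is ENABLED and
    EKS_RUNTIME_MONITORING is not. Returns (compliant, reasons)."""
    reasons: List[str] = []
    if feature_status(detector, RUNTIME) != "ENABLED":
        reasons.append(f"{RUNTIME} is DISABLED")
    if feature_status(detector, LEGACY_EKS) == "ENABLED":
        reasons.append(f"{LEGACY_EKS} is still ENABLED")
    return (not reasons, reasons)


def remediation_features(agent_options=AGENT_MGMT) -> List[Dict[str, Any]]:
    """Features argument for UpdateDetector / UpdateMemberDetectors, equivalent to the
    --features value in the CLI commands above."""
    return [
        {"Name": RUNTIME, "Status": "ENABLED",
         "AdditionalConfiguration": [{"Name": n, "Status": "ENABLED"} for n in agent_options]},
        {"Name": LEGACY_EKS, "Status": "DISABLED"},
    ]


def audit_region(region: str, remediate: bool = False,
                 member_account_ids: Optional[List[str]] = None) -> Dict[str, Tuple[bool, List[str]]]:
    """Live audit of every detector in a region. Needs boto3 and credentials with
    guardduty:ListDetectors and guardduty:GetDetector; remediation additionally needs
    guardduty:UpdateDetector (standalone account) or guardduty:UpdateMemberDetectors
    (delegated administrator, pass member_account_ids)."""
    import boto3  # imported here so the pure evaluation functions run without it

    gd = boto3.client("guardduty", region_name=region)
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for det_id in gd.list_detectors().get("DetectorIds", []):
        compliant, reasons = evaluate(gd.get_detector(DetectorId=det_id))
        results[det_id] = (compliant, reasons)
        if remediate and not compliant:
            if member_account_ids:
                gd.update_member_detectors(DetectorId=det_id, AccountIds=member_account_ids,
                                           Features=remediation_features())
            else:
                gd.update_detector(DetectorId=det_id, Features=remediation_features())
    return results


if __name__ == "__main__":
    for label, sample in [("legacy only", SAMPLE_LEGACY_ONLY),
                          ("both enabled", SAMPLE_BOTH_ENABLED),
                          ("compliant", SAMPLE_COMPLIANT)]:
        ok, why = evaluate(sample)
        print(f"{label}: {'COMPLIANT' if ok else 'INCOMPLIANT'} {why}")
    # audit_region("us-east-1") runs the same check against real detectors.
```

The half-migrated sample is the case worth noticing: RUNTIME_MONITORING is on, yet the detector is still flagged because the legacy feature was never disabled. The remediation helper always sends both feature entries for that reason, and agent_management() is what to inspect when the detector is compliant but no runtime findings ever appear.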


Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled | | | 1 | | no data |
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.11] GuardDuty Runtime Monitoring should be enabled | | | 1 | | no data |
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled | | | 1 | | no data |
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled | | | 1 | | no data |
| 💼 Cloudaware Framework → 💼 Threat Protection | | | 36 | | no data |
| 💼 PCI DSS v3.2.1 → 💼 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. | 1 | | 13 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 1 | | 13 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | | | 13 | | no data |
| 💼 PCI DSS v4.0.1 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | | | 13 | | no data |
| 💼 PCI DSS v4.0 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 1 | 8 | 13 | | no data |
| 💼 PCI DSS v4.0 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | | 8 | 13 | | no data |
| 💼 PCI DSS v4.0 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | | | 13 | | no data |