EC2 GuardDuty Runtime Monitoring: what type of findings should we expect?



We have recently been testing the preview of EC2 Runtime Monitoring for GuardDuty. We downloaded software (Metasploit) and ran some exploit tests that we figured should cause the EC2 runtime monitor to trip and report findings, but it did not. I do see that the agent is running and the instance in question is listed in the EC2 instance runtime coverage. I feel like we should expect to see results, but we are not. Any and all information would be great.

Best regards, -Dave

asked 2 months ago, 101 views
2 Answers

Hi Dave, you can find the full list of runtime finding types in this section of the GuardDuty documentation.

answered 2 months ago
  • Hi Trevor,

    Thank you for the link. The docs read: "Amazon GuardDuty generates the following Runtime Monitoring findings to indicate potential threats based on the operating system-level behavior from EC2 hosts and containers in your Amazon EKS clusters." This is not for an EKS cluster; this is for the runtime findings for just EC2 instances. Does that mean this is the same?

    Thanks again! Dave

  • Yes, that's correct. You can read that as "[...] based on the operating system-level behaviour from EC2 hosts and [also based on] containers in your Amazon EKS clusters." You can find further details on the specific types of Runtime Monitoring options and how they work in this part of the docs:

    EKS also happens to have another type of monitoring, for the audit logs, which is a different one.


Important points to consider for this testing:

  1. During the preview of Amazon EC2 instance support, you must manage the GuardDuty security agent manually, which requires you to create an Amazon Virtual Private Cloud (Amazon VPC) endpoint. Make sure you have followed this process correctly.
  2. Please go through this list and try to exploit some specific tests from the given finding types for EC2. This is the supported list of all of the active finding types, sorted by the foundational data source or feature, as applicable.
  3. It is important to understand the data sources that GuardDuty monitors to find these threats. You don't need to explicitly enable these data sources; they are enabled automatically when you enable GuardDuty. For example: VPC flow logs in the case of EC2.

Please let me know if this helps.

Note: it is recommended to run these types of exploit tests within a highly restricted, isolated environment/account to avoid any impact on your running prod/dev workloads.

answered a month ago
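As an added example (not from the answer above or from AWS), a small Python helper for the checks in points 1 and 2: it reads a GuardDuty ListCoverage response to confirm each EC2 instance's agent is HEALTHY and manually managed (an UNHEALTHY agent cannot produce runtime findings, whatever you run on the host), and it builds the ListFindings criteria for instance findings updated since the agent was installed. The response shape and criterion keys follow the GuardDuty API as I understand it; the sample response, instance IDs, issue text and date are constructed.

```python
"""Offline helpers for triaging GuardDuty Runtime Monitoring coverage of EC2 instances."""
from datetime import datetime, timezone

# Constructed sample shaped like a GuardDuty ListCoverage response (instance IDs are made up).
SAMPLE_COVERAGE = {"Resources": [
    {"ResourceId": "i-0aaa111122223333a", "CoverageStatus": "HEALTHY",
     "ResourceDetails": {"ResourceType": "EC2", "Ec2InstanceDetails": {
         "InstanceId": "i-0aaa111122223333a", "ManagementType": "MANUAL",
         "AgentDetails": {"Version": "1.0.0"}}}},
    {"ResourceId": "i-0bbb444455556666b", "CoverageStatus": "UNHEALTHY",
     "Issue": "agent not reporting (constructed issue text)",
     "ResourceDetails": {"ResourceType": "EC2", "Ec2InstanceDetails": {
         "InstanceId": "i-0bbb444455556666b", "ManagementType": "MANUAL"}}},
    {"ResourceId": "arn:aws:eks:us-east-1:111122223333:cluster/demo",  # EKS row, ignored below
     "CoverageStatus": "HEALTHY", "ResourceDetails": {"ResourceType": "EKS"}},
]}

def summarize_ec2_coverage(resp):
    """Map each EC2 instance in a ListCoverage response to (status, management type, agent version, issue)."""
    out = {}
    for r in resp.get("Resources", []):
        details = r.get("ResourceDetails", {})
        if details.get("ResourceType") != "EC2":
            continue  # EKS/ECS rows carry different detail blocks
        ec2 = details.get("Ec2InstanceDetails", {})
        out[ec2.get("InstanceId", r["ResourceId"])] = (
            r.get("CoverageStatus"), ec2.get("ManagementType"),
            ec2.get("AgentDetails", {}).get("Version"), r.get("Issue"))
    return out

def unhealthy_instances(resp):
    """Instances whose agent is not HEALTHY: no runtime findings can be expected from them."""
    return sorted(i for i, (status, *_) in summarize_ec2_coverage(resp).items() if status != "HEALTHY")

def ec2_findings_criteria(since):
    """FindingCriteria for ListFindings: findings on EC2 instances updated since `since` (epoch ms)."""
    return {"Criterion": {
        "resource.resourceType": {"Equals": ["Instance"]},
        "updatedAt": {"GreaterThanOrEqual": int(since.timestamp() * 1000)}}}

if __name__ == "__main__":  # live check against your account; needs boto3 and AWS credentials
    import boto3
    gd = boto3.client("guardduty")
    detector = gd.list_detectors()["DetectorIds"][0]
    live = gd.list_coverage(DetectorId=detector, FilterCriteria={"FilterCriterion": [
        {"CriterionKey": "RESOURCE_TYPE", "FilterCondition": {"Equals": ["EC2"]}}]})
    print(summarize_ec2_coverage(live), "unhealthy:", unhealthy_instances(live))
    since = datetime(2023, 11, 1, tzinfo=timezone.utc)  # placeholder: when you installed the agent
    print(gd.list_findings(DetectorId=detector, FindingCriteria=ec2_findings_criteria(since))["FindingIds"])
```

If every instance shows HEALTHY and MANUAL but the findings list stays empty, the remaining explanation is point 2 above: the activity you generated did not match one of the documented runtime finding types.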
