EC2 Runtime Monitoring

Amazon GuardDuty is a threat detection service that continuously monitors your AWS account and workloads for malicious activities, and deliver detailed security findings for visibility and Remediation. EC2 runtime monitoring expands threat detection coverage for EC2 instances at runtime and complement the anomaly detection that Amazon GuardDuty already provides by continuously monitoring VPC flow logs DNS logs and AWS cloud trail management events . This feature deepens threat detection coverage for Amazon Elastic Compute Cloud (EC2) instances, providing visibility into on-host operating system and container-level activities.

How EC2 Runtime Monitoring Works

This feature deepens threat detection coverage for Amazon Elastic Compute Cloud (EC2) instances, providing visibility into on-host operating system and container-level activities. You can gain insights into on-host operating system and container-level activities, enhancing your ability to detect threats targeting your EC2 instances.

EC2 Runtime Monitoring builds on the runtime coverage already available for Amazon Elastic Kubernetes Service (EKS) and Amazon Elastic Container Service (ECS) on AWS Fargate, providing comprehensive runtime visibility and detection across popular AWS compute services.

Enabling EC2 Runtime Monitoring

To enable EC2 Runtime Monitoring, you need to first enable GuardDuty in your AWS account or AWS Organization. GuardDuty offers a 30-day free trial per account per region for first-time users.

Watch Video for step by step

1. In the AWS Management Console, navigate to the GuardDuty service and select "Runtime Monitoring" under the "Protection Plan" section on the left navigation pane.

2. From there, you can enable EC2 Runtime Monitoring by editing the runtime monitoring configuration depending on whether you are doing this in an AWS organisation or Single AWS Account

AWS Organization

a. You have to enable runtime monitoring, either for all account(recommended) or choose the account your want to include manually.

then,

b. scroll to the bottom and enable the "Automated Agent Configuration - Amazon EC2" option and save

Single AWS Account

a. You have to enable runtime monitoring.

b. scroll to the bottom and enable the "Automated Agent Configuration - Amazon EC2" option and save

GuardDuty simplifies the deployment of the security agent on your EC2 instances by leveraging AWS Systems Manager. The agent communicates with your Amazon VPC endpoint to receive runtime events associated with your resources.

Monitoring EC2 Instance Runtime Coverage

Once enabled, you can view the covered EC2 instances, their account IDs, coverage status, and whether the agent can receive runtime events from the corresponding resource in the "EC2 Instance Runtime Coverage" section.

Even if the coverage status is "unhealthy," meaning it's not currently receiving runtime findings, GuardDuty continues to provide threat detection for your EC2 instances by monitoring CloudTrail, VPC flow, and DNS logs associated with them.

When GuardDuty detects potential threats, it generates security findings that you can view and investigate. GuardDuty currently supports over 30 runtime security findings for EC2 instances, such as detecting abused domains, backdoors, cryptocurrency-related activity, and unauthorized communication.

Integrating with Other AWS Services

GuardDuty EC2 Runtime Monitoring can be integrated with other AWS services like AWS Security Hub or Amazon Detective. Additionally, you can use Amazon EventBridge to integrate with security event management or workflow systems like Splunk, Jira, or ServiceNow, or trigger automated and semi-automated responses like isolating workloads for investigation.

Conclusion

With Amazon GuardDuty EC2 Runtime Monitoring, AWS customers can enhance their threat detection capabilities for EC2 instances, gaining visibility into on-host operating system and container-level activities. By enabling this feature, organizations can strengthen their security posture and respond more effectively to potential threats targeting their EC2 workloads.