

# Managing security agent manually for Amazon EKS cluster
<a name="managing-gdu-agent-eks-manually"></a>

This section describes how you can manage your Amazon EKS add-on agent (GuardDuty agent) after you enable Runtime Monitoring (or EKS Runtime Monitoring). To use Runtime Monitoring, you must both enable Runtime Monitoring and configure the Amazon EKS add-on, `aws-guardduty-agent`. GuardDuty detects potential threats and generates [GuardDuty Runtime Monitoring finding types](findings-runtime-monitoring.md) only when both steps are complete.

To manage the agent manually, you first create a VPC endpoint as a prerequisite; this is the path through which GuardDuty receives the runtime events. After that, you install the security agent so that GuardDuty starts receiving runtime events from your Amazon EKS resources. When GuardDuty releases a new agent version for this resource type, you update the agent version in your account yourself.

**Topics**
+ [Prerequisite – Creating an Amazon VPC endpoint](eksrunmon-prereq-deploy-security-agent.md)
+ [Installing GuardDuty security agent manually on Amazon EKS resources](eksrunmon-deploy-security-agent.md)
+ [Updating security agent manually for Amazon EKS resources](eksrunmon-update-security-agent.md)

# Prerequisite – Creating an Amazon VPC endpoint
<a name="eksrunmon-prereq-deploy-security-agent"></a>

Before you can install the GuardDuty security agent, you must create an Amazon Virtual Private Cloud (Amazon VPC) endpoint. This will help GuardDuty receive the runtime events of your Amazon EKS resources.

**Note**  
There is no additional cost for the usage of the VPC endpoint.

Choose a preferred access method to create an Amazon VPC endpoint.

------
#### [ Console ]

**To create a VPC endpoint**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Endpoints**.

1. Choose **Create Endpoint**.

1. On the **Create endpoint** page, for **Service category**, choose **Other endpoint services**. 

1. For **Service name**, enter **com.amazonaws.*us-east-1*.guardduty-data**.

   Make sure to replace *us-east-1* with the correct Region. This must be the same Region as the EKS cluster in your AWS account.

1. Choose **Verify service**. 

1. After the service name is successfully verified, choose the **VPC** where your cluster resides. Attach the following endpoint policy to restrict use of the VPC endpoint to the specified account only; the second statement explicitly denies every principal whose account ID does not match. To allow specific account IDs, or all accounts in your organization, adjust the `Condition` as described in [Organization condition to restrict access to your endpoint](#gdu-shared-vpc-endpoint-org).

------
#### [ JSON ]


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": "*",
               "Resource": "*",
               "Effect": "Allow",
               "Principal": "*"
           },
           {
               "Condition": {
                   "StringNotEquals": {
                       "aws:PrincipalAccount": "111122223333"
                   }
               },
               "Action": "*",
               "Resource": "*",
               "Effect": "Deny",
               "Principal": "*"
           }
       ]
   }
   ```

------

   The `aws:PrincipalAccount` account ID must match the account containing the VPC and VPC endpoint. The following list shows how to share the VPC endpoint with other AWS account IDs:

**Organization condition to restrict access to your endpoint**
   + To specify multiple accounts to access the VPC endpoint, replace `"aws:PrincipalAccount": "111122223333"` with the following:

     ```
     "aws:PrincipalAccount": [
               "666666666666",
               "555555555555"
         ]
     ```
   + To allow all the members from an organization to access the VPC endpoint, replace `"aws:PrincipalAccount": "111122223333"` with the following:

     ```
     "aws:PrincipalOrgID": "o-abcdef0123"
     ```
   + To restrict access to resources that belong to a specific organization, add the `aws:ResourceOrgID` condition key to the policy.

     For more information, see [ResourceOrgID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid).

     ```
     "aws:ResourceOrgID": "o-abcdef0123"
     ```

1. Under **Additional settings**, choose **Enable DNS name**.

1. Under **Subnets**, choose the subnets in which your cluster resides.

1. Under **Security groups**, choose a security group that allows inbound traffic on port 443 from your VPC (or from your EKS cluster). If you don't already have such a security group, [Create a security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#creating-security-group).

   If restricting the inbound rule to your VPC (or instance) causes problems, you can allow inbound port 443 from any IP address (`0.0.0.0/0`). However, GuardDuty recommends limiting the source to the CIDR block of your VPC. For more information, see [VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html) in the *Amazon VPC User Guide*.

------
#### [ API/CLI ]

**To create a VPC endpoint**
+ Invoke [CreateVpcEndpoint](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpcEndpoint.html).
+ Use the following values for the parameters:
  + For **Service name**, enter **com.amazonaws.*us-east-1*.guardduty-data**.

    Make sure to replace *us-east-1* with the correct Region. This must be the same Region as the EKS cluster in your AWS account.
  + Set `VpcEndpointType` to `Interface`, and for `VpcId`, `SubnetIds`, and `SecurityGroupIds` use the VPC, subnets, and security group that your cluster uses (the same choices as in the console steps).
  + Enable private DNS for the endpoint by setting `PrivateDnsEnabled` to `true`, so that the agent can resolve the endpoint's private DNS name. For the related DNS record settings, see [DnsOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DnsOptions.html).
+ For AWS Command Line Interface, see [create-vpc-endpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-vpc-endpoint.html).

------

After you have followed the steps, see [Validating VPC endpoint configuration](validate-vpc-endpoint-config-runtime-monitoring.md) to ensure that the VPC endpoint was set up correctly.
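The following script is an added example (not AWS's own code, standard library only) that ties the steps above together: it builds the endpoint policy in the shape shown on this page for one account, several accounts, or a whole organization, evaluates that policy the way IAM does (explicit Deny wins; `StringNotEquals` with a list of values holds only when the request value matches none of them), classifies a security group's inbound rules as "443 from inside the VPC CIDR", "443 from a wider range such as 0.0.0.0/0", or "no 443 rule", and returns the `aws ec2 create-vpc-endpoint` argv that mirrors the console steps. It does not call AWS itself; the `vpc-`, `subnet-`, and `sg-` IDs in the usage at the bottom are hypothetical placeholders.

```python
"""Endpoint policy and checks for the guardduty-data VPC endpoint.

Added example, not AWS's own code; standard library only. It returns the
``aws ec2 create-vpc-endpoint`` argv instead of calling AWS, and the
vpc-/subnet-/sg- IDs used at the bottom are hypothetical placeholders.
"""
import ipaddress
import json
import shlex


def service_name(region: str) -> str:
    """Endpoint service that delivers runtime events to GuardDuty."""
    return f"com.amazonaws.{region}.guardduty-data"


def build_endpoint_policy(account_ids=(), org_id=None) -> dict:
    """Allow everything, then explicitly Deny any principal outside the
    given account IDs and/or organization (the structure shown above)."""
    if not account_ids and not org_id:
        raise ValueError("give at least one account ID or an organization ID")
    not_equals = {}
    if account_ids:
        ids = list(account_ids)
        not_equals["aws:PrincipalAccount"] = ids[0] if len(ids) == 1 else ids
    if org_id:
        not_equals["aws:PrincipalOrgID"] = org_id
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*",
             "Condition": {"StringNotEquals": not_equals}},
        ],
    }


def _string_not_equals(block: dict, context: dict) -> bool:
    """Every key in the block must hold; a key listing several values holds
    only when the request value matches none of them. A key missing from the
    request context leaves the negated test true, so the Deny still applies
    (my reading of the IAM rules for negated operators)."""
    for key, expected in block.items():
        values = expected if isinstance(expected, list) else [expected]
        if context.get(key) in values:
            return False
    return True


def endpoint_policy_permits(policy: dict, context: dict) -> bool:
    """Evaluate the policy for a request context such as
    {"aws:PrincipalAccount": "111122223333"}; an explicit Deny wins.
    Only StringNotEquals, the operator this policy uses, is modelled."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if not all(op == "StringNotEquals" and _string_not_equals(b, context)
                   for op, b in cond.items()):
            continue
        if stmt["Effect"] == "Deny":
            denied = True
        else:
            allowed = True
    return allowed and not denied


def security_group_allows_443(group: dict, vpc_cidr: str) -> str:
    """Classify a describe-security-groups entry by its CIDR-based inbound
    rules: 'wider' (443 open beyond the VPC, e.g. 0.0.0.0/0; works but is
    more than the agent needs), 'vpc' (443 only from ranges inside the VPC
    CIDR, the recommended setting) or 'none' (agents cannot reach it)."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    from_vpc = False
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp" and not perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535):
            continue
        if proto not in ("tcp", "-1"):        # -1 means all protocols
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.subnet_of(vpc_net):
                from_vpc = True
            elif net.overlaps(vpc_net):
                return "wider"
    return "vpc" if from_vpc else "none"


def create_vpc_endpoint_args(region, vpc_id, subnet_ids, sg_ids, policy) -> list:
    """argv mirroring the console steps: interface endpoint, private DNS
    enabled, endpoint policy attached inline."""
    return ["aws", "ec2", "create-vpc-endpoint", "--region", region,
            "--vpc-endpoint-type", "Interface",
            "--service-name", service_name(region),
            "--vpc-id", vpc_id,
            "--subnet-ids", *subnet_ids,
            "--security-group-ids", *sg_ids,
            "--private-dns-enabled",
            "--policy-document", json.dumps(policy)]


if __name__ == "__main__":
    policy = build_endpoint_policy(org_id="o-abcdef0123")   # whole organization
    print(shlex.join(create_vpc_endpoint_args(
        "us-east-1", "vpc-0123456789abcdef0", ["subnet-0123456789abcdef0"],
        ["sg-0123456789abcdef0"], policy)))
```

Run the printed command with your own IDs, then feed the entry from `aws ec2 describe-security-groups --group-ids sg-...` and your VPC CIDR to `security_group_allows_443`; a result of `wider` means the group works but is broader than the VPC-only rule GuardDuty recommends.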

# Installing GuardDuty security agent manually on Amazon EKS resources
<a name="eksrunmon-deploy-security-agent"></a>

This section describes how you can deploy the GuardDuty security agent for the first time for specific EKS clusters. Before you proceed with this section, make sure you have already set up the prerequisites and enabled Runtime Monitoring for your accounts. The GuardDuty security agent (EKS add-on) will not work if you do not enable Runtime Monitoring. 

Choose your preferred access method to deploy the GuardDuty security agent for the first time.

------
#### [ Console ]

1. Open the Amazon EKS console at [https://console.aws.amazon.com/eks/home#/clusters](https://console.aws.amazon.com/eks/home#/clusters).

1. Choose your **Cluster name**.

1. Choose the **Add-ons** tab.

1. Choose **Get more add-ons**.

1. On the **Select add-ons** page, choose **Amazon GuardDuty EKS Runtime Monitoring**.

1. GuardDuty recommends choosing the latest and default agent **Version**.

1. On the **Configure selected add-on settings** page, use the default settings. If the **Status** of your EKS add-on is **Requires activation**, choose **Activate GuardDuty**. This action will open the GuardDuty console to configure Runtime Monitoring for your accounts.

1. After you've configured Runtime Monitoring for your accounts, switch back to the Amazon EKS console. The **Status** of your EKS add-on should have changed to **Ready to install**. 

1. **(Optional) Providing EKS add-on configuration schema**

   For the add-on **Version**, if you choose **v1.5.0** or above, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For information about parameter ranges, see [Configure EKS add-on parameters](guardduty-configure-security-agent-eks-addon.md).

   1. Expand **Optional configuration settings** to view the configurable parameters and their expected value and format.

   1. Set the parameters. The values must be in the range provided in [Configure EKS add-on parameters](guardduty-configure-security-agent-eks-addon.md).

   1. Choose **Save changes** to create the add-on based on the advanced configuration.

   1. For **Conflict resolution method**, the option that you choose will be used to resolve a conflict when you update the value of a parameter to a non-default value. For more information about the listed options, see [resolveConflicts](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html#AmazonEKS-UpdateAddon-request-resolveConflicts) in the *Amazon EKS API Reference*.

1. Choose **Next**.

1. On the **Review and create** page, verify all the details, and choose **Create**.

1. Navigate back to the cluster details and choose the **Resources** tab. 

1. You can view the new pods with the prefix **aws-guardduty-agent**. 

------
#### [ API/CLI ]

You can configure the Amazon EKS add-on agent (`aws-guardduty-agent`) using either of the following options:
+ Run [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) for your account.
+ **Note**  
  For the add-on `version`, if you choose **v1.5.0 or above**, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For more information, see [Configure EKS add-on parameters](guardduty-configure-security-agent-eks-addon.md).

  Use the following values for the request parameters:
  + For `addonName`, enter `aws-guardduty-agent`.

    You can use the following AWS CLI example when using configurable values supported for add-on versions `v1.5.0` or above. Replace the placeholder values (the Region, `myClusterName`, and the add-on version) with your own, and put your configured values in the associated `example.json`.

    ```
    aws eks create-addon --region us-east-1 --cluster-name myClusterName --addon-name aws-guardduty-agent --addon-version v1.12.1-eksbuild.2 --configuration-values 'file://example.json'
    ```

    **example.json**  

    ```
    {
        "priorityClassName": "aws-guardduty-agent.priorityclass-high",
        "dnsPolicy": "Default",
        "resources": {
            "requests": {
                "cpu": "237m",
                "memory": "512Mi"
            },
            "limits": {
                "cpu": "2000m",
                "memory": "2048Mi"
            }
        }
    }
    ```
  + For information about supported `addonVersion`, see [Kubernetes versions supported by GuardDuty security agent](prereq-runtime-monitoring-eks-support.md#gdu-agent-supported-k8-version).
+ Alternatively, you can use AWS CLI. For more information, see [create-addon](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/create-addon.html).

------

**Private DNS names for VPC endpoint**  
By default, the security agent resolves and connects to the private DNS name of the VPC endpoint, which is why private DNS must be enabled on the endpoint. For a non-FIPS endpoint, the private DNS name has the following format:  
Non-FIPS endpoint – `guardduty-data.us-east-1.amazonaws.com`  
The AWS Region, *us-east-1*, changes based on your Region.

# Updating security agent manually for Amazon EKS resources
<a name="eksrunmon-update-security-agent"></a>

When you manage the GuardDuty security agent manually, you are responsible for updating it in your account. To be notified about new agent versions, subscribe to the RSS feed for [GuardDuty security agent release versions](runtime-monitoring-agent-release-history.md).

Update the security agent to the latest version to benefit from added support and improvements. If your current agent version is reaching the end of standard support, you must update to the next available or the latest agent version to continue using Runtime Monitoring (or EKS Runtime Monitoring). 

**Prerequisite**  
Before you update the security agent version, make sure that the agent version you plan to use is compatible with your Kubernetes version. For more information, see [Kubernetes versions supported by GuardDuty security agent](prereq-runtime-monitoring-eks-support.md#gdu-agent-supported-k8-version).

------
#### [ Console ]

1. Open the Amazon EKS console at [https://console.aws.amazon.com/eks/home#/clusters](https://console.aws.amazon.com/eks/home#/clusters).

1. Choose your **Cluster name**.

1. Under the **Cluster info**, choose the **Add-ons** tab.

1. Under the **Add-ons** tab, select **GuardDuty EKS Runtime Monitoring**.

1. Choose **Edit** to update the agent details.

1. On the **Configure GuardDuty EKS Runtime Monitoring** page, update the details.

1. **(Optional) Updating Optional configuration settings**

   If your EKS add-on **Version** is *1.5.0* or above, you can also update the add-on configuration schema.

   1. Expand **Optional configuration settings** to view the configuration schema.

   1. Update the parameter values based on the range provided in [Configure EKS add-on parameters](guardduty-configure-security-agent-eks-addon.md).

   1. Choose **Save changes** to start the update.

   1. For **Conflict resolution method**, the option that you choose will be used to resolve a conflict when you update the value of a parameter to a non-default value. For more information about the listed options, see [resolveConflicts](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html#AmazonEKS-UpdateAddon-request-resolveConflicts) in the *Amazon EKS API Reference*.

------
#### [ API/CLI ]

To update the GuardDuty security agent for your Amazon EKS clusters, see [Updating an add-on](https://docs.aws.amazon.com/eks/latest/userguide/managing-add-ons.html#updating-an-add-on). 

**Note**  
For the add-on `version`, if you choose **1.5.0 or above**, Runtime Monitoring supports configuring specific parameters of the GuardDuty agent. For information about parameter ranges, see [Configure EKS add-on parameters](guardduty-configure-security-agent-eks-addon.md).

You can use the following AWS CLI example when using configurable values supported for add-on versions *1.5.0 and above*. Replace the placeholder values (the Region, `myClusterName`, and the add-on version) with your own, and put your configured values in the associated `example.json`.

```
aws eks update-addon --region us-east-1 --cluster-name myClusterName --addon-name aws-guardduty-agent --addon-version v1.12.1-eksbuild.2 --configuration-values 'file://example.json'
```

**example.json**  

```
{
    "priorityClassName": "aws-guardduty-agent.priorityclass-high",
    "dnsPolicy": "Default",
    "resources": {
        "requests": {
            "cpu": "237m",
            "memory": "512Mi"
        },
        "limits": {
            "cpu": "2000m",
            "memory": "2048Mi"
        }
    }
}
```

------
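The following script is an added example (not AWS's own tooling, standard library only) covering both the first install with `create-addon` above and the `update-addon` call in this section. It parses the add-on version string so that `--configuration-values` is only sent for `v1.5.0` or later, parses the Kubernetes CPU and memory quantities in the configuration, rejects a request that exceeds its limit (a pod spec Kubernetes itself refuses), and returns the `aws eks` argv with the configuration passed inline instead of through `file://example.json`. It does not check the value ranges GuardDuty accepts, which are documented on the parameters page and not reproduced here, and it does not call AWS.

```python
"""Build and sanity-check an aws-guardduty-agent add-on request.

Added example, not AWS's own tooling; standard library only. It returns the
``aws eks create-addon`` / ``update-addon`` argv rather than calling AWS.
"""
import json
import re

ADDON_NAME = "aws-guardduty-agent"
CONFIG_MIN_VERSION = (1, 5, 0)   # configuration values are supported from v1.5.0

# Sample configuration values, constructed from the example.json above.
EXAMPLE_CONFIG = {
    "priorityClassName": "aws-guardduty-agent.priorityclass-high",
    "dnsPolicy": "Default",
    "resources": {
        "requests": {"cpu": "237m", "memory": "512Mi"},
        "limits": {"cpu": "2000m", "memory": "2048Mi"},
    },
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-eksbuild\.\d+)?$")
_MEM_UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9,
              "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def parse_addon_version(version: str) -> tuple:
    """'v1.12.1-eksbuild.2' -> (1, 12, 1); the eksbuild suffix is ignored."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised add-on version {version!r}")
    return tuple(int(x) for x in m.groups())


def supports_configuration(version: str) -> bool:
    """True when the add-on version accepts --configuration-values."""
    return parse_addon_version(version) >= CONFIG_MIN_VERSION


def cpu_millicores(q: str) -> int:
    """Kubernetes CPU quantity: '237m' -> 237, '2' -> 2000, '0.5' -> 500."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def memory_bytes(q: str) -> int:
    """Kubernetes memory quantity: '512Mi' -> 536870912, '1G' -> 10**9."""
    m = re.match(r"^(\d+)(Ki|Mi|Gi|K|M|G)?$", q)
    if not m:
        raise ValueError(f"unrecognised memory quantity {q!r}")
    return int(m.group(1)) * _MEM_UNITS[m.group(2) or ""]


def validate_config(config: dict) -> list:
    """Problems Kubernetes itself would reject: a request above its limit.
    The ranges GuardDuty accepts are documented on the parameters page and
    are not checked here."""
    problems = []
    res = config.get("resources", {})
    req, lim = res.get("requests", {}), res.get("limits", {})
    for name, parse in (("cpu", cpu_millicores), ("memory", memory_bytes)):
        if name in req and name in lim and parse(req[name]) > parse(lim[name]):
            problems.append(f"{name} request {req[name]} exceeds limit {lim[name]}")
    return problems


def addon_command(action, region, cluster, version, config=None, resolve_conflicts=None):
    """argv for 'aws eks create-addon' (first install) or 'aws eks update-addon'.
    Configuration values are passed inline instead of via file://."""
    if action not in ("create-addon", "update-addon"):
        raise ValueError(f"unsupported action {action!r}")
    args = ["aws", "eks", action, "--region", region, "--cluster-name", cluster,
            "--addon-name", ADDON_NAME, "--addon-version", version]
    if config is not None:
        if not supports_configuration(version):
            raise ValueError(f"{version} predates v1.5.0; configuration values unsupported")
        problems = validate_config(config)
        if problems:
            raise ValueError("; ".join(problems))
        args += ["--configuration-values", json.dumps(config)]
    if resolve_conflicts:                      # e.g. OVERWRITE or PRESERVE on update
        args += ["--resolve-conflicts", resolve_conflicts]
    return args


if __name__ == "__main__":
    import shlex
    print(shlex.join(addon_command("update-addon", "us-east-1", "myClusterName",
                                   "v1.12.1-eksbuild.2", EXAMPLE_CONFIG, "PRESERVE")))
```

`resolve_conflicts` maps to the **Conflict resolution method** in the console; pass the value you want for `resolveConflicts` and leave it unset to take the CLI default.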

If your Amazon EKS add-on version is 1.5.0 or above, and you have configured the add-on schema, you can verify whether or not the values appear correctly for your cluster. For more information, see [Verifying configuration schema updates](guardduty-configure-security-agent-eks-addon.md#gdu-verify-eks-add-on-configuration-param).