Posted On: Jan 26, 2022

Amazon GuardDuty has expanded coverage to continuously monitor and profile Amazon Elastic Kubernetes Service (Amazon EKS) cluster activity to identify malicious or suspicious behavior that represents potential threats to container workloads. Amazon GuardDuty for EKS Protection monitors control plane activity by analyzing Kubernetes audit logs from existing and new Amazon EKS clusters in your accounts. GuardDuty is integrated with Amazon EKS, giving it direct access to the Kubernetes audit logs without requiring you to turn on or store these logs. Once a threat is detected, GuardDuty generates a security finding that includes container details such as pod ID, container image ID, and associated tags. 

At launch, GuardDuty for EKS Protection includes 27 new GuardDuty finding types that can help detect threats related to user and application activity captured in Kubernetes audit logs. Newly added Kubernetes threat detections include Amazon EKS clusters that are accessed by known malicious actors or from Tor nodes, API operations performed by anonymous users that might indicate a misconfiguration, and misconfigurations that can result in unauthorized access to Amazon EKS clusters. Also, using machine learning (ML) models, GuardDuty can identify patterns consistent with privilege-escalation techniques, such as a suspicious launch of a container with root-level access to the underlying Amazon Elastic Compute Cloud (Amazon EC2) host. See Amazon GuardDuty Findings Types for a complete and detailed list of all new detections.

The first 30 days of GuardDuty for EKS Protection are available at no additional charge for existing GuardDuty accounts. For new accounts, GuardDuty for EKS Protection is part of the 30-day Amazon GuardDuty free trial. During the trial period, the GuardDuty Management Console shows the estimated cost of running the service once the trial ends. GuardDuty optimizes your costs by processing only the logs relevant for analysis. GuardDuty for EKS Protection is available in all AWS regions where GuardDuty is available. To receive programmatic updates on new Amazon GuardDuty features and threat detections, subscribe to the Amazon GuardDuty SNS topic.

Updated February 8, 2022: Amazon GuardDuty for EKS Protection no longer enabled by default

This What's New was updated to reflect a decision made based on customer feedback: for current Amazon GuardDuty customers, AWS will no longer enable GuardDuty for EKS Protection by default. All existing GuardDuty customers that had EKS Protection enabled were in a free usage period until Monday, February 7, 2022, at which time GuardDuty for EKS Protection was turned off, and it will remain off by default. Customers can now choose to re-enable GuardDuty for EKS Protection at the time of their choosing with a few clicks in the Amazon GuardDuty console or through the APIs. All accounts that enable GuardDuty for EKS Protection will receive 30 days of free usage, and an estimated spend will be available in the GuardDuty console to help with planning for after the free period expires. After the free usage period, GuardDuty for EKS Protection will continue to monitor EKS workloads and can be disabled at any time. All EKS Protection security findings generated between January 26, 2022 and February 7, 2022 will be available for review for the next 90 days.
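Since EKS Protection now has to be turned on deliberately, the two things a defender wants in code are the API call that enables it (and confirms the state) and a way to pull the container details the announcement says Kubernetes findings carry (pod, image, tags) into a triage record. The following is an added example, not AWS code and not from this announcement. It assumes that UpdateDetector/GetDetector expose EKS Protection under `DataSources.Kubernetes.AuditLogs` (`Enable` on write, `Status` on read), that findings place details under `Resource.EksClusterDetails` and `Resource.KubernetesDetails` with the field names used below, and that `EKSCluster` is the `resource.resourceType` filter value for these findings; check all three against the current GuardDuty API reference. The sample finding is constructed, and its `Type` is a placeholder rather than a real finding type.

```python
"""Enable GuardDuty for EKS Protection via the API and triage Kubernetes findings.
Added example, not AWS code. Field names are assumptions (see lead-in);
boto3 is imported only inside main(), so the helpers run offline."""
from typing import Any, Dict, List


def eks_protection_payload(enable: bool) -> Dict[str, Any]:
    """DataSources argument for UpdateDetector that toggles the Kubernetes
    audit log data source behind EKS Protection (assumed field names)."""
    return {"Kubernetes": {"AuditLogs": {"Enable": enable}}}


def eks_protection_status(detector: Dict[str, Any]) -> str:
    """Read the EKS Protection state from a GetDetector response.
    Returns "ENABLED", "DISABLED", or "UNKNOWN" when the key is absent."""
    try:
        return detector["DataSources"]["Kubernetes"]["AuditLogs"]["Status"]
    except (KeyError, TypeError):
        return "UNKNOWN"


def summarize_kubernetes_finding(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the details the announcement says findings include (pod/workload,
    container images, cluster tags) plus the privileged flag, the first thing to
    check for the root-access-to-host class of findings. Missing keys are tolerated."""
    resource = finding.get("Resource", {})
    cluster = resource.get("EksClusterDetails", {})
    k8s = resource.get("KubernetesDetails", {})
    workload = k8s.get("KubernetesWorkloadDetails", {})
    user = k8s.get("KubernetesUserDetails", {})
    containers: List[Dict[str, Any]] = workload.get("Containers", [])
    return {
        "finding_type": finding.get("Type"),
        "severity": finding.get("Severity"),
        "cluster": cluster.get("Name"),
        "cluster_tags": {t["Key"]: t["Value"] for t in cluster.get("Tags", [])},
        "workload": f"{workload.get('Namespace')}/{workload.get('Name')}",
        "workload_uid": workload.get("Uid"),
        "k8s_user": user.get("Username"),
        "images": [c.get("Image") for c in containers],
        "privileged": any(
            (c.get("SecurityContext") or {}).get("Privileged", False) for c in containers
        ),
    }


# Constructed sample finding in the assumed shape; Type is a placeholder.
SAMPLE_FINDING: Dict[str, Any] = {
    "Type": "PLACEHOLDER:Kubernetes/PrivilegedContainer",
    "Severity": 8,
    "Resource": {
        "ResourceType": "EKSCluster",
        "EksClusterDetails": {
            "Name": "prod-cluster",
            "Tags": [{"Key": "env", "Value": "prod"}],
        },
        "KubernetesDetails": {
            "KubernetesUserDetails": {"Username": "system:anonymous"},
            "KubernetesWorkloadDetails": {
                "Name": "debug-pod",
                "Namespace": "default",
                "Uid": "00000000-0000-0000-0000-000000000000",
                "Containers": [
                    {
                        "Name": "shell",
                        "Image": "docker.io/library/busybox:latest",
                        "SecurityContext": {"Privileged": True},
                    }
                ],
            },
        },
    },
}


def main(region: str = "us-east-1") -> None:
    """Live path: enable EKS Protection on every detector, confirm, list findings."""
    import boto3  # needs AWS credentials with guardduty permissions

    gd = boto3.client("guardduty", region_name=region)
    for detector_id in gd.list_detectors()["DetectorIds"]:
        gd.update_detector(DetectorId=detector_id, DataSources=eks_protection_payload(True))
        status = eks_protection_status(gd.get_detector(DetectorId=detector_id))
        print(detector_id, "EKS Protection:", status)
        criteria = {"Criterion": {"resource.resourceType": {"Eq": ["EKSCluster"]}}}
        pages = gd.get_paginator("list_findings").paginate(
            DetectorId=detector_id, FindingCriteria=criteria
        )
        for page in pages:
            ids = page["FindingIds"]
            if ids:  # one page holds at most 50 ids, the GetFindings limit
                for f in gd.get_findings(DetectorId=detector_id, FindingIds=ids)["Findings"]:
                    print(summarize_kubernetes_finding(f))


if __name__ == "__main__":
    print(summarize_kubernetes_finding(SAMPLE_FINDING))
```

Running the file offline prints the triage record for the constructed finding; calling `main()` performs the live enable-and-confirm pass. The helpers deliberately tolerate missing keys, because findings of different types populate different parts of `Resource`, and a triage script that raises on the first unusual finding is worse than one that emits `None` for an absent field.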