Elevating Security with Amazon GuardDuty Runtime Monitoring for ECS

With the majority of our applications now cloud-native and containerized, securing them has become paramount. Static measures such as image scanning with Amazon Inspector catch known vulnerabilities before deployment, but they say nothing about what a container actually does once it runs; monitoring container behaviour at runtime is equally important. This is where ECS Runtime Monitoring with Amazon GuardDuty comes into play. GuardDuty Runtime Monitoring, now over a year in general availability, has proven its effectiveness in detecting runtime threats across EC2 instances, ECS clusters, and EKS clusters. In this blog, we'll walk through enabling runtime monitoring for your ECS cluster, generating GuardDuty findings, and setting up alerts for both runtime monitoring health and GuardDuty findings to strengthen your security posture.

Enabling the fully managed GuardDuty Agent


When we deploy the fully managed GuardDuty security agent, GuardDuty creates an interface VPC endpoint in the VPC where the monitored tasks run; the agent uses this endpoint to deliver runtime security events to GuardDuty, so the telemetry never has to leave the AWS network or depend on a NAT gateway. GuardDuty also creates a dedicated security group for that endpoint whose inbound rules allow traffic on port 443 only from the VPC's CIDR range, and it keeps those rules updated if the VPC's CIDR range changes. Leave that endpoint and security group alone: deleting or tightening them is the quickest way to push Runtime Monitoring into an unhealthy state.

ECS Cluster

I started with an existing ECS Cluster with a single task running on AWS Fargate.


Within the task configuration, you'll notice two containers running:

  • Main Application Container
  • Sidecar Container launched by AWS to run the Amazon GuardDuty agent


GuardDuty actively monitoring the ECS Cluster


GuardDuty Runtime Monitoring Alerts

It is essential to configure alerts both for when GuardDuty Runtime Monitoring enters an unhealthy state and for when a Runtime Monitoring finding is generated. The first matters as much as the second: an unhealthy agent means GuardDuty is no longer receiving runtime events from that cluster, so the absence of findings says nothing about the absence of threats.

To achieve this, I have configured EventBridge rules with Amazon SNS as the target to trigger email notifications for both.

GuardDuty Runtime Monitoring Unhealthy State Alert

I manually scaled down the ECS service from 1 to 0, so that the GuardDuty agent is no longer able to communicate with Amazon GuardDuty and the Runtime Monitoring status is pushed to an unhealthy state.

Event pattern for the EventBridge rule:

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Runtime Protection Unhealthy"]
}

(Screenshots: the Runtime Monitoring coverage page showing the cluster as Unhealthy, and the resulting SNS e-mail notification.)

GuardDuty Runtime Monitoring Findings Alert

I generated sample findings in GuardDuty to test and validate the alerting mechanism.

Event pattern for the EventBridge rule:

{
  "source": ["aws.guardduty"],
  "detail": {
    "type": ["Backdoor:Runtime/C&CActivity.B", "PrivilegeEscalation:Runtime/DockerSocketAccessed"]
  }
}

The full list of GuardDuty Runtime Monitoring finding types is in the GuardDuty documentation. Note that the rule above fires only for the two finding types listed in it; every other runtime finding type is silently ignored, so either enumerate all the types you care about or match more broadly, for example on finding severity.
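The two patterns above are easy to get subtly wrong (a typo in a finding type, or matching on `detail.type` when you meant the top-level `detail-type`), and an EventBridge rule gives no feedback until a real event arrives. The following is an added example, not code from this post or from AWS: a small Python re-implementation of EventBridge event-pattern matching (every pattern key must be present, a list is an OR of alternatives, nested objects recurse, plus the `prefix`, `wildcard`, `numeric` and `anything-but` matchers) used to test both rules against constructed events offline. It also shows a third, broader pattern that uses EventBridge wildcard and numeric matching to catch every Runtime Monitoring finding of severity 7 or higher instead of an explicit list of two types. The sample events, their IDs and the account number are constructed and trimmed to the fields the patterns look at.

```python
"""Offline check of EventBridge event patterns for GuardDuty alerts.

Added example; re-implements the subset of EventBridge pattern matching used
by the rules in this post so they can be tested before deployment.
"""
import fnmatch
import operator

# The two patterns from the post, verbatim.
UNHEALTHY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Runtime Protection Unhealthy"],
}
FINDINGS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail": {
        "type": ["Backdoor:Runtime/C&CActivity.B",
                 "PrivilegeEscalation:Runtime/DockerSocketAccessed"],
    },
}
# Broader variant: any Runtime Monitoring finding with severity >= 7 (high),
# using wildcard and numeric matching rather than an explicit list of types.
HIGH_RUNTIME_FINDINGS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "type": [{"wildcard": "*:Runtime/*"}],
        "severity": [{"numeric": [">=", 7]}],
    },
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _alternative_matches(alt, value):
    """One pattern alternative (literal or matcher object) against one scalar."""
    if not isinstance(alt, dict):
        return alt == value                      # literal: exact, case-sensitive
    (kind, spec), = alt.items()
    if kind == "prefix":
        return isinstance(value, str) and value.startswith(spec)
    if kind == "wildcard":                       # '*' matches any run of characters
        return isinstance(value, str) and fnmatch.fnmatchcase(value, spec)
    if kind == "numeric":                        # e.g. [">=", 7] or [">", 0, "<", 5]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1])
                   for i in range(0, len(spec), 2))
    if kind == "anything-but":
        return value not in (spec if isinstance(spec, list) else [spec])
    raise ValueError(f"unsupported matcher: {kind}")


def matches(pattern, event):
    """True if `event` (a parsed EventBridge event) satisfies `pattern`."""
    for key, spec in pattern.items():
        if key not in event:                     # every pattern key must exist
            return False
        value = event[key]
        if isinstance(spec, dict):               # nested object: recurse
            if not isinstance(value, dict) or not matches(spec, value):
                return False
        else:                                    # list of alternatives: OR
            candidates = value if isinstance(value, list) else [value]
            if not any(_alternative_matches(alt, v)
                       for alt in spec for v in candidates):
                return False
    return True


# Constructed, trimmed-down events in the shape GuardDuty publishes to the
# default event bus; the id and account number are placeholders.
SAMPLE_FINDING = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "type": "PrivilegeEscalation:Runtime/DockerSocketAccessed",
        "severity": 8,
        "resource": {"resourceType": "ECSCluster"},
    },
}
SAMPLE_UNHEALTHY = {
    "version": "0",
    "detail-type": "GuardDuty Runtime Protection Unhealthy",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {},
}
# A non-runtime, low-severity finding that no finding rule should match.
SAMPLE_OTHER = dict(SAMPLE_FINDING, detail={
    "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2})


def matching_rules(event):
    """Names of the rules that would fire for `event`."""
    rules = {"unhealthy": UNHEALTHY_PATTERN, "findings": FINDINGS_PATTERN,
             "high_runtime": HIGH_RUNTIME_FINDINGS_PATTERN}
    return sorted(name for name, pat in rules.items() if matches(pat, event))


if __name__ == "__main__":
    for name, ev in [("finding", SAMPLE_FINDING), ("unhealthy", SAMPLE_UNHEALTHY),
                     ("other", SAMPLE_OTHER)]:
        print(f"{name:10s} -> {matching_rules(ev)}")
```

Once a pattern behaves as intended locally, the authoritative check is still EventBridge itself: `aws events test-event-pattern` evaluates a pattern against a JSON event using the real matching engine, and the console's sandbox does the same. The local matcher covers only the operators used here; it is a pre-flight check, not a replacement for that call.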

Sample Findings Generated

(Screenshots: the sample findings listed in the GuardDuty console, and the SNS e-mail alerts triggered for the runtime findings.)

Conclusion

I hope this blog serves as a great starting point for exploring this exciting feature. Below, I've compiled a few additional resources that will help you dive deeper and make the most of it.
