AWS guardduty documentation change
Summary
Updated prerequisites for EC2 runtime monitoring including OS/kernel requirements, multi-account SCP validation, and documentation structure improvements
Security assessment
Changes clarify security configuration requirements (e.g., SCP permissions for SendSecurityTelemetry) and system requirements for the GuardDuty agent, but no evidence of addressing a specific vulnerability
Diff
diff --git a/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md b/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md index d0f948c3d..ee224b512 100644 --- a//guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md +++ b//guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md @@ -5 +5 @@ -Make EC2 instances SSM managedValidating architectural requirementsValidating your organization service control policyWhen using automated agent configurationCPU and memory limitNext step +Make EC2 instances SSM managedValidate architectural requirementsValidating your organization service control policy in a multi-account environmentWhen using automated agent configurationCPU and memory limitNext step @@ -10,0 +11,17 @@ This section includes the prerequisites for monitoring runtime behavior of your +###### Topics + + * Make EC2 instances SSM managed + + * Validate architectural requirements + + * Validating your organization service control policy in a multi-account environment + + * When using automated agent configuration + + * CPU and memory limit for GuardDuty agent + + * Next step + + + + @@ -23 +40 @@ For information about supported platforms, see [Supported package platforms and -## Validating architectural requirements +## Validate architectural requirements @@ -27 +44,3 @@ The architecture of your OS distribution might impact how the GuardDuty security - * The following table shows the OS distribution that has been verified to support the GuardDuty security agent for Amazon EC2 instances. + * Kernel support includes `eBPF`, `Tracepoints` and `Kprobe`. For CPU architectures, Runtime Monitoring supports AMD64 (`x64`) and ARM64 (Graviton2 and above)1. + +The following table shows the OS distribution that has been verified to support the GuardDuty security agent for Amazon EC2 instances. @@ -29,7 +48,5 @@ The architecture of your OS distribution might impact how the GuardDuty security -**OS distribution**1**** | **Kernel version**2**** | **Kernel support** | **CPU architecture** ----|---|---|--- -**x64 (AMD64)** | **Graviton (ARM64)** - * AL2 and AL2023 - * Ubuntu 20.04 and Ubuntu 22.04 - * Debian 11 and Debian 12 -| 5.43, 5.103, 5.15, 6.1, 6.5, 6.8 | eBPF, Tracepoints, Kprobe | Supported | Supported +OS distribution2 | Kernel version3 +---|--- +Amazon Linux 2 | 5.44, 5.104, 5.15 +Amazon Linux 2023 | 5.44, 5.104, 5.15, 6.1, 6.5, 6.8, 6.12 +Ubuntu 20.04 and Ubuntu 22.04 | 5.44, 5.104, 5.15, 6.1, 6.5, 6.8 @@ -36,0 +54 @@ Ubuntu 24.04 | 6.8 +Debian 11 and Debian 12 | 5.44, 5.104, 5.15, 6.1, 6.5, 6.8 @@ -38 +56 @@ RedHat 9.4 | 5.14 -Fedora4 34.0 | 5.11, 5.17 +Fedora5 34.0 | 5.11, 5.17 @@ -39,0 +58,5 @@ CentOS Stream 9 | 5.14 +Oracle Linux 8.9 | 5.15 +Oracle Linux 9.3 | 5.15 +Rocky Linux 9.5 | 5.14 + + 1. Runtime Monitoring for Amazon EC2 resources doesn't support the first generation Graviton instance such as A1 instance types. @@ -41 +64 @@ CentOS Stream 9 | 5.14 - 1. Support for various operating systems - GuardDuty has verified the support for using Runtime Monitoring on the operating systems that are listed in the preceding table. While using a different operating system, you might get all the expected security value that GuardDuty has verified to provide on the listed OS distributions. + 2. Support for various operating systems - GuardDuty has verified Runtime Monitoring support for the operating distribution listed in the preceding table. While the GuardDuty security agent may run on operating systems not listed in the preceding table, the GuardDuty team cannot guarantee the expected security value. @@ -43 +66 @@ CentOS Stream 9 | 5.14 - 2. For any kernel version, you must set the `CONFIG_DEBUG_INFO_BTF` flag to `y` (meaning _true_). This is required so that the GuardDuty security agent can run as expected. + 3. For any kernel version, you must set the `CONFIG_DEBUG_INFO_BTF` flag to `y` (meaning _true_). This is required so that the GuardDuty security agent can run as expected. @@ -45 +68 @@ CentOS Stream 9 | 5.14 - 3. For kernel versions 5.10 and earlier, the GuardDuty security agent uses locked memory in RAM (`RLIMIT_MEMLOCK`) to function as expected. If your system's `RLIMIT_MEMLOCK` value is set too low, GuardDuty recommends setting both hard and soft limits to at least 32 MB. For information about verifying and modifying the default `RLIMIT_MEMLOCK` value, see Viewing and updating RLIMIT_MEMLOCK values. + 4. For kernel versions 5.10 and earlier, the GuardDuty security agent uses locked memory in RAM (`RLIMIT_MEMLOCK`) to function as expected. If your system's `RLIMIT_MEMLOCK` value is set too low, GuardDuty recommends setting both hard and soft limits to at least 32 MB. For information about verifying and modifying the default `RLIMIT_MEMLOCK` value, see Viewing and updating RLIMIT_MEMLOCK values. @@ -47 +70 @@ CentOS Stream 9 | 5.14 - 4. Fedora is not a supported platform for automated agent configuration. You can deploy the GuardDuty security agent on Fedora by using [Method 2 - Using Linux Package Managers](./installing-gdu-security-agent-ec2-manually.html#install-gdu-by-rpm-scripts-runtime-monitoring). + 5. Fedora is not a supported platform for automated agent configuration. You can deploy the GuardDuty security agent on Fedora by using [Method 2 - Using Linux Package Managers](./installing-gdu-security-agent-ec2-manually.html#install-gdu-by-rpm-scripts-runtime-monitoring). @@ -88 +111 @@ This will display the maximum locked memory for running the GuardDuty security a -## Validating your organization service control policy +## Validating your organization service control policy in a multi-account environment @@ -90 +113 @@ This will display the maximum locked memory for running the GuardDuty security a -If you have set up a service control policy (SCP) to manage permissions in your organization, validate that permissions boundary is not restricting `guardduty:SendSecurityTelemetry`. It is required for GuardDuty to support Runtime Monitoring across different resource types. +If you have set up a service control policy (SCP) to manage permissions in your organization, validate that permissions boundary allows the `guardduty:SendSecurityTelemetry` action. It is required for GuardDuty to support Runtime Monitoring across different resource types.