AWS guardduty documentation change
Summary
Added explanation about GuardDuty container image storage in ECR/S3 and network configuration requirements for image access.
Security assessment
This change provides implementation details about security monitoring infrastructure but does not address a specific security vulnerability. It enhances documentation about security feature prerequisites without indicating a resolved security issue.
Diff
diff --git a/guardduty/latest/ug/how-runtime-monitoring-works-ecs-fargate.md b/guardduty/latest/ug/how-runtime-monitoring-works-ecs-fargate.md index 9bae9d04f..fb881b942 100644 --- a//guardduty/latest/ug/how-runtime-monitoring-works-ecs-fargate.md +++ b//guardduty/latest/ug/how-runtime-monitoring-works-ecs-fargate.md @@ -33,0 +34,2 @@ For a new Fargate task or service that starts running, a GuardDuty container (si +The GuardDuty sidecar container image is stored in Amazon Elastic Container Registry (Amazon ECR), with its image layers stored in Amazon S3. When your task starts, it needs to pull this image from ECR. Depending on your network configuration, this may require specific settings to ensure access to both ECR and S3. For example, if you're using security groups with restricted access, you'll need to allow access to the S3 managed prefix list. For more information on how to do this, see [Prerequisites for container image access](./prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs). +