AWS guardduty medium security documentation change
Summary
Updated documentation for ECS runtime monitoring prerequisites with expanded security configuration details
Security assessment
Added explicit requirements for VPC endpoints in private subnets and security group rules for S3 access. These changes address secure network configurations to prevent exposure of container image downloads to public internet, which could otherwise lead to MITM attacks or unauthorized access. Specific security controls like VPC endpoints and restricted security group rules are security features.
Diff
diff --git a/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md b/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md index 0c03ad629..a5c119d3a 100644 --- a//guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md +++ b//guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md @@ -5 +5 @@ -Validating architectural requirementsProvide ECR permissions and subnet detailsValidating your organization service control policy in a multi-account environmentValidating role permissions and policy permissions boundaryCPU and memory limits +Validating architectural requirementsPrerequisites for container image accessValidating your organization service control policy in a multi-account environmentValidating role permissions and policy permissions boundaryCPU and memory limits @@ -15 +15 @@ This section includes the prerequisites for monitoring runtime behavior of your - * Provide ECR permissions and subnet details + * Prerequisites for container image access @@ -47 +47 @@ Linux | eBPF, Tracepoints, Kprobe | Supported | Supported -## Provide ECR permissions and subnet details +## Prerequisites for container image access @@ -49 +49 @@ Linux | eBPF, Tracepoints, Kprobe | Supported | Supported -Before enabling Runtime Monitoring, you must provide the following details: +The following prerequisites help you access the GuardDuty sidecar container image from the Amazon ECR repository. @@ -51 +51 @@ Before enabling Runtime Monitoring, you must provide the following details: -**Provide a task execution role with permissions** +### Permissions requirements @@ -53,2 +53 @@ Before enabling Runtime Monitoring, you must provide the following details: - -The task execution role requires you to have certain Amazon Elastic Container Registry (Amazon ECR) permissions. You can either use the [AmazonECSTaskExecutionRolePolicy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) managed policy or add the following permissions to your `TaskExecutionRole` policy: +The task execution role requires certain Amazon Elastic Container Registry (Amazon ECR) permissions to download the GuardDuty security agent container image: @@ -66 +65,9 @@ To further restrict the Amazon ECR permissions, you can add the Amazon ECR repos -**Provide subnet details in task definition** +You can either use the [AmazonECSTaskExecutionRolePolicy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) managed policy or add the above permissions to your `TaskExecutionRole` policy. + +### Task definition configuration + +When creating or updating Amazon ECS services, you need to provide subnet information in your task definition: + +Running the [CreateService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateService.html) and [UpdateService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_UpdateService.html) APIs in the _Amazon Elastic Container Service API Reference_ requires you to pass the subnet information. For more information, see [Amazon ECS task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) in the _Amazon Elastic Container Service Developer Guide_. + +### Network connectivity requirements @@ -67,0 +75 @@ To further restrict the Amazon ECR permissions, you can add the Amazon ECR repos +You must ensure network connectivity to download the GuardDuty container image from Amazon ECR. This requirement is specific to GuardDuty because it uses Amazon ECR to host its security agent. Depending on your network configuration, you need to implement one of the following options: @@ -69 +77 @@ To further restrict the Amazon ECR permissions, you can add the Amazon ECR repos -You can either provide the public subnets as an input in your task definition or create an Amazon ECR VPC endpoint. +**Option 1 - Using public network access (if available)** @@ -71 +78,0 @@ You can either provide the public subnets as an input in your task definition or - * **Using task definition option** – Running the [CreateService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateService.html) and [UpdateService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_UpdateService.html) APIs in the _Amazon Elastic Container Service API Reference_ requires you to pass the subnet information. For more information, see [Amazon ECS task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) in the _Amazon Elastic Container Service Developer Guide_. @@ -73 +80,8 @@ You can either provide the public subnets as an input in your task definition or - * **Using the Amazon ECR VPC endpoint option** – Provide network path to Amazon ECR to ensure that the Amazon ECR repository URI that hosts the GuardDuty security agent is network accessible. If your Fargate tasks will run in a private subnet, then Fargate will need the network path to download the GuardDuty container. For VPC endpoint setup instructions, see [Create the VPC endpoints for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create) in the _Amazon Elastic Container Registry User Guide_. +If your Fargate tasks run in subnets with outbound internet access, no additional network configuration is required. + +**Option 2 - Using Amazon VPC endpoints (for private subnets)** + + +If your Fargate tasks run in private subnets without internet access, you must configure VPC endpoints for ECR to ensure that the ECR repository URI that hosts the GuardDuty security agent is network accessible. Without these endpoints, tasks in private subnets cannot download the GuardDuty container image. + +For VPC endpoint setup instructions, see [Create the VPC endpoints for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create) in the _Amazon Elastic Container Registry User Guide_. @@ -76,0 +91,3 @@ For information about enabling Fargate to download the GuardDuty container, see +### Security group configuration + +The GuardDuty container images are in Amazon ECR and require Amazon S3 access. This requirement is specific to downloading container images from Amazon ECR. For tasks with restricted network access, you must configure your security groups to allow access to S3. @@ -77,0 +95 @@ For information about enabling Fargate to download the GuardDuty container, see +Add an outbound rule in your security group that allows traffic to the [S3 managed prefix list (`pl-xxxxxxxx`) on port 443](https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html#gateway-endpoint-security). To add an outbound rule, see [Configure security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-security-group-rules.html) in the _Amazon VPC User Guide_. @@ -78,0 +97 @@ For information about enabling Fargate to download the GuardDuty container, see +To view your AWS-managed prefix lists in the console or describe them by using AWS Command Line Interface (AWS CLI), see [AWS-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) in the _Amazon VPC User Guide_.