AWS guardduty medium security documentation change
Summary
Updated exclusion tag requirements to specify enabling 'Allow tags in metadata' for IMDS access
Security assessment
This change addresses a security configuration requirement for proper agent exclusion tag processing. Incorrect IMDS tag access settings could lead to improper security agent deployment, potentially leaving instances unprotected. The documentation now explicitly requires enabling tag access in metadata service for security controls to function correctly.
Diff
diff --git a/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md b/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md index 113655f9b..b68dfdc7c 100644 --- a//guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md +++ b//guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md @@ -123 +123 @@ Ensure that you add the exclusion tag to your Amazon EC2 instances before you la - * For the exclusion tags to work, update the instance configuration so that the instance identity document is available in instance metadata service (IMDS). Procedure to do this step is already a part of [Enabling Runtime Monitoring](./runtime-monitoring-configuration.html) for your account. + * Enable **Allow tags in metadata** setting for your instances. This setting is required because GuardDuty needs to read the exclusion tag from the instance metadata service (IMDS) to determine whether it should exclude the instance from agent installation. For more information, see [Enable access to tags in instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-tags-in-IMDS.html#allow-access-to-tags-in-IMDS) in the _Amazon EC2 User Guide_.