AWS guardduty documentation change
Summary
Updated documentation to clarify shared VPC usage with Runtime Monitoring, added distinction between automated/manual agent management, and emphasized recommended security practices
Security assessment
The changes enhance security documentation by emphasizing automated agent configuration as the recommended approach, warning about potential coverage inaccuracies in manual setups, and explaining VPC endpoint policy requirements. While these are security best practices, there is no evidence of addressing a specific disclosed vulnerability.
Diff
diff --git a/guardduty/latest/ug/runtime-monitoring-shared-vpc.md b/guardduty/latest/ug/runtime-monitoring-shared-vpc.md index 59de60f9f..0acf4c54b 100644 --- a//guardduty/latest/ug/runtime-monitoring-shared-vpc.md +++ b//guardduty/latest/ug/runtime-monitoring-shared-vpc.md @@ -7 +7 @@ How it worksPrerequisites -# Using shared VPC with automated security agents +# Using shared VPC with Runtime Monitoring @@ -9 +9 @@ How it worksPrerequisites -When you choose GuardDuty to manage the security agent automatically, Runtime Monitoring supports using a shared VPC for the AWS accounts that belong to the same organization in AWS Organizations. On your behalf, GuardDuty can set the Amazon VPC endpoint policy based on the details associated with the shared VPC for your organization. +GuardDuty Runtime Monitoring supports using shared Amazon Virtual Private Cloud (Amazon VPC) for your AWS accounts that belong to the same organization in AWS Organizations. You can use shared VPC in two ways: @@ -11 +11,12 @@ When you choose GuardDuty to manage the security agent automatically, Runtime Mo -###### Contents + * **Automated agent configuration (Recommended)** – When GuardDuty automatically manages the security agent, it will also configure the Amazon VPC endpoint policy. This policy is based on your organization's shared VPC settings. + +You must enable automated agent configuration in the shared VPC owner account and all the participating accounts who will share this VPC. + + * **Manually managed agent** – When you manually manage the security agent with shared VPC, you must update the VPC endpoint policy to allow corresponding accounts to access shared VPC. To do this, you can use the example policy shared in the following How it works section. + +For manual management scenarios involving participating accounts for shared VPC, the coverage status may not be accurate. To ensure up-to-date protection and coverage status of your resources, GuardDuty recommends enabling automated agent configuration for all the accounts that will use shared VPC. + + + + +###### Topics @@ -22 +33 @@ When you choose GuardDuty to manage the security agent automatically, Runtime Mo -When the owner account of the shared VPC enables Runtime Monitoring and automated agent configuration for any of the resources (Amazon EKS or AWS Fargate (Amazon ECS only)), all the shared VPCs become eligible for automatic installation of the shared Amazon VPC endpoint and the associated security group in the shared VPC owner account. GuardDuty retrieves the organization ID that is associated with the shared Amazon VPC. +The AWS accounts that belong to the same organization as the shared Amazon VPC owner account can also share the same Amazon VPC endpoint. Each of the accounts using the same Amazon VPC endpoint policy is called as the **participant AWS account** of the associated shared Amazon VPC. @@ -24 +35 @@ When the owner account of the shared VPC enables Runtime Monitoring and automate -Now, the AWS accounts that belong to the same organization as the shared Amazon VPC owner account can also share the same Amazon VPC endpoint. GuardDuty creates an Amazon VPC endpoint when either the shared VPC owner account or the participating account needs it. Examples of needing an Amazon VPC endpoint include enabling GuardDuty, Runtime Monitoring, EKS Runtime Monitoring, or launching a new Amazon ECS-Fargate task. When these accounts enable Runtime Monitoring and automated agent configuration for any resource type, GuardDuty creates an Amazon VPC endpoint and sets the endpoint policy with the same organization ID as that of the shared VPC owner account. GuardDuty adds a `GuardDutyManaged` tag and sets it to `true` for the Amazon VPC endpoint that GuardDuty creates. If the shared Amazon VPC owner account has not enabled Runtime Monitoring or automated agent configuration for any of the resources, GuardDuty will not set the Amazon VPC endpoint policy. For information about configuring Runtime Monitoring and managing the security agent automatically in the shared VPC owner account, see [Enabling GuardDuty Runtime Monitoring](./runtime-monitoring-configuration.html). +The following example shows the default VPC endpoint policy of the shared VPC owner account and the participant account. The `aws:PrincipalOrgID` will show the organization ID associated with the shared VPC resource. The use of this policy is limited to the participant accounts present in the organization of the owner account. @@ -26 +37 @@ Now, the AWS accounts that belong to the same organization as the shared Amazon -Each of the accounts using the same Amazon VPC endpoint policy is called as the **participant AWS account** of the associated shared Amazon VPC. +###### @@ -28 +39 @@ Each of the accounts using the same Amazon VPC endpoint policy is called as the -The following example shows the default VPC endpoint policy of the shared VPC owner account and the participant account. The `aws:PrincipalOrgID` will show the organization ID associated with the shared VPC resource. The use of this policy is limited to the participant accounts present in the organization of the owner account. +Example shared VPC endpoint policy @@ -54,0 +66,14 @@ Show moreShow less +### With GuardDuty automatic agent configuration + +When the owner account of the shared VPC enables Runtime Monitoring and automated agent configuration for any of the resources (Amazon EKS or AWS Fargate (Amazon ECS only)), all the shared VPCs become eligible for automatic installation of the shared Amazon VPC endpoint and the associated security group in the shared VPC owner account. GuardDuty retrieves the organization ID that is associated with the shared Amazon VPC. + +GuardDuty creates an Amazon VPC endpoint when either the shared VPC owner account or the participating account needs it. Examples of needing an Amazon VPC endpoint include enabling GuardDuty, Runtime Monitoring, EKS Runtime Monitoring, or launching a new Amazon ECS-Fargate task. When these accounts enable Runtime Monitoring and automated agent configuration for any resource type, GuardDuty creates an Amazon VPC endpoint and sets the endpoint policy with the same organization ID as that of the shared VPC owner account. GuardDuty adds a `GuardDutyManaged` tag and sets it to `true` for the Amazon VPC endpoint that GuardDuty creates. If the shared Amazon VPC owner account has not enabled Runtime Monitoring or automated agent configuration for any of the resources, GuardDuty will not set the Amazon VPC endpoint policy. For information about configuring Runtime Monitoring and managing the security agent automatically in the shared VPC owner account, see [Enabling GuardDuty Runtime Monitoring](./runtime-monitoring-configuration.html). + +### Using with manually managed agent + +When you use shared VPC with manually managed agent, validate that there is no explicit `Deny` endpoint policy that blocks any account that needs to use the shared VPC. This will prevent the security agent from sending telemetry to GuardDuty, resulting in an `Unhealthy` coverage status. For setting up the endpoint policy, see Example shared VPC endpoint policy. + +Runtime coverage may not be accurate in scenarios such as missing permissions to the shared VPC. You can continuously monitor resource coverage by following the steps for your resource type in [Reviewing runtime coverage statistics and troubleshooting issues](./runtime-monitoring-assessing-coverage.html). + +To ensure continuous Runtime Monitoring protection of your compute resources, GuardDuty recommends enabling automated agent configuration for the shared VPC owner account and all the participating accounts for your resources. + @@ -57 +82 @@ Show moreShow less -Runtime Monitoring supports using a shared VPC when you use GuardDuty automated agent. As a part of an initial setup, perform the following steps in the AWS account that you want to be the owner of the shared VPC: +As a part of an initial setup, perform the following steps in the AWS account that you want to be the owner of the shared VPC: @@ -63 +88 @@ For information about adding or removing member accounts, see [Managing AWS acco - 2. **Creating a shared VPC resource** – You can create a shared VPC resource from the owner account. For more information, see [Share your VPC with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-prerequisites) in the _Amazon VPC User Guide_. + 2. **Creating a shared VPC resource** – You can create a shared VPC resource from the owner account. For more information, see [Share your VPC subnets with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html) in the _Amazon VPC User Guide_.