This check evaluates each Amazon GuardDuty detector to confirm that EKS Runtime Monitoring is enabled. The setting is configured at the detector level and governs visibility into process, file, and network activity on EKS nodes and containers.
Risk
Without EKS Runtime Monitoring, in-cluster activity is invisible to detection. Adversaries can run malware or cryptominers, exfiltrate secrets through pods, tamper with workloads, or pivot to other services, degrading confidentiality, corrupting integrity, and exhausting resources (availability).
prowler aws --checks guardduty_eks_runtime_monitoring_enabled
Recommendation
- Enable EKS Runtime Monitoring with automated agent management across all accounts and clusters
- Enforce least privilege for agents and segment cluster access
- Integrate findings with response workflows and periodically verify runtime coverage
Remediation
aws guardduty update-detector --detector-id <detector-id> --features Name=EKS_RUNTIME_MONITORING,Status=ENABLED
- Open the AWS Console and go to Amazon GuardDuty
- In the left pane, select Settings > Runtime monitoring
- Under EKS Runtime Monitoring, switch the status to Enabled
- Click Save changes
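The following Python is an added example, not Prowler's own check code, showing how the evaluation described above can be expressed: it inspects the Features list of a GuardDuty detector (the shape returned by `aws guardduty get-detector` / boto3 `get_detector`), reports PASS or FAIL per detector, and for failing detectors emits the update-detector remediation command. The detector IDs and responses are constructed sample data; the `EKS_ADDON_MANAGEMENT` additional configuration used in the generated command is the GuardDuty API name for the automated agent management the recommendation asks for and is not on the page itself.

```python
"""Evaluate GuardDuty detectors for EKS Runtime Monitoring (added example)."""
from typing import Any, Dict, List

# Constructed sample responses in the shape of `aws guardduty get-detector`.
# Detector IDs are made up. A detector with no EKS_RUNTIME_MONITORING entry in
# Features has never had the feature configured, so it counts as disabled.
SAMPLE_DETECTORS: Dict[str, Dict[str, Any]] = {
    "11111111111111111111111111111111": {
        "Status": "ENABLED",
        "Features": [
            {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
            {
                "Name": "EKS_RUNTIME_MONITORING",
                "Status": "ENABLED",
                "AdditionalConfiguration": [
                    {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}
                ],
            },
        ],
    },
    "22222222222222222222222222222222": {
        "Status": "ENABLED",
        "Features": [{"Name": "EKS_RUNTIME_MONITORING", "Status": "DISABLED"}],
    },
    "33333333333333333333333333333333": {
        "Status": "ENABLED",
        "Features": [],  # feature never configured
    },
}


def feature_status(detector: Dict[str, Any], name: str) -> str:
    """Status of a top-level detector feature; missing means DISABLED."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == name:
            return feature.get("Status", "DISABLED")
    return "DISABLED"


def addon_management_status(detector: Dict[str, Any]) -> str:
    """Status of automated agent management under EKS_RUNTIME_MONITORING."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == "EKS_RUNTIME_MONITORING":
            for cfg in feature.get("AdditionalConfiguration", []):
                if cfg.get("Name") == "EKS_ADDON_MANAGEMENT":
                    return cfg.get("Status", "DISABLED")
    return "DISABLED"


def remediation_command(detector_id: str) -> str:
    """The page's remediation call, extended with automated agent management.
    The value is single-quoted so the shell does not brace-expand {...}."""
    return (
        f"aws guardduty update-detector --detector-id {detector_id} "
        "--features 'Name=EKS_RUNTIME_MONITORING,Status=ENABLED,"
        "AdditionalConfiguration=[{Name=EKS_ADDON_MANAGEMENT,Status=ENABLED}]'"
    )


def evaluate_detector(detector_id: str, detector: Dict[str, Any]) -> Dict[str, Any]:
    """Return a Prowler-style finding for one detector."""
    runtime = feature_status(detector, "EKS_RUNTIME_MONITORING")
    if detector.get("Status") != "ENABLED":
        status = "FAIL"
        reason = f"GuardDuty detector {detector_id} is not enabled."
    elif runtime == "ENABLED":
        status = "PASS"
        reason = f"GuardDuty detector {detector_id} has EKS Runtime Monitoring enabled."
    else:
        status = "FAIL"
        reason = f"GuardDuty detector {detector_id} does not have EKS Runtime Monitoring enabled."
    finding: Dict[str, Any] = {
        "detector_id": detector_id,
        "status": status,
        "status_extended": reason,
        "addon_management": addon_management_status(detector),
    }
    if status == "FAIL":
        finding["remediation"] = remediation_command(detector_id)
    return finding


def evaluate_all(detectors: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [evaluate_detector(i, d) for i, d in detectors.items()]


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_DETECTORS):
        print(finding["status"], finding["status_extended"])
        if "remediation" in finding:
            print("   ", finding["remediation"])
```

Against a live account, replace SAMPLE_DETECTORS with the result of `list_detectors` followed by `get_detector` per ID in every region; the PASS/FAIL logic and the generated remediation are unchanged.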
Source Code
Resource Type
AwsGuardDutyDetector