hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Add EKS Runtime monitoring to Guard Duty #32949

Closed be-aws-architect closed 1 year ago

be-aws-architect commented 1 year ago

Description

Guard Duty now supports EKS Runtime monitoring, but it is not configurable in Terraform at the moment.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

It currently allows EKS Audit Logs in the format

resource "aws_guardduty_detector" "MyDetector" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = false
      }
    }
  }
}

It would look like 

resource "aws_guardduty_detector" "MyDetector" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
      runtime {
        enable = true
      }
    }
  }
}

References

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

autarchprinceps commented 1 year ago

This should probably also include not just the runtime, but also the runtime agent deployment: [image]

andrew-ar commented 1 year ago

As EKS Runtime Monitoring is an EKS add-on, I'm wondering if the deployment of the runtime agent would be done by using the existing aws_eks_addon resource? It looks like that's designed in a pretty generic way so maybe it won't need changes.

That said, it would be helpful to have a bit of documentation on how to configure the monitoring agent, as it seems like there are at least a few config options and it would be good to have an example. Perhaps the config would sit under the aws_guardduty_organization_configuration resource, or perhaps some might end up under aws_eks_addon, it would be good to understand where it would go and what it would look like.

macmiranda commented 1 year ago

> As EKS Runtime Monitoring is an EKS add-on, I'm wondering if the deployment of the runtime agent would be done by using the existing aws_eks_addon resource? It looks like that's designed in a pretty generic way so maybe it won't need changes.
>
> That said, it would be helpful to have a bit of documentation on how to configure the monitoring agent, as it seems like there are at least a few config options and it would be good to have an example. Perhaps the config would sit under the aws_guardduty_organization_configuration resource, or perhaps some might end up under aws_eks_addon, it would be good to understand where it would go and what it would look like.

The add-on needs to be enabled for the agent to gather events and send them to Guardduty but the Guardduty feature needs to be enabled nevertheless.

Example CLI command:

aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "DISABLED"}]}]'

autarchprinceps commented 1 year ago

> As EKS Runtime Monitoring is an EKS add-on, I'm wondering if the deployment of the runtime agent would be done by using the existing aws_eks_addon resource? It looks like that's designed in a pretty generic way so maybe it won't need changes.
>
> That said, it would be helpful to have a bit of documentation on how to configure the monitoring agent, as it seems like there are at least a few config options and it would be good to have an example. Perhaps the config would sit under the aws_guardduty_organization_configuration resource, or perhaps some might end up under aws_eks_addon, it would be good to understand where it would go and what it would look like.

No, that is something else. This is the org wide auto enablement of the deployment of that EKS addon and is a guardduty setting. You can of course manually deploy it, but that is not what we are talking about here.

ewbankkit commented 1 year ago

You will be able to use the upcoming aws_guardduty_detector_feature resource (https://github.com/hashicorp/terraform-provider-aws/pull/31463):

resource "aws_guardduty_detector" "example" {
  enable = true
}

resource "aws_guardduty_detector_feature" "example" {
  detector_id = aws_guardduty_detector.example.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}
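Pulling the thread's points together as one added configuration (written for this page; it is not from the issue, the maintainers or the provider documentation): the feature on the administrator's own detector as in the comment above, the organization-wide auto-enable that autarchprinceps refers to, and the manual aws_eks_addon path andrew-ar asked about. The resource and argument names are the provider's; the `guardduty_manages_agent` variable, the cluster name and the `example` labels are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.20.0" # first release with the *_feature resources
    }
  }
}

# Assumption: set to false only for clusters whose agent add-on you pin and
# upgrade yourself. A GuardDuty-managed and a self-managed aws-guardduty-agent
# add-on must not both be declared for the same cluster, so this one flag
# drives both sides below.
variable "guardduty_manages_agent" {
  type    = bool
  default = true
}

resource "aws_guardduty_detector" "example" {
  enable = true
}

# EKS Runtime Monitoring on this account's detector. With EKS_ADDON_MANAGEMENT
# ENABLED, GuardDuty installs and updates aws-guardduty-agent on the account's
# EKS clusters; with DISABLED, the agent has to be deployed separately or no
# runtime findings are produced even though the feature shows as enabled.
resource "aws_guardduty_detector_feature" "eks_runtime" {
  detector_id = aws_guardduty_detector.example.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = var.guardduty_manages_agent ? "ENABLED" : "DISABLED"
  }
}

# Organization-wide auto-enable, applied from the GuardDuty delegated
# administrator account. "ALL" covers existing and future member accounts,
# "NEW" only accounts added from now on, "NONE" switches auto-enable off.
resource "aws_guardduty_organization_configuration_feature" "eks_runtime" {
  detector_id = aws_guardduty_detector.example.id
  name        = "EKS_RUNTIME_MONITORING"
  auto_enable = "ALL"

  additional_configuration {
    name        = "EKS_ADDON_MANAGEMENT"
    auto_enable = var.guardduty_manages_agent ? "ALL" : "NONE"
  }
}

# Self-managed agent deployment for the DISABLED case, via the generic EKS
# add-on resource. The cluster name is an assumption.
resource "aws_eks_addon" "guardduty_agent" {
  count        = var.guardduty_manages_agent ? 0 : 1
  cluster_name = "example-cluster"
  addon_name   = "aws-guardduty-agent"

  depends_on = [aws_guardduty_detector_feature.eks_runtime]
}
```

After `terraform apply`, confirm the result outside Terraform with `aws guardduty get-detector --detector-id <id>`: the `Features` list in the response should show `EKS_RUNTIME_MONITORING` as `ENABLED` together with the `EKS_ADDON_MANAGEMENT` status you chose, and in the DISABLED case the agent pods should be running in the cluster's `amazon-guardduty` namespace before you expect any runtime findings.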

github-actions[bot] commented 1 year ago

This functionality has been released in v5.20.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 11 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.