4 Mins Read

How to Monitor Amazon ECS with Amazon GuardDuty Runtime

Introduction to Amazon GuardDuty

Amazon GuardDuty is an intelligent threat-detection service that monitors your accounts and workloads to detect malicious activity and unauthorized behavior across your AWS environment. Amazon GuardDuty combines Machine Learning (ML), anomaly detection, and malicious file discovery, using industry-leading sources and AWS to detect malicious activities and give insights so that we can remediate them. Amazon GuardDuty analyses multiple events across multiple AWS sources, AWS CloudTrail logs, DNS query logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon Simple Storage Service (Amazon S3) data events, Amazon Aurora login events, runtime activity for Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS)—including serverless container workloads on AWS Fargate and Amazon Elastic Compute Cloud (Amazon EC2) (Preview). The Amazon GuardDuty generated findings are sent to Amazon Detective for deep investigation, Amazon EventBridge to implement remediation, and Amazon Security Hub.

Figure 1: Amazon GuardDuty

Amazon GuardDuty findings are the potential issues discovered in AWS resources, which give information about the resource affected, account, tags, network, instance ID, etc. But it would be very useful if we could get more insights like which particular task running on the EC2 instance did this and how we will get this quicker.


Amazon ECS Runtime Monitoring

Runtime Monitoring gives more insights into actual operating system activity so that we can pinpoint what is responsible for these security findings. Runtime monitoring gives insights about a process, a network connection, or a downloaded file. Once you enable runtime monitoring for Amazon ECS, we can gather more insights on the impact on task ID rather than insights resulting from the impact on instances. Also, it depicts the whether multiple containers are involved in the connectivity problem.

Once you enable Automated Agent configuration for the AWS Fargate task, GuardDuty will add a sidebar container for each container workload within that task to get visibility into the runtime behavior of containers.

Figure 2: Enable Runtime Monitoring and Automated Agent Configuration

Figure 3: Amazon ECS Account settings

When you create an Amazon ECS cluster to run your containerized application, the findings will be generated by runtime monitoring and visible in the Amazon GuardDuty console.

Figure 4: Amazon ECS Cluster runtime coverage

Now, Runtime Monitoring will analyze Amazon ECS and detect threats across compute options on AWS.

Amazon EKS Amazon ECS AWS Fargate Amazon EC2 (Preview)
Node-level Network (IP& DNS) Yes Yes Yes
Malware Detection (EBS) Yes Yes Yes
Control Plane Yes Yes Yes Yes
Container level Network (IP & DNS) Yes Yes Yes Yes
Container Specific threats Yes Yes Yes Yes
Process event threat detection Yes Yes Yes Yes

Table 1: Threat detection for Compute workloads


Expertly Migrate diverse Microsoft Workloads to AWS with CloudThat, Your Advanced AWS Migration Partner

  • Seamless Migration
  • Cost Optimization
  • Usage Efficiency
Talk to Expert

Malware Protection

Malware protection helps detect malware by scanning Amazon Elastic Block Store (Amazon EBS) volumes attached to the Amazon EC2 and container workload. Malware Protection provides malware scan options where we can include or exclude specific Amazon EC2 and container workloads. It also provides an option to retain the snapshots of Amazon EBS volumes. Only the snapshots are retained when malware is detected, and a finding is generated. You can perform either GuardDuty-initiated or on-demand malware scan.

Factor GuardDuty-initiated malware scan On-demand malware scan
How the scan gets invoked If the findings are generated, then GuardDuty automatically initiates an agentless malware scan on the Amazon EBS volume attached to the impacted resource. Even though GuardDuty findings are not generated for your resource, you can initiate an On-demand malware scan using instance ARN.
Configuration needed you must enable a GuardDuty-initiated malware scan for your account GuardDuty must be enabled in the account.
Wait time to initiate a new scan Automatically initiates only once every 24 hours. The new scan will start only after 1 hour.
free trial period once enabled, the availability of the 30-day no free trial period

Go to Malware Protection and enable GuardDuty initiated malware scan. For an On-demand malware scan, simply add the ARN of the instance you want to scan and start the scan.

Once an on-demand malware scan is completed, you will see the scan result is either clean or infected.



Amazon GuardDuty is a threat detection service that continuously analyses data generated from different sources and generates security findings. Runtime monitoring gives more context to the threat by analyzing impacted resources more granularly. Malware protection can scan Amazon EBS volumes for potential malware.

Enable smarter efficient workflows through Amazon MLOps Eco-system

  • Improve speed
  • Reduce time
  • Zero downtime
Get Started

About CloudThat

Established in 2012, CloudThat is a leading Cloud Training and Cloud Consulting services provider in India, USA, Asia, Europe, and Africa. Being a pioneer in the Cloud domain, CloudThat has special expertise in catering to mid-market and enterprise clients in all the major Cloud service providers like AWS, Microsoft, GCP, VMware, Databricks, HP, and more. Uniquely positioned to be a single source for both training and consulting for cloud technologies like Cloud Migration, Data Platforms, DevOps, IoT, and the latest technologies like AI/ML, it is a top-tier partner with AWS and Microsoft, winning more than 8 awards combined in 11 years. Recently, it was recognized as the ‘Think Big’ partner from AWS and won the Microsoft Superstars FY 2023 award in Asia & India. Leveraging their position as a leader in the market, CloudThat has trained 650k+ professionals in 500+ cloud certifications and delivered 300+ consulting projects for 100+ corporates in 28+ countries.




    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!