GuardDuty for EKS

Overview

GuardDuty provides threat detection for EKS workloads by analyzing Kubernetes audit logs and cluster-level events.

Enable EKS Protection

# Enable GuardDuty EKS audit log monitoring on an existing detector
# (detector id is a placeholder; look it up with `aws guardduty list-detectors`).
# For an organization-wide rollout use `update-organization-configuration` instead.
aws guardduty update-detector \
  --detector-id abc123 \
  --features '[{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]' \
  --region us-west-2

Finding Types

Finding Type                     Severity   Description
EKSClusterAnonymousAccess        High       Cluster accessed anonymously
EKSClusterPrivilegedContainer    Critical   Privileged container detected
EKSPodSensitiveMountAccess       High       Sensitive mount access
EKSWorkloadsSensitiveContainer   Medium     Sensitive data access

View Findings

# List findings of high or critical severity. GuardDuty severity is numeric
# (High 7.0-8.9, Critical 9.0 and above), so filter with a Gte condition.
aws guardduty list-findings \
  --detector-id abc123 \
  --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'

# Get full details for a finding id returned above (id is a placeholder)
aws guardduty get-findings \
  --detector-id abc123 \
  --finding-ids f-xxxxx

Response Automation

# Example: EventBridge event pattern matching the privileged-container finding
# type at high severity. The SNS target is attached to the rule separately
# (aws events put-targets); it is not part of the event pattern itself.
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "type": ["EKSClusterPrivilegedContainer"],
    "severity": [{ "numeric": [">=", 7] }]
  }
}
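As an added example (not from the original page), a small offline matcher in Python that applies an EventBridge-style pattern to a GuardDuty finding event and extracts the EKS cluster and workload a responder needs, so a rule can be checked before deployment. The sample event is constructed, and the field names resource.eksClusterDetails and resource.kubernetesDetails.kubernetesWorkloadDetails are assumed from the GuardDuty finding format.

```python
# Constructed event pattern in EventBridge syntax: the finding type is the one
# the page names, and severity uses EventBridge's numeric matching form.
PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
           "detail": {"type": ["EKSClusterPrivilegedContainer"],
                      "severity": [{"numeric": [">=", 7]}]}}

# Constructed sample finding event, not a real GuardDuty finding. Field names
# are assumed from the GuardDuty finding format.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"type": "EKSClusterPrivilegedContainer", "severity": 8,
                           "resource": {"eksClusterDetails": {"name": "prod-eks"},
                                        "kubernetesDetails": {"kubernetesWorkloadDetails":
                                            {"name": "web", "namespace": "default"}}}}}

OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}

def _match_value(value, allowed):
    """A field matches if any allowed entry matches it (exact or numeric)."""
    for entry in allowed:
        if isinstance(entry, dict) and "numeric" in entry:
            ops = entry["numeric"]  # operator/bound pairs, e.g. [">=", 7, "<", 9]
            if isinstance(value, (int, float)) and all(
                    OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif value == entry:
            return True
    return False

def matches(event, pattern=PATTERN):
    """True if every field in the pattern is present in the event and matches."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(event[key], allowed):
                return False
        elif not _match_value(event[key], allowed):
            return False
    return True

def triage(event):
    """Pull the cluster and workload a responder needs out of a matched finding."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    workload = resource.get("kubernetesDetails", {}).get("kubernetesWorkloadDetails", {})
    return {"cluster": resource.get("eksClusterDetails", {}).get("name"),
            "namespace": workload.get("namespace"), "workload": workload.get("name"),
            "action": "page-oncall" if detail["severity"] >= 7 else "ticket"}
```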

References