Control: 11 GuardDuty Runtime Monitoring should be enabled
Description
This control checks whether Runtime Monitoring is enabled in Amazon GuardDuty. For a standalone account, the control fails if GuardDuty Runtime Monitoring is disabled for the account. In a multi-account environment, the control fails if GuardDuty Runtime Monitoring is disabled for the delegated GuardDuty administrator account and all member accounts.
In a multi-account environment, only the delegated GuardDuty administrator can enable or disable GuardDuty Runtime Monitoring for accounts in their organization. In addition, only the GuardDuty administrator can configure and manage the security agents that GuardDuty uses for runtime monitoring of AWS workloads and resources for accounts in the organization. GuardDuty member accounts can't enable, configure, or disable Runtime Monitoring for their own accounts.
GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats, such as Amazon EKS clusters and Amazon EC2 instances.
Remediation
For information about configuring and enabling GuardDuty Runtime Monitoring, see GuardDuty Runtime Monitoring and Enabling GuardDuty Runtime Monitoring in the Amazon GuardDuty User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_guardduty_11
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_guardduty_11 --share
SQL
This control uses a named query:
with runtime_monitoring as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f
  where
    f ->> 'Name' = 'RUNTIME_MONITORING'
    and f ->> 'Status' = 'ENABLED'
)
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then title || ' has runtime monitoring enabled.'
    else title || ' has runtime monitoring disabled.'
  end as reason,
  region,
  account_id
from
  aws_guardduty_detector as d
  left join runtime_monitoring as m on m.arn = d.arn;
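As an added Python example (not part of the mod or of the control's query), the same feature test the named query performs, applied to detector records, plus the multi-account rule stated in the description. The detector records are constructed; the agent-management option names under AdditionalConfiguration are assumed to match the GuardDuty GetDetector API.

```python
from typing import Dict, List

# Constructed sample records shaped like aws_guardduty_detector rows
# (the 'features' column is the GuardDuty GetDetector Features list).
DETECTORS: List[Dict] = [
    {"account_id": "111111111111", "title": "admin-detector", "features": [
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
             {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"}]}]},
    {"account_id": "222222222222", "title": "member-a", "features": [
        {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"}]},
    {"account_id": "333333333333", "title": "member-b", "features": [
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]},  # feature absent entirely
]

def runtime_monitoring_enabled(detector: Dict) -> bool:
    """The named query's test: a RUNTIME_MONITORING feature whose Status is ENABLED."""
    return any(f.get("Name") == "RUNTIME_MONITORING" and f.get("Status") == "ENABLED"
               for f in detector.get("features") or [])

def enabled_agent_management(detector: Dict) -> List[str]:
    """Agent-management options (EKS/ECS/EC2, assumed names) switched on under the feature."""
    for f in detector.get("features") or []:
        if f.get("Name") == "RUNTIME_MONITORING":
            return sorted(c["Name"] for c in f.get("AdditionalConfiguration") or []
                          if c.get("Status") == "ENABLED")
    return []

def evaluate_detector(detector: Dict) -> Dict:
    """One row per detector, with the same status/reason wording as the control."""
    ok = runtime_monitoring_enabled(detector)
    return {"resource": detector["title"],
            "status": "ok" if ok else "alarm",
            "reason": detector["title"] + (" has runtime monitoring enabled."
                                           if ok else " has runtime monitoring disabled."),
            "agents": enabled_agent_management(detector)}

def organization_status(admin_account_id: str, detectors: List[Dict]) -> str:
    """Multi-account rule from the description: the control fails only when Runtime
    Monitoring is disabled for the delegated administrator AND every member account."""
    admin_ok = any(runtime_monitoring_enabled(d) for d in detectors
                   if d["account_id"] == admin_account_id)
    members_ok = any(runtime_monitoring_enabled(d) for d in detectors
                     if d["account_id"] != admin_account_id)
    return "ok" if (admin_ok or members_ok) else "alarm"
```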