Installing the security agent manually - Amazon GuardDuty

Installing the security agent manually

GuardDuty provides the following two methods to install the GuardDuty security agent on your Amazon EC2 instances. Before proceeding, make sure to follow the steps under Prerequisite – Creating Amazon VPC endpoint manually.

Choose a preferred access method to install the security agent in your Amazon EC2 resources.

  • Method 1 - Using AWS Systems Manager – This method requires your Amazon EC2 instance to be AWS Systems Manager managed.

  • Method 2 - Using Linux Package Managers – You can use this method whether or not your Amazon EC2 instances are AWS Systems Manager managed. Based on your OS distribution, you can choose the appropriate method to install the agent with either RPM scripts or Debian scripts. If you use the Fedora platform, then you must use this method to install the agent.

To use Method 1 (AWS Systems Manager), make sure that your Amazon EC2 instances are AWS Systems Manager managed and then install the agent.

AWS Systems Manager managed Amazon EC2 instance

Use the following steps to make your Amazon EC2 instances AWS Systems Manager managed.

  • AWS Systems Manager helps you manage your AWS applications and resources end-to-end and enable secure operations at scale.

    To manage your Amazon EC2 instances with AWS Systems Manager, see Setting up Systems Manager for Amazon EC2 instances in the AWS Systems Manager User Guide.

  • The following table shows the new GuardDuty managed AWS Systems Manager documents:

    Document name                                         Document type   Purpose
    AmazonGuardDuty-RuntimeMonitoringSsmPlugin            Distributor     Packages the GuardDuty security agent.
    AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin   Command         Runs the installation or uninstallation script for the GuardDuty security agent.

    For more information about AWS Systems Manager, see Amazon EC2 Systems Manager Documents in the AWS Systems Manager User Guide.

    For Debian Servers

    The Amazon Machine Images (AMIs) for Debian Server provided by AWS require you to install the AWS Systems Manager agent (SSM agent). You will need to perform an additional step to install the SSM agent to make your Amazon EC2 Debian Server instances SSM managed. For information about steps that you need to take, see Manually installing SSM agent on Debian Server instances in the AWS Systems Manager User Guide.

To install the GuardDuty agent for Amazon EC2 instance by using AWS Systems Manager
  1. Open the AWS Systems Manager console at https://eusc-de-east-1.console.amazonaws-eusc.eu/systems-manager/.

  2. In the navigation pane, choose Documents.

  3. In Owned by Amazon, choose AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin.

  4. Choose Run Command.

  5. Enter the following Run Command parameters:

    • Action: Choose Install.

    • Installation Type: Choose Install or Uninstall.

    • Name: AmazonGuardDuty-RuntimeMonitoringSsmPlugin

    • Version: If this remains empty, you'll get the latest version of the GuardDuty security agent. For more information about the release versions, see GuardDuty security agent versions for Amazon EC2 instances.

  6. Select the targeted Amazon EC2 instance. You can select one or more Amazon EC2 instances. For more information, see AWS Systems Manager Running commands from the console in the AWS Systems Manager User Guide.

  7. Validate if the GuardDuty agent installation is healthy. For more information, see Validating GuardDuty security agent installation status.
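The same Run Command can be issued from the AWS CLI when you have more instances than is comfortable to click through in the console. The script below is an added example, not code from the GuardDuty documentation: it assumes the document's parameter keys are Action, InstallationType, Name and Version (matching the console labels above), that the instance IDs are placeholders you replace, and that the AWS CLI is configured with permission to call SSM. It sends the install command to every instance you list and then prints each instance's final status, so a failure on one host is not hidden by success on the others.

```shell
#!/bin/sh
# Added example (not AWS documentation code): run the GuardDuty SSM document
# from the AWS CLI instead of the console, then report per-instance results.
# Assumptions: the document's parameter keys are Action, InstallationType,
# Name and Version (the console labels); instance IDs are placeholders; the
# AWS CLI is configured with SSM permissions.

DOCUMENT="AmazonGuardDuty-ConfigureRuntimeMonitoringSsmPlugin"
PACKAGE="AmazonGuardDuty-RuntimeMonitoringSsmPlugin"

# Build the --parameters JSON for send-command. Version is omitted when empty
# so SSM installs the latest agent version, as described in the steps above.
build_parameters() {
  action="$1"          # Install or Uninstall
  install_type="$2"    # the "Installation Type" field: Install or Uninstall
  version="$3"         # empty string means latest
  if [ -n "$version" ]; then
    printf '{"Action":["%s"],"InstallationType":["%s"],"Name":["%s"],"Version":["%s"]}' \
      "$action" "$install_type" "$PACKAGE" "$version"
  else
    printf '{"Action":["%s"],"InstallationType":["%s"],"Name":["%s"]}' \
      "$action" "$install_type" "$PACKAGE"
  fi
}

# Send the install command to the listed instance IDs and print each
# instance's final invocation status (Success, Failed, TimedOut, ...).
install_agent() {
  params=$(build_parameters Install Install "${VERSION:-}")
  ids=$(printf '%s' "$*" | tr ' ' ',')
  cmd_id=$(aws ssm send-command \
    --document-name "$DOCUMENT" \
    --targets "Key=InstanceIds,Values=$ids" \
    --parameters "$params" \
    --query 'Command.CommandId' --output text) || return 1
  for id in "$@"; do
    # The waiter exits non-zero on a failed invocation; we still want the status.
    aws ssm wait command-executed --command-id "$cmd_id" --instance-id "$id" >/dev/null 2>&1 || true
    status=$(aws ssm get-command-invocation --command-id "$cmd_id" --instance-id "$id" \
      --query 'Status' --output text)
    printf '%s %s\n' "$id" "$status"
  done
}

# Usage (placeholder instance IDs):
#   VERSION="" sh install-guardduty-agent.sh i-0123456789abcdef0 i-0fedcba9876543210
if [ "$#" -gt 0 ]; then
  install_agent "$@"
fi
```

Set VERSION to pin a specific agent release; leaving it empty mirrors the console behaviour of installing the latest version. After the script reports Success for an instance, still run the validation steps below on that host, because a successful SSM invocation only means the script finished, not that the service is running.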

With Method 2 (Linux package managers), you can install the GuardDuty security agent by running RPM scripts or Debian scripts. Based on the operating system, you can choose a preferred method:

  • Use RPM scripts to install the security agent on OS distributions AL2, AL2023, RedHat, CentOS, or Fedora.

  • Use Debian scripts to install the security agent on OS distributions Ubuntu or Debian. For information about supported Ubuntu and Debian OS distributions, see Validate architectural requirements.

Out of memory error

If you experience an out-of-memory error while installing or updating the GuardDuty security agent for Amazon EC2 manually, see Troubleshooting out of memory error.

Validating GuardDuty security agent installation status

After you have performed the steps to install the GuardDuty security agent, use the following steps to validate the status of the agent:

To validate if the GuardDuty security agent is healthy
  1. Connect with SSH from Linux or macOS.

  2. Run the following command to check the status of the GuardDuty security agent:

    sudo systemctl status amazon-guardduty-agent

If you want to view the security agent installation logs, they are available under /var/log/amzn-guardduty-agent/.

To view the logs, run sudo journalctl -u amazon-guardduty-agent.
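Reading `systemctl status` by eye works for one host; for a fleet you want a check that returns an exit code. The script below is an added example and is not part of the GuardDuty documentation. It assumes the unit name and log directory given above, and that the host uses systemd. It maps the unit's ActiveState and SubState to a verdict, confirms the log directory exists, and on anything other than a healthy verdict prints the last journal lines and exits non-zero, so it can be scheduled from cron or pushed out as an SSM Run Command.

```shell
#!/bin/sh
# Added example (not AWS documentation code): a local health check for the
# GuardDuty security agent. Assumes the unit name and log directory named in
# the text above and a systemd-based host.

UNIT="amazon-guardduty-agent"
LOG_DIR="/var/log/amzn-guardduty-agent"

# Map a systemd ActiveState/SubState pair to a verdict. Kept separate from
# the systemctl call so the logic can be exercised with constructed values.
classify_agent_state() {
  active_state="$1"   # e.g. active, inactive, failed, activating
  sub_state="$2"      # e.g. running, dead, failed, auto-restart
  case "$active_state/$sub_state" in
    active/running)   echo healthy ;;
    */auto-restart)   echo crash-looping ;;   # systemd keeps restarting it
    activating/*)     echo starting ;;
    active/*)         echo degraded ;;        # active, but the process is not running
    failed/*)         echo failed ;;
    *)                echo stopped ;;
  esac
}

# Query systemd for one property of the unit; empty when systemctl is absent.
unit_property() {
  systemctl show "$UNIT" -p "$1" --value 2>/dev/null
}

check_agent() {
  active=$(unit_property ActiveState)
  sub=$(unit_property SubState)
  verdict=$(classify_agent_state "${active:-unknown}" "${sub:-unknown}")
  printf 'agent=%s state=%s/%s\n' "$verdict" "${active:-unknown}" "${sub:-unknown}"
  if [ -d "$LOG_DIR" ]; then
    printf 'logs=%s\n' "$LOG_DIR"
  else
    printf 'logs=missing (%s not found; was the agent ever installed?)\n' "$LOG_DIR"
  fi
  # Surface the most recent journal lines whenever the agent is not healthy.
  if [ "$verdict" != healthy ]; then
    journalctl -u "$UNIT" -n 20 --no-pager 2>/dev/null
    return 1
  fi
  return 0
}

# Usage: sudo sh check-guardduty-agent.sh --run ; echo "exit=$?"
case "${1:-}" in
  --run) check_agent ;;
esac
```

A non-zero exit from `check_agent` is the signal to act on: `crash-looping` usually means the agent is starting and dying (check the journal output for the reason, for example the out-of-memory condition mentioned above), while `stopped` with a missing log directory points at an install that never completed.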