The Amazon GuardDuty EC2 Runtime Monitoring eBPF security agent now supports Amazon Elastic Compute Cloud (Amazon EC2) workloads that use the Ubuntu (Ubuntu 20.04, Ubuntu 22.04) and Debian (Debian 11 and Debian 12) operating system. If you use GuardDuty EC2 Runtime Monitoring with automated agent management then GuardDuty will automatically upgrade the security agent for your Amazon EC2 workloads. If you are not using automated agent management, you are responsible for upgrading the agent manually. You can view the current agent version running in your Amazon EC2 instances in the EC2 runtime coverage page of the GuardDuty console. If you are not yet using GuardDuty EC2 Runtime Monitoring, you can enable the feature for a 30-day free trial with a few steps.
GuardDuty Runtime Monitoring helps you identify and respond to potential threats, including instances or self-managed containers in your AWS environment associated with suspicious network activity, such as querying IP addresses associated with cryptocurrency-related activity, or connections to a Tor network as a Tor relay. Threats to compute workloads often involve remote code execution that leads to the download and execution of malware. GuardDuty Runtime Monitoring provides visibility into suspicious commands that involve malicious file downloads and execution across each step, providing earlier discovery of threats during initial compromise—before they become business-impacting events.
Source:: Amazon AWS