3.3.2. Runtime Protection (Agent-based vs. Agentless)
First Principle: Runtime protection ensures security for active compute environments by continuously monitoring and defending against threats, choosing between agent-based (granular control) and agentless (lower overhead) approaches.
Once an application is deployed and running, the attack surface shifts from what is in the code or the image to what happens on the host: a web shell dropped through an unpatched library, a reverse shell, a crypto-miner, credentials pulled from the instance metadata service, lateral movement to a database. Runtime protection is the continuous monitoring of, and response to, that activity inside your active compute environments (EC2 instances, ECS and EKS containers).
Key Concepts of Runtime Protection:
- Agent-based Protection:
- Concept: Involves installing a software agent directly on the compute resource (e.g., EC2 instance, host running containers).
- Benefits: Provides deep visibility into the host: process trees, file writes, loaded modules, and network connections attributed to the process that opened them. Offers granular control and rapid response (kill a process, quarantine a file, isolate the host).
- Considerations: Requires installation and lifecycle management of the agent (rollout, upgrades, kernel and OS compatibility), consumes CPU and memory on the host, and the agent itself runs with high privileges, so it becomes a component you must keep patched and whose credentials you must protect.
- AWS Example: AWS Systems Manager Agent (SSM Agent) is a management agent rather than a security agent, but it is the channel through which security agents are typically installed and kept current (Systems Manager Distributor, Run Command); third-party Endpoint Detection and Response (EDR) or anti-malware agents.
- Agentless Protection:
- Concept: Leverages the cloud provider's own telemetry (control-plane events and network metadata) or network-based inspection, without installing anything on the individual compute resource.
- Benefits: Lower operational overhead: no agent to install, upgrade or troubleshoot, and no CPU or memory cost on the host. Coverage is automatic for every resource the provider sees, including the ones nobody remembered to enrol.
- Considerations: Sees only what crosses the network or the control plane. It cannot observe process execution, file changes or in-memory behaviour on the host, so a threat that stays local (for example an attacker running commands as the application user over an existing session) can go unnoticed.
- AWS Examples:
- Amazon GuardDuty: Its foundational detections are agentless. GuardDuty consumes VPC Flow Logs, DNS query logs and CloudTrail events directly from the AWS side, so nothing is installed on the instance or task, and GuardDuty Malware Protection for EC2 scans snapshots of the attached EBS volumes without an agent either. GuardDuty Runtime Monitoring (EC2, ECS including Fargate, and EKS) is the exception: it depends on a lightweight GuardDuty security agent on the host that observes process, file and network events at the OS level. What keeps its overhead low is that AWS can deploy and update that agent for you (automated agent configuration, using SSM for EC2, a sidecar container for Fargate and an add-on for EKS), so it sits between the two models: agent-level visibility with agentless-level operations.
- VPC Flow Logs: Per-ENI records of connection metadata (addresses, ports, protocol, bytes, packets, ACCEPT or REJECT); no packet payload, so they show who talked to whom, not what was said.
- AWS CloudTrail: Control-plane API activity, which is where a compromised instance role shows up (for example, STS or IAM calls that workload never made before).
- AWS Network Firewall: Stateful inspection and Suricata-compatible IPS rules at the VPC boundary; the one item in this list that blocks rather than only observes.
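The VPC Flow Logs entry above is the clearest illustration of what agentless monitoring can and cannot see. As an added example, not taken from the original page, here is a small Python detector that runs two checks over default-format flow log records: an instance reaching the internet on a port outside an egress allowlist, and an outside host being rejected on many different ports of one ENI (a scan). The VPC CIDR (10.0.0.0/16), the allowlist, the threshold of five ports and the sample records are all constructed for the example; it approximates the kind of analysis GuardDuty performs over the same data, and it shows the limit the list describes, since it only ever sees connection metadata.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumptions for this example: the VPC's address space, the ports workloads may reach
# on the internet, and how many distinct ports one outside host may be rejected on
# before we call it a scan. Tune all three for a real environment.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]
EGRESS_ALLOW_PORTS = {53, 80, 443}
SCAN_PORT_THRESHOLD = 5

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Flow:
    interface_id: str
    src: IPAddress
    dst: IPAddress
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one default-format record; None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA and SKIPDATA records carry '-' instead of addresses and ports: nothing to inspect.
    if rec["log_status"] != "OK":
        return None
    return Flow(rec["interface_id"], ipaddress.ip_address(rec["srcaddr"]),
                ipaddress.ip_address(rec["dstaddr"]), int(rec["srcport"]),
                int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def is_internal(ip: IPAddress) -> bool:
    return any(ip in net for net in VPC_CIDRS)


def detect(lines: Iterable[str]) -> List[Dict]:
    """Two agentless detections over flow records:
    unexpected_egress: an instance reached an outside host on a port not in the allowlist.
    port_scan: one outside host was rejected on >= SCAN_PORT_THRESHOLD distinct ports of an ENI.
    """
    findings: List[Dict] = []
    probes: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
        # Direction matters: the return half of a legitimate HTTPS session is logged as
        # outside:443 -> inside:<ephemeral> and must not be read as inbound on a high port.
        if flow.action == "ACCEPT" and src_in and not dst_in and flow.dstport not in EGRESS_ALLOW_PORTS:
            findings.append({"type": "unexpected_egress", "interface_id": flow.interface_id,
                             "src": str(flow.src), "dst": str(flow.dst),
                             "dstport": flow.dstport, "protocol": flow.protocol})
        if flow.action == "REJECT" and not src_in and dst_in:
            probes[(flow.interface_id, str(flow.src))].add(flow.dstport)
    for (eni, src), ports in sorted(probes.items()):
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append({"type": "port_scan", "interface_id": eni, "src": src, "ports": sorted(ports)})
    return findings


# Constructed sample records (not real traffic): one normal HTTPS session and its return
# flow, an internal DB connection, an egress to 4444, five rejected probes from one
# outside host, a single reject from another, and a NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 49152 443 6 12 4100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 443 49152 6 10 3900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 49153 5432 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.7 49154 4444 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 51000 21 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 51001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 51002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 51003 25 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 51004 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0c9d8e7f6a5b4c3d2 198.51.100.7 10.0.3.8 52000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOW_LOG.splitlines()):
        print(finding)
```

Run against the sample it reports the 4444 egress and the five-port scan, and nothing for the HTTPS return flow, the internal Postgres connection or the single rejected SSH attempt. Neither finding says what process opened the 4444 connection or what was sent over it; answering that is what the agent-based column buys you.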
Scenario: You need to protect your production EC2 instances and ECS containers from runtime threats (e.g., unauthorized process execution, suspicious network activity). You prefer a solution that minimizes operational overhead for agent management but still provides robust detection.
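The scenario above (EC2 plus ECS, minimal agent management, robust detection) is what GuardDuty Runtime Monitoring with automated agent configuration is for. As an added example, not from the original page: a small Python audit that reads the detector's feature configuration, reports which platforms still lack the managed agent, and builds the update_detector request that enables them. The API names (RUNTIME_MONITORING, EC2_AGENT_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EKS_ADDON_MANAGEMENT) are GuardDuty's own; the detector response below is constructed to match the API's shape; running main() needs boto3, AWS credentials and guardduty:ListDetectors, GetDetector and UpdateDetector permissions, all assumed. Automated EC2 agent management only covers instances that are SSM-managed (SSM Agent running, instance profile allowing Systems Manager), which is the link back to the SSM Agent entry above.

```python
from typing import Dict, List, Set

RUNTIME_FEATURE = "RUNTIME_MONITORING"
# AdditionalConfiguration names GuardDuty accepts under RUNTIME_MONITORING; each one lets
# AWS install and update the security agent on that platform for you.
AGENT_MANAGEMENT = {"EC2_AGENT_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EKS_ADDON_MANAGEMENT"}


def runtime_status(detector: Dict) -> Dict[str, bool]:
    """Flatten a get_detector response into {feature-or-config-name: enabled?}."""
    status = {RUNTIME_FEATURE: False}
    status.update({name: False for name in AGENT_MANAGEMENT})
    for feature in detector.get("Features", []):
        if feature.get("Name") != RUNTIME_FEATURE:
            continue
        status[RUNTIME_FEATURE] = feature.get("Status") == "ENABLED"
        for cfg in feature.get("AdditionalConfiguration", []):
            if cfg.get("Name") in AGENT_MANAGEMENT:
                status[cfg["Name"]] = cfg.get("Status") == "ENABLED"
    return status


def missing_coverage(detector: Dict, wanted: Set[str]) -> List[str]:
    """Names that should be enabled but are not; the feature itself is listed first if it is off."""
    unknown = wanted - AGENT_MANAGEMENT
    if unknown:
        raise ValueError(f"unknown agent-management configuration(s): {sorted(unknown)}")
    status = runtime_status(detector)
    missing = [name for name in sorted(wanted) if not status[name]]
    if not status[RUNTIME_FEATURE]:
        missing.insert(0, RUNTIME_FEATURE)
    return missing


def build_update(wanted: Set[str]) -> Dict:
    """Keyword arguments for update_detector (besides DetectorId) that enable Runtime Monitoring
    and automated agent management for the requested platforms. Resubmitting an already
    enabled configuration is harmless, so the same payload can be applied on every run."""
    return {"Features": [{
        "Name": RUNTIME_FEATURE,
        "Status": "ENABLED",
        "AdditionalConfiguration": [{"Name": n, "Status": "ENABLED"} for n in sorted(wanted)],
    }]}


# Constructed get_detector response (shape follows the API; values are made up):
# Runtime Monitoring is on, but only EKS clusters receive the managed agent.
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
             {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "DISABLED"},
             {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"},
         ]},
    ],
}


def main() -> None:
    """Audit the account's detector and enable what the scenario needs (EC2 + ECS Fargate).
    Assumed: boto3 installed, credentials configured, GuardDuty already enabled in the region."""
    import boto3  # imported here so the audit functions above stay usable without it
    gd = boto3.client("guardduty")
    detector_ids = gd.list_detectors()["DetectorIds"]
    if not detector_ids:
        raise SystemExit("GuardDuty is not enabled in this region")
    detector_id = detector_ids[0]
    wanted = {"EC2_AGENT_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT"}
    missing = missing_coverage(gd.get_detector(DetectorId=detector_id), wanted)
    if not missing:
        print("runtime coverage already complete")
        return
    print("enabling:", ", ".join(missing))
    gd.update_detector(DetectorId=detector_id, **build_update(wanted))


if __name__ == "__main__":
    main()
```

Against the constructed response, missing_coverage reports EC2 and ECS Fargate agent management as absent and build_update produces the Features list that turns them on. After the update, the agent still has to land on each instance, which for EC2 happens through SSM, so an instance that is not SSM-managed remains uncovered and is worth checking separately.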
Reflection Question: How does the choice between agent-based runtime protection (granular visibility and control, higher operational overhead) and agentless protection (lower overhead, visibility limited to network and control-plane telemetry, e.g. GuardDuty's log-based detections), with GuardDuty Runtime Monitoring and its AWS-managed agent as the middle ground, shape how well you can continuously monitor and defend an active compute environment?