
Enable GuardDuty Rule for Your Systems

Ensure GuardDuty is enabled for robust security compliance.

Rule: GuardDuty should be enabled
Framework: CISA-cyber-essentials
Severity: High

GuardDuty Enabled for CISA-Cyber-Essentials

Overview

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It's imperative for compliance with the CISA (Cybersecurity & Infrastructure Security Agency) Cyber Essentials that organizations implement monitoring tools to secure their IT environment against threats.

Enabling GuardDuty

Step-by-Step Guide

  1. Access the GuardDuty Console:

    • Log in to the AWS Management Console.
    • Navigate to the Amazon GuardDuty console.

  2. Activate GuardDuty:

    • If you haven’t used GuardDuty before, click on the "Get Started" button.
    • Follow the on-screen instructions to activate GuardDuty.

  3. Set the Detector:

    • Amazon GuardDuty requires a ‘detector’ to be enabled in each region where you want monitoring.
    • From the GuardDuty dashboard, ensure you enable a detector for each region you operate in.

  4. Configure Settings:

    • Set up notification frequency, data sources, and enable or disable specific types of threat detection.

  5. Integrate with Other AWS Services:

    • For enhanced monitoring and response capabilities, integrate GuardDuty with Amazon CloudWatch, AWS Lambda, and AWS Security Hub.

  6. Create Sample Findings (Optional):

    • If you need to test your setup, you can generate sample findings to ensure your notifications and remediations are working.

AWS CLI Commands

  • To enable a detector in a specific region using the AWS CLI:

    aws guardduty create-detector --enable --region your-region
    
  • To retrieve the list of detectors:

    aws guardduty list-detectors --region your-region
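
The two commands above only cover one region, while the rule (and the "Regular Audit" practice below) needs every region checked. The following is an added example, not Cloud Defense's code: it lists the detector in each region and treats a region as compliant only when a detector exists and its Status is ENABLED. The AWS calls are injected so the logic runs offline against constructed sample responses; `boto3_audit()` wires in the real boto3 calls, and the region list and detector IDs are assumptions.

```python
"""Audit GuardDuty detectors across regions (added example, not the page's code)."""
from typing import Callable, Dict, List

ListFn = Callable[[str], List[str]]     # region -> list of detector ids
GetFn = Callable[[str, str], Dict]      # region, detector id -> get-detector response


def audit_region(region: str, list_detectors: ListFn, get_detector: GetFn) -> Dict:
    """Compliant only if the region has a detector and its Status is ENABLED."""
    ids = list_detectors(region)
    if not ids:
        return {"region": region, "compliant": False, "reason": "no detector"}
    # GuardDuty allows one detector per region, so inspect the first (only) id
    status = get_detector(region, ids[0]).get("Status", "UNKNOWN")
    return {"region": region, "compliant": status == "ENABLED",
            "reason": f"detector {ids[0]} is {status}", "detector_id": ids[0]}


def audit_regions(regions, list_detectors: ListFn, get_detector: GetFn) -> List[Dict]:
    return [audit_region(r, list_detectors, get_detector) for r in regions]


def noncompliant_regions(results: List[Dict]) -> List[str]:
    """Regions that fail the 'GuardDuty should be enabled' rule."""
    return [r["region"] for r in results if not r["compliant"]]


# Constructed sample data shaped like list-detectors / get-detector output
# (detector ids are placeholders, real ones are 32-character hex strings)
SAMPLE_DETECTORS = {
    "us-east-1": {"det-1111": {"Status": "ENABLED"}},
    "eu-west-1": {"det-2222": {"Status": "DISABLED"}},
    "ap-southeast-1": {},
}


def sample_list(region: str) -> List[str]:
    return list(SAMPLE_DETECTORS.get(region, {}))


def sample_get(region: str, detector_id: str) -> Dict:
    return SAMPLE_DETECTORS[region][detector_id]


def boto3_audit(regions: List[str]) -> List[Dict]:
    """Live audit; requires boto3 and credentials with guardduty:ListDetectors/GetDetector."""
    import boto3
    def list_fn(region):
        return boto3.client("guardduty", region_name=region).list_detectors()["DetectorIds"]
    def get_fn(region, det_id):
        return boto3.client("guardduty", region_name=region).get_detector(DetectorId=det_id)
    return audit_regions(regions, list_fn, get_fn)


if __name__ == "__main__":
    for finding in audit_regions(SAMPLE_DETECTORS, sample_list, sample_get):
        print(finding)
```

Run it against the sample data to see one compliant region and two failing ones; swap in `boto3_audit(["us-east-1", ...])` for a real account.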
    

Troubleshooting

  • Issue: GuardDuty is not showing any findings.

    • Check: Verify your detector is enabled in the correct region.
    • Check: Ensure you have given GuardDuty the necessary permissions to access your logs and data.
  • Issue: GuardDuty sample findings are not being generated.

    • Action: Double-check your CLI command for errors.
    • Action: Make sure your IAM user has sufficient permissions to create sample findings.

Remediation and Best Practices

  • Automate GuardDuty Activation:

    • Use AWS CloudFormation templates or AWS Control Tower to automate GuardDuty activation across all accounts and regions.
  • Account Configuration:

    • Ensure that all AWS accounts within the organization have GuardDuty enabled.
  • Regular Audit:

    • Regularly audit the GuardDuty setup to ensure it’s active and properly configured.
  • Incident Response Plan:

    • Develop and practice an incident response plan for addressing alerts generated by GuardDuty.
  • Monitor Continuously:

    • Continuous monitoring is key. Integrate GuardDuty findings with SIEM or incident response tools used within your organization.
  • Training and Awareness:

    • Train your staff to understand and respond to GuardDuty findings appropriately.

By adhering to these steps and ensuring GuardDuty is properly configured and integrated, organizations will meet one of the key elements of the CISA Cyber Essentials, which is to “Protect Critical Assets and Applications”. This not only helps in maintaining compliance but also significantly boosts the security posture of the AWS environment, making the infrastructure much less vulnerable to cyber-attacks.
