
Enable GuardDuty Rule for Configuration Management

This rule ensures that GuardDuty is enabled to meet the Configuration Management benchmark standards.

Rule: GuardDuty should be enabled
Framework: FedRAMP Low Revision 4
Severity: High

GuardDuty Compliance with FedRAMP Low Revision 4

Overview

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads. For compliance with the Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4, enabling AWS GuardDuty is vital for maintaining the necessary security controls and monitoring that are expected within a Low impact level cloud deployment.

Enabling Amazon GuardDuty for FedRAMP Compliance

Step-by-Step Guide

Step 1: Sign in to AWS Management Console

Access the AWS Management Console and use your credentials to sign in.

Step 2: Navigate to GuardDuty

In the Services search bar, type "GuardDuty" and select it from the list of services.

Step 3: Set Up GuardDuty

Once inside the GuardDuty dashboard, click on "Get Started" if you are enabling GuardDuty for the first time, which will direct you to the setup page.

Step 4: Enable GuardDuty

Click on “Enable GuardDuty.” This will automatically enable the service and commence monitoring for any potential threats.

Step 5: Configure Settings as per FedRAMP Requirements

Ensure that the necessary configurations align with FedRAMP Low Revision 4 requirements. This may involve setting the finding publishing frequency, integrating with AWS CloudTrail, and ensuring that findings are logged and retained appropriately.

Step 6: Review & Confirm

Review the settings and changes to ensure they meet FedRAMP Low standards. Once confirmed, save the configuration.

Automation using AWS CLI

To automate the process of enabling and configuring GuardDuty, the AWS CLI can be used.

Prerequisites

  • AWS CLI must be installed and configured with the appropriate permissions.

Enable GuardDuty

aws guardduty create-detector --enable \
--finding-publishing-frequency 'FIFTEEN_MINUTES' \
--data-sources '{"S3Logs": {"Enable": true}}' \
--region <your-region> \
--profile <your-aws-cli-profile>

Replace <your-region> with the desired region and <your-aws-cli-profile> with your configured AWS CLI profile name.

List Detectors

To list all GuardDuty detectors:

aws guardduty list-detectors --region <your-region> --profile <your-aws-cli-profile>
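As an added example (not CloudDefense's code or an AWS tool), the following Python checks a saved `aws guardduty get-detector` response against the settings applied by the create-detector command above, so the rule can be verified offline on exported output. The field names follow the GetDetector API; the two sample responses are constructed.

```python
# Added example (not from the original page): a small checker for the rule above.
# It evaluates the JSON returned by `aws guardduty get-detector --detector-id <id>`
# against the settings this page's create-detector call applies, so it can be run
# offline on a saved response. Sample responses below are constructed, not real.
import json
from typing import Optional

EXPECTED_FREQUENCY = "FIFTEEN_MINUTES"   # matches --finding-publishing-frequency above


def evaluate_detector(detector: Optional[dict]) -> list:
    """Return a list of failures for one region; an empty list means compliant."""
    if detector is None:                  # list-detectors returned no detector ID
        return ["no GuardDuty detector exists in this region"]
    failures = []
    status = detector.get("Status")
    if status != "ENABLED":
        failures.append(f"detector status is {status!r}, expected 'ENABLED'")
    freq = detector.get("FindingPublishingFrequency")
    if freq != EXPECTED_FREQUENCY:
        failures.append(f"finding publishing frequency is {freq!r}, expected {EXPECTED_FREQUENCY!r}")
    sources = detector.get("DataSources", {})
    s3 = sources.get("S3Logs", {}).get("Status")
    if s3 != "ENABLED":
        failures.append(f"S3Logs data source status is {s3!r}, expected 'ENABLED'")
    trail = sources.get("CloudTrail", {}).get("Status")
    if trail != "ENABLED":                # CloudTrail integration the troubleshooting section asks for
        failures.append(f"CloudTrail data source status is {trail!r}, expected 'ENABLED'")
    return failures


def check_saved_response(text: str) -> list:
    """Parse a saved get-detector response (JSON text) and evaluate it."""
    return evaluate_detector(json.loads(text))


# Constructed sample responses in the GetDetector shape (not captured from a real account).
COMPLIANT_RESPONSE = json.dumps({
    "Status": "ENABLED",
    "FindingPublishingFrequency": "FIFTEEN_MINUTES",
    "DataSources": {"CloudTrail": {"Status": "ENABLED"}, "S3Logs": {"Status": "ENABLED"}},
})
NONCOMPLIANT_RESPONSE = json.dumps({
    "Status": "ENABLED",
    "FindingPublishingFrequency": "SIX_HOURS",
    "DataSources": {"CloudTrail": {"Status": "ENABLED"}, "S3Logs": {"Status": "DISABLED"}},
})

if __name__ == "__main__":
    for name, body in [("compliant", COMPLIANT_RESPONSE), ("noncompliant", NONCOMPLIANT_RESPONSE)]:
        print(name, check_saved_response(body) or "OK")
    print("missing", evaluate_detector(None))
```

Save the CLI output with `aws guardduty get-detector --detector-id <id> --region <your-region> > detector.json` and pass its contents to check_saved_response; run it once per region, since detectors are regional.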

Troubleshooting

Ensure that you have the necessary permissions to enable and configure AWS GuardDuty. If you encounter access issues, check your IAM policies and roles.

If GuardDuty does not activate or there are issues with monitoring, verify that:

  • The AWS account has GuardDuty enabled in the desired region.
  • AWS CloudTrail is properly configured and integrated.
  • The AWS account falls under the FedRAMP Low impact level.

For further assistance, you can consult the AWS GuardDuty documentation or the AWS support team.

Remediation

If an issue with AWS GuardDuty compliance is detected, remediation steps include:

  1. Reviewing the GuardDuty findings for details on the potential threat or misconfiguration.
  2. Adjusting the configurations to meet the required FedRAMP Low controls and standards.
  3. Consulting FedRAMP documentation to ensure all services within the AWS account meet the necessary compliance requirements.

By diligently following these guidelines, AWS environments can maintain compliance with FedRAMP Low Revision 4 standards, leveraging GuardDuty to enhance the organization’s cloud security posture.
