Rule: GuardDuty should be enabled

This rule requires that Amazon GuardDuty be enabled so that the AWS account is continuously monitored for threats.

Rule: GuardDuty should be enabled
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

Enabling GuardDuty for FedRAMP Low Revision 4 ensures enhanced security and threat detection capabilities for the cloud environment. GuardDuty is a managed threat detection service offered by AWS, designed to continuously monitor and analyze the behavior of AWS accounts in order to identify potential security threats, suspicious activities, and unauthorized access.

By adhering to this rule, organizations can ensure compliance with FedRAMP (Federal Risk and Authorization Management Program) requirements and improve their overall security posture by proactively identifying and mitigating potential security risks.

Troubleshooting Steps (if any):

If problems arise while setting up or operating GuardDuty for FedRAMP Low Revision 4, work through the following troubleshooting steps:

  1. Review AWS documentation: Check the official AWS documentation on GuardDuty for guidance on setup, configuration, and troubleshooting specific to FedRAMP Low Revision 4.

  2. Verify GuardDuty configuration: Ensure that the GuardDuty configuration is aligned with the specific requirements of FedRAMP Low Revision 4. Validate the regions where GuardDuty is enabled, thresholds for severity levels, and the frequency of findings.

  3. Check IAM roles and permissions: Verify that the appropriate IAM roles and permissions are assigned to the GuardDuty service and associated resources so it can access the relevant logs and data for analysis.

  4. Review GuardDuty findings: Regularly review the GuardDuty findings and investigate any alerts or suspicious activities flagged by the service. Remediate those findings following the remediation steps recommended by AWS.

  5. Enable logging and notifications: Ensure that GuardDuty logging and notifications are properly configured. Review the CloudWatch Logs and SNS (Simple Notification Service) configurations so that alerts for identified threats or suspicious activities are received promptly.

  6. Seek AWS Support: If the troubleshooting steps do not resolve the issue, contact AWS Support for further assistance tailored to the specific scenario.

Necessary Codes (if any):

No code or scripts are required to enable GuardDuty for FedRAMP Low Revision 4; the service is enabled through the AWS Management Console.

Step-by-step Remediation Guide:

The following steps guide you through enabling GuardDuty for FedRAMP Low Revision 4:

  1. Log in to the AWS Management Console.

  2. Navigate to the GuardDuty service by selecting it from the list of available services.

  3. Click the "Get started" button if this is the first time GuardDuty is being enabled, or click "Add Member" if you are adding GuardDuty to an existing account.

  4. Select the regions where you want GuardDuty to operate. Ensure that the selected regions align with the requirements of FedRAMP Low Revision 4.

  5. Configure the organization ID if you are using AWS Organizations for account management. This allows you to enable GuardDuty across multiple accounts.

  6. Set the finding threshold for severity levels based on your organization's risk tolerance and security requirements.

  7. Choose whether to enable email notifications for GuardDuty findings and select the SNS topic that should receive the alerts.

  8. Review the configuration settings and click "Enable GuardDuty" to enable the service for your account.

  9. Validate that GuardDuty was enabled successfully by checking the status and overall health of the service in the GuardDuty console.

  10. Regularly review GuardDuty findings and take appropriate action according to the remediation steps recommended by AWS.

Remember to regularly monitor the GuardDuty service, review findings, and take necessary actions to ensure continuous security monitoring and threat detection as part of maintaining compliance with FedRAMP Low Revision 4.
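The region check described in troubleshooting step 2 and in remediation step 9 (confirm that a detector exists and is enabled in every region in scope) can be automated rather than done by hand in the console. The following Python script is an added example and is not code from this page, from Cloud Defense, or from AWS. It evaluates the response shapes of the GuardDuty ListDetectors and GetDetector API calls for each region and reports any region where no detector exists or the detector's status is not ENABLED. The region names, detector IDs and statuses in SAMPLE_REPORTS are constructed sample data; collect_detector_status is an optional live collector that assumes boto3 is installed and AWS credentials are configured, and is not needed to run the offline demo.

```python
"""Evaluate whether Amazon GuardDuty is enabled in each region of interest.

Works on the GuardDuty API response shapes: ListDetectors returns
{"DetectorIds": [...]} and GetDetector returns a dict containing "Status"
("ENABLED" or "DISABLED") and "FindingPublishingFrequency".
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class RegionStatus:
    region: str
    detector_id: Optional[str]          # None when the region has no detector at all
    status: Optional[str]               # "ENABLED", "DISABLED", or None
    publishing_frequency: Optional[str] = None

    @property
    def compliant(self) -> bool:
        # The rule is met only by an existing detector that is ENABLED; a region
        # with a DISABLED detector is as non-compliant as one with no detector.
        return self.detector_id is not None and self.status == "ENABLED"


def evaluate_region(region: str, list_detectors: dict, get_detector: Optional[dict]) -> RegionStatus:
    """Map one region's ListDetectors/GetDetector responses onto a RegionStatus."""
    detector_ids = list_detectors.get("DetectorIds", [])
    if not detector_ids:
        return RegionStatus(region=region, detector_id=None, status=None)
    detail = get_detector or {}
    return RegionStatus(
        region=region,
        detector_id=detector_ids[0],    # GuardDuty allows one detector per region
        status=detail.get("Status"),
        publishing_frequency=detail.get("FindingPublishingFrequency"),
    )


def evaluate_account(reports: dict) -> dict:
    """reports maps region -> (ListDetectors response, GetDetector response or None)."""
    statuses = [evaluate_region(region, listed, detail)
                for region, (listed, detail) in reports.items()]
    failing = [s.region for s in statuses if not s.compliant]
    return {"compliant": not failing, "regions": statuses, "non_compliant_regions": failing}


def collect_detector_status(regions, session=None) -> dict:
    """Live collector (assumption: boto3 installed and AWS credentials configured).

    Builds the same region -> (ListDetectors, GetDetector) mapping that
    evaluate_account expects. Not used by the offline demo below.
    """
    import boto3  # imported lazily so the offline demo runs without it

    session = session or boto3.Session()
    reports = {}
    for region in regions:
        client = session.client("guardduty", region_name=region)
        listed = client.list_detectors()
        detail = None
        if listed.get("DetectorIds"):
            detail = client.get_detector(DetectorId=listed["DetectorIds"][0])
        reports[region] = (listed, detail)
    return reports


# Constructed sample data: one compliant region, one with a disabled detector,
# one with no detector. The detector IDs are made up and refer to no real account.
SAMPLE_REPORTS = {
    "us-east-1": (
        {"DetectorIds": ["0000000000000000000000000000aaaa"]},
        {"Status": "ENABLED", "FindingPublishingFrequency": "FIFTEEN_MINUTES"},
    ),
    "us-west-2": (
        {"DetectorIds": ["0000000000000000000000000000bbbb"]},
        {"Status": "DISABLED", "FindingPublishingFrequency": "SIX_HOURS"},
    ),
    "eu-west-1": ({"DetectorIds": []}, None),
}


def format_report(result: dict) -> str:
    """Render the evaluation as one line per region plus an overall verdict."""
    lines = []
    for s in result["regions"]:
        verdict = "PASS" if s.compliant else "FAIL"
        detail = f"detector={s.detector_id} status={s.status}" if s.detector_id else "no detector"
        lines.append(f"{verdict} {s.region}: {detail}")
    if result["compliant"]:
        lines.append("overall: compliant")
    else:
        lines.append("overall: non-compliant in " + ", ".join(result["non_compliant_regions"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(evaluate_account(SAMPLE_REPORTS)))
```

Run as-is, the script prints PASS for us-east-1 and FAIL for the other two constructed regions. Against a real account, pass `collect_detector_status(["us-east-1", "us-west-2"])` (or whatever regions are in scope for the FedRAMP boundary) to `evaluate_account`; a region listed in scope but missing from the check is the most common way this control silently fails, so keep the region list explicit rather than deriving it from where detectors happen to exist.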