Rule: GuardDuty Findings Should Be Archived
Ensure compliance by archiving GuardDuty findings to meet Incident Response benchmarks.
| Rule | GuardDuty findings should be archived |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Medium |
Rule Description
The rule requires that GuardDuty findings, an AWS service that detects threats to your AWS environment, should be archived specifically for FedRAMP Low Revision 4 compliance. This is to ensure that any potential security incidents or threats are properly documented and retained for future reference and analysis, adhering to the security requirements set by FedRAMP Low Revision 4.
Remediation Steps
To remediate this rule and ensure compliance with FedRAMP Low Revision 4, follow the steps below:
Step 1: Enable GuardDuty in your AWS Account
If you have not already enabled GuardDuty, follow these steps to enable it:
- 1.Log in to your AWS Management Console.
- 2.Open the GuardDuty service from the dashboard or services menu.
- 3.Click on the "Enable GuardDuty" button.
- 4.Select the AWS region where you want GuardDuty to be active and click "Enable GuardDuty."
Step 2: Configure GuardDuty Findings Archive
To configure GuardDuty to archive findings for FedRAMP Low Revision 4 compliance, perform the following steps:
- 1.Navigate to the GuardDuty console in the AWS Management Console.
- 2.Click on "Settings" in the sidebar.
- 3.Scroll down to the "Findings export" section.
- 4.Click on the "Edit" button.
- 5.Enable the "Archive GuardDuty findings to an S3 bucket" option.
- 6.Choose an existing S3 bucket or create a new one to store the findings.
- 7.Confirm that the selected bucket meets the FedRAMP Low Revision 4 compliance requirements.
Step 3: Ensure Access Controls for S3 Bucket
To ensure the proper access controls for the S3 bucket where the GuardDuty findings are archived, take the following steps:
- 1.Open the Amazon S3 console in the AWS Management Console.
- 2.Locate the S3 bucket you selected or created for storing the GuardDuty findings.
- 3.Click on the bucket name to access its properties.
- 4.Click on the "Permissions" tab.
- 5.Review and configure the bucket policies and access control list (ACL) to adhere to FedRAMP Low Revision 4 requirements.
- 6.Follow the principle of least privilege to grant access only to authorized personnel.
Step 4: Monitoring and Verification
Once the configuration and access controls are in place, it is important to monitor and verify the proper archiving of GuardDuty findings. Perform the following checks:
- 1.Regularly review the GuardDuty findings in the console to ensure they reflect the current security status.
- 2.Verify that new findings are being archived to the designated S3 bucket.
- 3.Monitor S3 bucket access logs and audit trails for any unauthorized activities.
- 4.Periodically review archived findings for analysis and potential security enhancements.
Troubleshooting
In case you encounter any issues while implementing this rule, consider the following troubleshooting steps:
- 1.Ensure the GuardDuty service is enabled and properly configured.
- 2.Double-check that the specified S3 bucket for findings export exists and is accessible.
- 3.Verify the IAM policies associated with the S3 bucket provide the necessary permissions for GuardDuty to export findings.
- 4.Review AWS CloudTrail logs for any relevant events or errors related to GuardDuty configuration.
- 5.Check the AWS documentation and forums for any known issues or updates related to GuardDuty and findings archival.
If the troubleshooting steps do not resolve the issue, consider reaching out to AWS Support for further assistance and guidance.
Conclusion
By following the above steps, you can ensure that GuardDuty findings are properly archived for FedRAMP Low Revision 4 compliance. Regular monitoring and verification of findings will help to maintain a secure AWS environment and enhance the overall security posture.