Enable GuardDuty Rule

Ensure compliance by enabling GuardDuty rule to meet Configuration Management benchmarks.

Rule: GuardDuty should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: High

Enabling GuardDuty for FedRAMP Moderate Revision 4

Amazon GuardDuty is a managed threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed findings for visibility and compliance. To comply with FedRAMP Moderate Revision 4, AWS resources must adhere to specific security controls and configurations, including the monitoring of account activity and anomaly detection.

Rule Details

GuardDuty must be enabled to monitor and report on potential security incidents within your AWS environment. It addresses various security controls required by FedRAMP, such as incident response, anomaly detection, and malicious activity monitoring.

Troubleshooting Steps

If GuardDuty is not enabled, or issues arise after activation, work through the following troubleshooting steps:

Verify GuardDuty Service Status

  1. Log in to the GuardDuty console to ensure the service is active.
  2. Check for any service notifications or warnings indicating functional issues.

Permissions Issues

  1. Confirm that the IAM role or user enabling GuardDuty has the necessary permissions.
  2. Permissions required include guardduty:* and iam:CreateServiceLinkedRole (GuardDuty creates its service-linked role the first time a detector is enabled, so the call fails without the latter).

Network Connectivity

  1. Verify that your VPC (Virtual Private Cloud) and associated networking are configured correctly.
  2. Ensure that no AWS Organizations Service Control Policies (SCPs) are blocking GuardDuty API calls for the account.

Necessary Codes

To enable GuardDuty and automate its setup, use AWS CLI commands or AWS SDK scripts. Here is an example using the AWS CLI:

Enable GuardDuty

To enable GuardDuty via AWS CLI, enter the following command:

aws guardduty create-detector --enable

This command returns a DetectorId, which you will use to reference your GuardDuty detector.

Step by Step Guide for Remediation

Step 1: Enable GuardDuty through AWS Console

  1. Navigate to the GuardDuty console.
  2. Click on "Get Started" if you're enabling it for the first time.
  3. Follow the console workflow to activate GuardDuty.

Step 2: Enable via AWS CLI

  1. Open your terminal or command prompt.
  2. Input the command provided above to enable GuardDuty.

Step 3: Configure GuardDuty (Optional)

  • Set up notification channels for alerts:
    • Use Amazon SNS for real-time notifications.
  • Create custom threat lists and trusted IP lists.
  • Integrate with other AWS services for deeper analysis (AWS CloudTrail, AWS Security Hub, etc.).

Step 4: Review Findings

  • Regularly check the GuardDuty findings for any unusual activity.
  • Investigate and address findings based on the severity and type of threat detected.

CLI Commands Required

List Detectors

In case you need to list existing detectors:

aws guardduty list-detectors

Disable GuardDuty

To disable GuardDuty, if necessary, for a specific detector (this deletes the detector together with its findings; to suspend monitoring without deleting, use update-detector with --no-enable instead):

aws guardduty delete-detector --detector-id <DetectorId>

Replace <DetectorId> with the actual ID of your detector.

Update Detector Settings

Update the GuardDuty detector's settings, if needed:

aws guardduty update-detector --detector-id <DetectorId> --finding-publishing-frequency <Value>

The finding-publishing-frequency can be set to one of the allowed values (e.g., FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS).
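As an added example (not code from Cloud Defense or AWS), the following POSIX shell script ties the CLI commands above into one idempotent remediation: it looks up the region's detector, creates one only when none exists (create-detector fails if the region already has one, since GuardDuty allows a single detector per account per region), re-enables a suspended detector with update-detector --enable instead of deleting it, and validates the publishing frequency against the allowed values before applying it. It assumes a configured AWS CLI v2 with credentials and a default region; the AWS_CLI variable, the function names and the "run" argument are this example's own conventions. GuardDuty is regional, so run it once in each region that must be covered.

```shell
#!/bin/sh
# Added example, not Cloud Defense's or AWS's own tooling.
# Idempotent remediation for "GuardDuty should be enabled" in the current region.
# Assumes AWS CLI v2 with credentials and a default region configured; AWS_CLI
# may point at a wrapper or stub for dry runs.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Print the region's detector ID, or nothing if none exists. GuardDuty allows a
# single detector per account per region, so DetectorIds[0] is the only candidate.
current_detector_id() {
    found=$("$AWS_CLI" guardduty list-detectors --query 'DetectorIds[0]' --output text)
    case "$found" in
        None|"") ;;                 # text output prints "None" for an empty list
        *) printf '%s\n' "$found" ;;
    esac
}

# Print ENABLED or DISABLED for the given detector.
detector_status() {
    "$AWS_CLI" guardduty get-detector --detector-id "$1" --query 'Status' --output text
}

# Accept only the values listed for --finding-publishing-frequency.
is_allowed_frequency() {
    case "$1" in
        FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS) return 0 ;;
        *) return 1 ;;
    esac
}

# Ensure a detector exists and is enabled, optionally set its publishing
# frequency, and print the detector ID. Safe to re-run: it never calls
# create-detector when a detector already exists (that call would fail).
ensure_guardduty_enabled() {
    freq="${1:-}"
    if [ -n "$freq" ] && ! is_allowed_frequency "$freq"; then
        echo "unsupported finding-publishing-frequency: $freq" >&2
        return 2
    fi
    detector=$(current_detector_id)
    if [ -z "$detector" ]; then
        detector=$("$AWS_CLI" guardduty create-detector --enable --query 'DetectorId' --output text)
    elif [ "$(detector_status "$detector")" != "ENABLED" ]; then
        # Existing but suspended detector: re-enable rather than delete and
        # recreate, which would discard its findings.
        "$AWS_CLI" guardduty update-detector --detector-id "$detector" --enable
    fi
    if [ -n "$freq" ]; then
        "$AWS_CLI" guardduty update-detector --detector-id "$detector" --finding-publishing-frequency "$freq"
    fi
    printf '%s\n' "$detector"
}

# Usage: sh ensure_guardduty.sh run [FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS]
# The explicit "run" argument lets the functions also be sourced into another
# script without side effects.
if [ "${1:-}" = "run" ]; then
    ensure_guardduty_enabled "${2:-}"
fi
```

Setting AWS_CLI to a wrapper that logs its arguments instead of calling the real CLI gives a dry run of exactly which API calls the remediation would make in a given account state.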

This rule is established to ensure that your AWS environments align with FedRAMP's stringent security controls, maintaining compliance and reducing the risks associated with cyber threats. Employing these practices not only supports adherence to regulatory standards but also improves your overall security posture and the trust and reliability of your services.
