Enable GuardDuty Rule for Incident Response (IR)

Implement the rule to enable GuardDuty for better incident response.

Rule: GuardDuty should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: High

GuardDuty Compliance with FedRAMP Moderate Revision 4

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads. In environments where compliance with Federal standards is required, such as FedRAMP Moderate Revision 4, enabling and properly configuring GuardDuty is critical.

Overview of the FedRAMP Moderate Baseline Requirement

The Federal Risk and Authorization Management Program (FedRAMP) establishes a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The Moderate Impact Level is applicable to systems where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals.

Specific Requirements of FedRAMP for GuardDuty

For compliance with FedRAMP Moderate, GuardDuty should be enabled across all accounts and configured to:

  • Continuously monitor for unusual or unauthorized activities and conditions.
  • Automatically report findings to administrators using AWS security and notification services.
  • Integrate with other AWS services for a holistic security posture.

Enabling and Configuring GuardDuty for FedRAMP Compliance

Step 1: Enable GuardDuty

To enable Amazon GuardDuty:

  1. Sign in to the AWS Management Console.
  2. Navigate to Amazon GuardDuty.
  3. If GuardDuty is not yet enabled, click on "Get Started" and follow the on-screen instructions.
  4. Confirm that GuardDuty is now active and monitoring your AWS environment.

Step 2: Integrate with AWS Security Services

Integrate GuardDuty with services such as Amazon Simple Notification Service (Amazon SNS), Amazon EventBridge (formerly CloudWatch Events), or AWS Lambda for automated real-time alerts and responses:

# Example AWS CLI command to create an SNS topic for GuardDuty findings
aws sns create-topic --name GuardDutyFindings

# Subscribe to the SNS topic using your preferred endpoint (e.g., email, SMS, etc.)
aws sns subscribe --topic-arn <Your-SNS-Topic-ARN> --protocol <Protocol> --notification-endpoint <Endpoint>

Step 3: Establish Detective Controls

Establish detective controls that include enabling GuardDuty in all regions where AWS resources are deployed.

# Example AWS CLI command to list all regions
aws ec2 describe-regions --query "Regions[].RegionName" --output text

# Ensure GuardDuty is enabled in each listed region using the AWS CLI.
# create-detector is rejected when a detector already exists in the region,
# so check for one first and re-enable a suspended detector instead.
for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
do
   detector=$(aws guardduty list-detectors --region "$region" --query "DetectorIds[0]" --output text)
   if [ -z "$detector" ] || [ "$detector" = "None" ]; then
      aws guardduty create-detector --enable --region "$region"
   else
      aws guardduty update-detector --detector-id "$detector" --enable --region "$region"
   fi
done

Step 4: Continuous Monitoring and Feedback Loop

Implement continuous monitoring by regularly reviewing GuardDuty findings and adjusting configurations as necessary:

  1. Use the GuardDuty console to review findings.
  2. Analyze and prioritize actions based on finding severity.
  3. Document and respond to findings according to established incident response protocols.

Step 5: Maintain Compliance Documentation

Maintain documentation on how GuardDuty is used within your organization to meet FedRAMP Moderate requirements. Include configuration details, monitoring strategies, and incident response procedures.

Testing and Validation

To ensure GuardDuty is functioning correctly and aligned with FedRAMP standards:

  • Perform regular checks of GuardDuty settings and alerts.
  • Validate that findings are being reported appropriately.
  • Run simulated events to test incident response and notification processes.
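The per-region check that Step 3 and the validation list above call for, written as an added example (not part of the original page or any vendor tool). It evaluates the rule "GuardDuty should be enabled" from the shape of the GuardDuty ListDetectors/GetDetector responses and decides, per region, whether a detector must be created, re-enabled, or is already compliant; the region names and detector states at the bottom are constructed sample data, and the boto3 collector is only needed against a live account.

```python
"""Evaluate the "GuardDuty should be enabled" rule across AWS regions."""
from typing import Dict, List, Optional

# Per-region detector state: None means ListDetectors returned no detector in
# that region; otherwise the dict carries the GetDetector "Status" field,
# which is "ENABLED" or "DISABLED" (a suspended detector).
DetectorState = Optional[Dict[str, str]]


def plan_guardduty_actions(regions: List[str],
                           detectors: Dict[str, DetectorState]) -> Dict[str, str]:
    """Return the action needed in each region to satisfy the rule.

    "create"  -> no detector exists: aws guardduty create-detector --enable
    "enable"  -> detector exists but is suspended: update-detector --enable
    "ok"      -> detector exists and is ENABLED (compliant)
    "unknown" -> region was never queried; do not act blindly, query it first
    """
    plan: Dict[str, str] = {}
    for region in regions:
        if region not in detectors:
            plan[region] = "unknown"
        elif detectors[region] is None:
            plan[region] = "create"
        elif detectors[region].get("Status") == "ENABLED":
            plan[region] = "ok"
        else:
            plan[region] = "enable"
    return plan


def noncompliant_regions(plan: Dict[str, str]) -> List[str]:
    """Regions that fail the rule, i.e. anything other than an enabled detector."""
    return sorted(region for region, action in plan.items() if action != "ok")


def collect_detector_states(session, regions: List[str]) -> Dict[str, DetectorState]:
    """Build the detector map from a live account via a boto3 Session (hypothetical caller)."""
    states: Dict[str, DetectorState] = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        states[region] = gd.get_detector(DetectorId=ids[0]) if ids else None
    return states


# Constructed sample: one compliant region, one suspended detector, one with none.
SAMPLE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]
SAMPLE_DETECTORS: Dict[str, DetectorState] = {
    "us-east-1": {"Status": "ENABLED"},
    "us-west-2": {"Status": "DISABLED"},
    "eu-west-1": None,
}

if __name__ == "__main__":
    plan = plan_guardduty_actions(SAMPLE_REGIONS, SAMPLE_DETECTORS)
    for region, action in plan.items():
        print(f"{region}: {action}")
    print("non-compliant regions:", noncompliant_regions(plan))
```

Against a live account, build `regions` from `describe_regions()` and pass `collect_detector_states(boto3.Session(), regions)` in place of the sample map.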

Remediation

In the case of non-compliance or identified issues with GuardDuty:

  • Review and adjust the configuration of GuardDuty according to best practices.
  • Ensure that all regions and accounts are covered and monitored by GuardDuty.
  • Update the security policies and response plans based on GuardDuty findings trends.

By following the steps detailed above, organizations can ensure that Amazon GuardDuty is aligned with FedRAMP Moderate Revision 4, contributing to a robust and compliant security posture for cloud environments.
