Rule: GuardDuty findings should be archived

This rule ensures that GuardDuty findings are properly archived for future reference and analysis.

Rule: GuardDuty findings should be archived
Framework: FedRAMP Moderate Revision 4
Severity: Medium

GuardDuty Findings Archive Policy for FedRAMP Moderate Revision 4

Overview

Under the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, Revision 4, cloud service providers must implement the NIST SP 800-53 Revision 4 controls selected for that baseline, among them audit review, analysis and reporting (AU-6) and audit record retention (AU-11). Amazon GuardDuty findings fall under these controls. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS accounts and workloads, and it keeps findings for 90 days. "Archived" means two things here. Reviewed findings are archived inside GuardDuty (the archive-findings operation) so that the current-findings view shows only open items; that is what this check measures, and it fails when findings sit unarchived past a per-severity age limit. Separately, findings are exported to encrypted, tamper-resistant storage so that they survive beyond GuardDuty's own retention window for later analysis.

Archiving Process

Step 1: Enable GuardDuty

Ensure that Amazon GuardDuty is enabled in every region you operate in. Detectors are per-region and an account can hold only one per region, so create-detector fails where one already exists; check list-detectors first. Where no detector exists, enable GuardDuty from the AWS Management Console or with the AWS CLI:

aws guardduty create-detector --enable --region <region>

Step 2: Store Findings

GuardDuty findings must be exported and stored securely. The supported mechanism is a GuardDuty publishing destination (create-publishing-destination), which writes every new and updated finding to an S3 bucket, encrypted under a KMS key you designate, without any pull loop. The manual path below (list, encrypt, upload) captures only a point-in-time snapshot and depends on being run on schedule, so treat it as a way to seed or spot-check an archive, not as the archive itself.

Exporting Findings

You can use the AWS CLI to enumerate findings. Note that list-findings returns finding IDs only; fetch the full records with get-findings before writing anything to the archive:

aws guardduty list-findings --detector-id <detector-id>

Encrypting Data

Use AWS Key Management Service to encrypt the exported findings. kms encrypt accepts at most 4 KB of plaintext and returns the ciphertext base64-encoded inside a JSON response, so it fits a single small record or a data key, not a bulk export; for files of any size use bucket-side SSE-KMS (next step) or envelope encryption with a KMS-generated data key:

aws kms encrypt --key-id <kms-key-id> --plaintext fileb://<findings-file>

Storing in S3

Upload the file to an Amazon S3 bucket that blocks public access and denies unencrypted PutObject requests. Request SSE-KMS explicitly so the object is encrypted at rest under your key even if the bucket default encryption changes later:

aws s3 cp <encrypted-findings-file> s3://<your-secure-bucket>/findings-archive/ --sse aws:kms --sse-kms-key-id <kms-key-id>

Step 3: Set Retention Policies

FedRAMP requires a defined retention period for audit records. An S3 lifecycle configuration controls when objects transition to cheaper storage classes and when they expire; it does not prevent a principal with s3:DeleteObject from removing them early, so pair it with S3 Object Lock in compliance mode for the same period. Apply the lifecycle configuration with:

aws s3api put-bucket-lifecycle-configuration --bucket <your-secure-bucket> --lifecycle-configuration file://lifecycle.json

The lifecycle.json should set the Expiration period to the required retention duration, plus any transitions (for example to Glacier) you want before then.
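Steps 1 to 3 as one script, added here as an example; it is not code from the original page or an AWS sample. It uses a GuardDuty publishing destination instead of the manual list/encrypt/upload loop, and it generates the lifecycle, Object Lock and bucket-policy JSON that the steps above leave unspecified. The bucket name, account ID, KMS key ARN and region are placeholders, and the 90-day Glacier transition and 365-day retention are assumed values, not FedRAMP figures.

```shell
#!/bin/sh
# Added example: GuardDuty export destination + S3 retention setup in one file.
# All resource names below are placeholders (hypothetical), not real resources.
set -eu

BUCKET="${BUCKET:-example-guardduty-archive}"                              # placeholder
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:us-east-1:111122223333:key/EXAMPLE}" # placeholder
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                                    # placeholder
REGION="${REGION:-us-east-1}"
RETENTION_DAYS="${RETENTION_DAYS:-365}"                                     # assumed period

# Lifecycle: move findings to Glacier after 90 days, expire them only once the
# retention period has passed. Expiration is a deletion schedule; it does not
# stop an earlier delete, which is what object_lock_json below is for.
lifecycle_json() {
  days="$1"
  cat <<EOF
{
  "Rules": [
    {
      "ID": "guardduty-findings-retention",
      "Status": "Enabled",
      "Filter": { "Prefix": "findings-archive/" },
      "Transitions": [ { "Days": 90, "StorageClass": "GLACIER" } ],
      "Expiration": { "Days": $days }
    }
  ]
}
EOF
}

# Object Lock default retention in COMPLIANCE mode: no principal, root included,
# can delete or overwrite an object before its retention period ends.
object_lock_json() {
  days="$1"
  cat <<EOF
{
  "ObjectLockEnabled": "Enabled",
  "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": $days } }
}
EOF
}

# Bucket policy letting the GuardDuty service principal write exports, scoped
# with aws:SourceAccount so a detector in another account cannot publish here.
export_bucket_policy() {
  bucket="$1"; account="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGuardDutyExport",
      "Effect": "Allow",
      "Principal": { "Service": "guardduty.amazonaws.com" },
      "Action": [ "s3:PutObject", "s3:GetBucketLocation" ],
      "Resource": [ "arn:aws:s3:::$bucket", "arn:aws:s3:::$bucket/*" ],
      "Condition": { "StringEquals": { "aws:SourceAccount": "$account" } }
    }
  ]
}
EOF
}

# The AWS CLI calls. They run only when GD_EXPORT_RUN is set, so the file can
# be sourced or tested without credentials.
setup_export() {
  detector=$(aws guardduty list-detectors --region "$REGION" --query 'DetectorIds[0]' --output text)
  if [ -z "$detector" ] || [ "$detector" = "None" ]; then
    detector=$(aws guardduty create-detector --enable --region "$REGION" --query DetectorId --output text)
  fi
  lifecycle_json "$RETENTION_DAYS" > lifecycle.json
  object_lock_json "$RETENTION_DAYS" > object-lock.json
  export_bucket_policy "$BUCKET" "$ACCOUNT_ID" > bucket-policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file://bucket-policy.json
  aws s3api put-object-lock-configuration --bucket "$BUCKET" --object-lock-configuration file://object-lock.json
  aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" --lifecycle-configuration file://lifecycle.json
  # GuardDuty writes each finding itself, encrypted under the KMS key, into the
  # findings-archive/ prefix that the lifecycle rule above matches.
  aws guardduty create-publishing-destination --detector-id "$detector" --region "$REGION" \
    --destination-type S3 \
    --destination-properties "DestinationArn=arn:aws:s3:::$BUCKET/findings-archive/,KmsKeyArn=$KMS_KEY_ARN"
}

if [ -n "${GD_EXPORT_RUN:-}" ]; then setup_export; fi
```

Two prerequisites are outside the script: the bucket must have been created with --object-lock-enabled-for-bucket before put-object-lock-configuration succeeds, and the KMS key policy must allow guardduty.amazonaws.com to call kms:GenerateDataKey, otherwise create-publishing-destination fails. Run it with GD_EXPORT_RUN=1 and the placeholders overridden; without that variable it only defines the functions.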

Monitoring and Compliance Automation

Enable CloudWatch Alarms

GuardDuty does not publish a FindingsDetected metric; findings are delivered as EventBridge events (source aws.guardduty, detail-type "GuardDuty Finding"), which is the supported hook for alerting. The alarm below therefore only works on a custom metric of that name that you publish yourself (for example from an EventBridge target), and without --alarm-actions it records state changes but notifies no one:

aws cloudwatch put-metric-alarm --alarm-name "GuardDutyFindingsDetected" --metric-name "FindingsDetected" --namespace "AWS/GuardDuty" --statistic Sum --period 300 --evaluation-periods 1 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --treat-missing-data missing

Enable AWS Config Rules

Implement AWS Config rules to check compliance automatically. Two AWS managed rules cover this policy: GUARDDUTY_ENABLED_CENTRALIZED (a detector exists and is enabled, optionally reporting to a central account) and GUARDDUTY_NON_ARCHIVED_FINDINGS (NON_COMPLIANT when low, medium or high severity findings remain unarchived longer than its daysLowSev, daysMediumSev and daysHighSev parameters; the defaults are 30, 7 and 1 days):

aws configservice put-config-rule --config-rule file://guardduty-config-rule.json

Your guardduty-config-rule.json should reference one of these managed rules (Owner AWS with the SourceIdentifier above), or a custom Lambda-backed rule if you also want to check the archive bucket's encryption, lifecycle and Object Lock settings.
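The Config rule definition, the EventBridge pattern that replaces the non-existent GuardDuty metric, and the archiving decision the rule enforces, added here as an example (not the page's code and not an AWS sample). The rule name, the sample findings and their timestamps are constructed; the day limits are the managed rule's default parameters; and the live archive_overdue function assumes GNU date and xargs and that one page of list-findings results (50 IDs) is enough.

```shell
#!/bin/sh
# Added example: Config rule + EventBridge pattern + the archiving logic that
# GUARDDUTY_NON_ARCHIVED_FINDINGS enforces, exercised on constructed findings.
set -eu

# Per-severity limits of the managed rule (its default values): the number of
# days a finding may remain unarchived before the rule reports NON_COMPLIANT.
DAYS_LOW=30; DAYS_MEDIUM=7; DAYS_HIGH=1

# Rule definition for: aws configservice put-config-rule --config-rule file://rule.json
# InputParameters is a JSON string nested inside JSON, hence the escaped quotes.
config_rule_json() {
  cat <<EOF
{
  "ConfigRuleName": "guardduty-non-archived-findings",
  "Source": { "Owner": "AWS", "SourceIdentifier": "GUARDDUTY_NON_ARCHIVED_FINDINGS" },
  "InputParameters": "{\"daysLowSev\":\"$DAYS_LOW\",\"daysMediumSev\":\"$DAYS_MEDIUM\",\"daysHighSev\":\"$DAYS_HIGH\"}",
  "MaximumExecutionFrequency": "TwentyFour_Hours"
}
EOF
}

# Pattern for: aws events put-rule --name <name> --event-pattern file://pattern.json
# Matches every High finding (severity >= 7) so a target (SNS, Lambda) can page.
event_pattern_json() {
  cat <<EOF
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": { "severity": [ { "numeric": [">=", 7] } ] }
}
EOF
}

# Allowed unarchived age for a GuardDuty numeric severity
# (Low 1.0-3.9, Medium 4.0-6.9, High 7.0+); the integer part is sufficient.
max_age_days() {
  sev=${1%%.*}
  if [ "$sev" -ge 7 ]; then echo "$DAYS_HIGH"
  elif [ "$sev" -ge 4 ]; then echo "$DAYS_MEDIUM"
  else echo "$DAYS_LOW"; fi
}

# stdin: one "<finding-id> <severity> <updatedAt-epoch>" per line; $1: now (epoch).
# Prints the ids whose age in whole days has reached their severity's limit.
overdue_findings() {
  now="$1"
  while read -r id sev updated; do
    [ -n "$id" ] || continue
    age_days=$(( (now - updated) / 86400 ))
    if [ "$age_days" -ge "$(max_age_days "$sev")" ]; then echo "$id"; fi
  done
}

# Constructed sample: a fixed "now" and four findings of differing age.
NOW=1700000000
sample_findings() {
  cat <<EOF
f-high-stale 8.0 $((NOW - 2 * 86400))
f-high-fresh 7.5 $((NOW - 12 * 3600))
f-medium-stale 5.0 $((NOW - 10 * 86400))
f-low-recent 2.0 $((NOW - 20 * 86400))
EOF
}

# Live path (runs only when GD_ARCHIVE_DETECTOR holds a detector id): list the
# unarchived findings, fetch severity and UpdatedAt, archive the overdue ones.
archive_overdue() {
  detector="$1"
  ids=$(aws guardduty list-findings --detector-id "$detector" \
          --finding-criteria '{"Criterion":{"service.archived":{"Eq":["false"]}}}' \
          --query 'FindingIds' --output text)
  if [ -z "$ids" ] || [ "$ids" = "None" ]; then return 0; fi
  # $ids is intentionally unquoted: tab-separated ids become separate arguments.
  aws guardduty get-findings --detector-id "$detector" --finding-ids $ids \
      --query 'Findings[].[Id,Severity,UpdatedAt]' --output text |
    while read -r id sev updated; do
      echo "$id $sev $(date -u -d "$updated" +%s)"   # GNU date parses ISO-8601
    done |
    overdue_findings "$(date -u +%s)" |
    xargs -r -n 50 aws guardduty archive-findings --detector-id "$detector" --finding-ids
}

if [ -n "${GD_ARCHIVE_DETECTOR:-}" ]; then archive_overdue "$GD_ARCHIVE_DETECTOR"; fi
```

On the constructed sample, overdue_findings reports f-high-stale (2 days against a 1-day limit) and f-medium-stale (10 days against 7) and leaves the 12-hour High finding and the 20-day Low finding alone, which is the same verdict the Config rule would give. Archiving overdue findings automatically only keeps the check green; it is no substitute for triage, so in practice gate archive_overdue on a ticket or note being recorded for each id first.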

Remediation Steps

Address Non-compliance

When the Config rule or an audit flags findings that have stayed unarchived past their threshold, or an archive bucket that has lost its encryption, lifecycle or Object Lock settings, perform the following:

  1. Investigate the finding and identify the root cause; once a GuardDuty finding is triaged, archive it (archive-findings) so the current view reflects open work only.
  2. Take corrective actions as per your cybersecurity incident response plan.
  3. Document the incident, actions taken, and any lessons learned.

Regular Audits

Conduct regular audits to ensure that the archiving process continues to meet FedRAMP standards.

CLI Command Summary

These commands are examples of how to interact with various AWS Services for compliance with GuardDuty findings archiving:

  • $ aws guardduty create-detector --enable --region <region>
  • $ aws guardduty list-findings --detector-id <detector-id>
  • $ aws kms encrypt --key-id <kms-key-id> --plaintext fileb://<findings-file>
  • $ aws s3 cp <encrypted-findings-file> s3://<your-secure-bucket>/findings-archive/ --sse aws:kms --sse-kms-key-id <kms-key-id>
  • $ aws s3api put-bucket-lifecycle-configuration --bucket <your-secure-bucket> --lifecycle-configuration file://lifecycle.json
  • $ aws cloudwatch put-metric-alarm --alarm-name "GuardDutyFindingsDetected" --metric-name "FindingsDetected" --namespace "AWS/GuardDuty" ...
  • $ aws configservice put-config-rule --config-rule file://guardduty-config-rule.json

Final Points

The policy for the archival of Amazon GuardDuty findings must not only be well-implemented but also continuously and effectively monitored for FedRAMP Moderate Revision 4 compliance. By following the above steps and commands, you can streamline the process of securing, archiving, and monitoring GuardDuty findings to maintain a robust security stance. Regularly reviewing and updating these practices will help to ensure ongoing adherence to FedRAMP requirements.
