Rule: GuardDuty findings should be archived
This rule ensures that GuardDuty findings are properly archived for future reference and analysis.
| Rule | GuardDuty findings should be archived |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Medium |
GuardDuty Findings Archive Policy for FedRAMP Moderate Revision 4
Overview
Under the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4, cloud service providers must implement specific security controls. One of these controls pertains to the archiving of security findings, such as those produced by Amazon GuardDuty. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads. For compliance, findings from this service should be preserved in a secure and non-alterable format.
Archiving Process
Step 1: Enable GuardDuty
Ensure that Amazon GuardDuty is enabled in your AWS account. If not already done, enable GuardDuty from the AWS Management Console or using the AWS CLI:
aws guardduty create-detector --enable --region <region>
Step 2: Store Findings
GuardDuty findings must be exported and stored securely. The process typically involves several steps including exporting the findings, encrypting the data, and storing it in a compliant storage solution such as Amazon S3.
Exporting Findings
You can use the AWS CLI to export findings:
aws guardduty list-findings --detector-id <detector-id>
Encrypting Data
Use AWS Key Management Service to encrypt the exported findings:
aws kms encrypt --key-id <kms-key-id> --plaintext fileb://<findings-file>
Storing in S3
Upload the encrypted file to an Amazon S3 bucket with the appropriate permissions and lifecycle policies:
aws s3 cp <encrypted-findings-file> s3://<your-secure-bucket>/findings-archive/
Step 3: Set Retention Policies
FedRAMP compliance requires setting retention policies for archived data. Configure the S3 bucket lifecycle policy to retain these findings for the required duration:
aws s3api put-bucket-lifecycle-configuration --bucket <your-secure-bucket> --lifecycle-configuration file://lifecycle.json
The
lifecycle.jsonMonitoring and Compliance Automation
Enable CloudWatch Alarms
Set up CloudWatch alarms to monitor GuardDuty and ensure it remains operational:
aws cloudwatch put-metric-alarm --alarm-name "GuardDutyFindingsDetected" --metric-name "FindingsDetected" --namespace "AWS/GuardDuty" --statistic Sum --period 300 --evaluation-periods 1 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --treat-missing-data missing
Enable AWS Config Rules
Implement AWS Config rules to automatically check the compliance of your resources:
aws configservice put-config-rule --config-rule file://guardduty-config-rule.json
Your
guardduty-config-rule.jsonRemediation Steps
Address Non-compliance
Should a GuardDuty finding indicate non-compliance, perform the following:
- 1.Investigate the finding and identify the root cause.
- 2.Take corrective actions as per your cybersecurity incident response plan.
- 3.Document the incident, actions taken, and any lessons learned.
Regular Audits
Conduct regular audits to ensure that the archiving process continues to meet FedRAMP standards.
CLI Command Summary
These commands are examples of how to interact with various AWS Services for compliance with GuardDuty findings archiving:
$ aws guardduty create-detector --enable --region <region>$ aws guardduty list-findings --detector-id <detector-id>$ aws kms encrypt --key-id <kms-key-id> --plaintext fileb://<findings-file>$ aws s3 cp <encrypted-findings-file> s3://<your-secure-bucket>/findings-archive/$ aws s3api put-bucket-lifecycle-configuration --bucket <your-secure-bucket> --lifecycle-configuration file://lifecycle.json$ aws cloudwatch put-metric-alarm --alarm-name "GuardDutyFindingsDetected" --metric-name "FindingsDetected" --namespace "AWS/GuardDuty" ...$ aws configservice put-config-rule --config-rule file://guardduty-config-rule.json
Final Points
The policy for the archival of Amazon GuardDuty findings must not only be well-implemented but also continuously and effectively monitored for FedRAMP Moderate Revision 4 compliance. By following the above steps and commands, you can streamline the process of securing, archiving, and monitoring GuardDuty findings to maintain a robust security stance. Regularly reviewing and updating these practices will help to ensure ongoing adherence to FedRAMP requirements.