This rule requires GuardDuty to be enabled, supporting compliance with the Risk Assessment (RA) control family; it is rated High severity.
Rule: GuardDuty should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: High
Rule/Policy: GuardDuty Enablement for FedRAMP Moderate Revision 4
Description:
This rule dictates that GuardDuty must be enabled for systems that fall under the FedRAMP (Federal Risk and Authorization Management Program) Moderate baseline, specifically adhering to Revision 4 requirements. GuardDuty is an intelligent threat detection service offered by AWS that helps in safeguarding AWS accounts, detecting suspicious activities, and protecting against known and unknown threats.
Troubleshooting Steps:
If GuardDuty is not yet enabled for systems under the FedRAMP Moderate Revision 4 baseline, follow these troubleshooting steps:
Verify the System Baseline: Confirm that the system falls under the FedRAMP Moderate baseline as defined in Revision 4. Review the system documentation and requirements to confirm the system's classification.
Check GuardDuty Service Status: Verify whether GuardDuty is enabled for your AWS account, either in the AWS Management Console or with AWS CLI (Command Line Interface) commands.
AWS Management Console:
AWS CLI Command:
aws guardduty list-detectors
Enable GuardDuty: If GuardDuty is not already enabled, follow the steps below to enable it.
AWS Management Console:
AWS CLI Command:
aws guardduty create-detector --enable
Note: Ensure that you have the necessary permissions to enable GuardDuty for the AWS account.
Configure GuardDuty Settings: After enabling GuardDuty for the account, review and configure the necessary settings according to the FedRAMP Moderate Revision 4 requirements. This includes setting up appropriate detection thresholds, defining notification channels, and configuring appropriate response actions.
Refer to the GuardDuty documentation for detailed steps on configuring GuardDuty settings.
Remediation Steps:
To enable GuardDuty for systems under the FedRAMP Moderate Revision 4 baseline, follow the steps below:
Determine the AWS account to enable GuardDuty for: Identify the AWS account associated with the system that requires GuardDuty to be enabled.
Enable GuardDuty: Use the following AWS CLI command to enable GuardDuty for the AWS account.
aws guardduty create-detector --enable
Note: Ensure that you have the necessary permissions to enable GuardDuty for the AWS account.
Configure GuardDuty: After enabling GuardDuty, configure the necessary settings to comply with the FedRAMP Moderate Revision 4 requirements. This involves setting up appropriate detection thresholds, defining notification channels, and configuring response actions.
Refer to the GuardDuty documentation for detailed steps on configuring GuardDuty settings.
Monitor and Respond to GuardDuty Findings: Regularly review the GuardDuty findings and take necessary actions based on the severity of the findings. Implement the appropriate remediation steps recommended by GuardDuty to mitigate potential threats or vulnerabilities.
Refer to the GuardDuty documentation for guidance on monitoring and responding to GuardDuty findings.
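The check and remediation steps above can be scripted. The following is an added example, not part of the original rule text and not an AWS-provided tool. It evaluates the responses of `aws guardduty list-detectors` and `aws guardduty get-detector` for one region, because a detector can exist yet be suspended (Status DISABLED), which `list-detectors` alone does not reveal; it then returns the CLI command that brings the region into compliance (`create-detector --enable` when no detector exists, `update-detector --enable` when one exists but is disabled). GuardDuty is enabled per region, so the check must be repeated for every region in scope. The detector IDs and API responses below are constructed sample data; `check_live_region` assumes boto3 and valid AWS credentials and is only invoked when the script is run directly.

```python
"""Evaluate the 'GuardDuty should be enabled' rule for one AWS region."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class GuardDutyRegionStatus:
    region: str
    detector_id: Optional[str]   # None when the region has no detector at all
    status: Optional[str]        # "ENABLED", "DISABLED", or None when no detector exists

    @property
    def compliant(self) -> bool:
        # Only an existing *and* enabled detector satisfies the rule.
        return self.status == "ENABLED"


def evaluate_region(region: str,
                    list_detectors_response: dict,
                    get_detector_responses: Dict[str, dict]) -> GuardDutyRegionStatus:
    """Combine list-detectors output with the get-detector detail of each detector.

    list_detectors_response: the JSON returned by `aws guardduty list-detectors`.
    get_detector_responses: detector id -> JSON returned by `aws guardduty get-detector`.
    """
    detector_ids: List[str] = list_detectors_response.get("DetectorIds", [])
    if not detector_ids:
        return GuardDutyRegionStatus(region, None, None)
    # GuardDuty allows a single detector per region, so the first id is the only one.
    detector_id = detector_ids[0]
    detail = get_detector_responses.get(detector_id, {})
    return GuardDutyRegionStatus(region, detector_id, detail.get("Status"))


def remediation_commands(status: GuardDutyRegionStatus) -> List[str]:
    """Return the AWS CLI command(s) that make a non-compliant region compliant."""
    if status.compliant:
        return []
    if status.detector_id is None:
        # No detector at all: create one, enabled, as the rule's remediation step says.
        return [f"aws guardduty create-detector --enable --region {status.region}"]
    # Detector exists but is suspended: re-enable it rather than creating a second one.
    return [f"aws guardduty update-detector --detector-id {status.detector_id} "
            f"--enable --region {status.region}"]


def check_live_region(region: str) -> GuardDutyRegionStatus:
    """Query a real account (assumes boto3 and credentials; not used by the offline checks)."""
    import boto3  # imported lazily so the offline evaluation has no dependency on it
    gd = boto3.client("guardduty", region_name=region)
    listed = gd.list_detectors()
    details = {d: gd.get_detector(DetectorId=d) for d in listed.get("DetectorIds", [])}
    return evaluate_region(region, listed, details)


# Constructed sample responses (detector ids are placeholders, not real values).
SAMPLE_ENABLED_ID = "12abc34d567e8fa901bc2d34e56789f0"
SAMPLE_LIST_ENABLED = {"DetectorIds": [SAMPLE_ENABLED_ID]}
SAMPLE_DETAILS_ENABLED = {
    SAMPLE_ENABLED_ID: {"Status": "ENABLED", "FindingPublishingFrequency": "SIX_HOURS"},
}

SAMPLE_DISABLED_ID = "98fed76c543b2a109fe8d76c54321b0a"
SAMPLE_LIST_DISABLED = {"DetectorIds": [SAMPLE_DISABLED_ID]}
SAMPLE_DETAILS_DISABLED = {
    SAMPLE_DISABLED_ID: {"Status": "DISABLED", "FindingPublishingFrequency": "SIX_HOURS"},
}

SAMPLE_LIST_EMPTY = {"DetectorIds": []}   # what a region with no detector returns


def evaluate_samples() -> Dict[str, GuardDutyRegionStatus]:
    """Run the evaluator over the three constructed cases."""
    return {
        "enabled": evaluate_region("us-east-1", SAMPLE_LIST_ENABLED, SAMPLE_DETAILS_ENABLED),
        "disabled": evaluate_region("us-west-2", SAMPLE_LIST_DISABLED, SAMPLE_DETAILS_DISABLED),
        "missing": evaluate_region("eu-west-1", SAMPLE_LIST_EMPTY, {}),
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        verdict = "COMPLIANT" if result.compliant else "NON-COMPLIANT"
        print(f"[{name}] {result.region}: {verdict}")
        for cmd in remediation_commands(result):
            print(f"    remediation: {cmd}")
```

Running the script prints the verdict for each constructed case; swapping `evaluate_samples` for `check_live_region` on each region in scope turns it into the actual check. The `update-detector` branch matters for audits: re-creating a detector is not possible while a suspended one exists, so the remediation must re-enable it.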
By following these steps, you will successfully enable GuardDuty for systems falling under the FedRAMP Moderate Revision 4 baseline, helping to enhance the security posture and threat detection capabilities of the AWS environment.