
Rule for GuardDuty Findings Archiving

Follow this rule to ensure proper archiving of GuardDuty findings.

Rule: GuardDuty findings should be archived
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule/Policy: GuardDuty findings archiving for FedRAMP Moderate Revision 4

Description:

This rule ensures that findings from AWS GuardDuty, a threat detection service, are properly archived in compliance with the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 requirements. By archiving the GuardDuty findings, the organization can maintain a comprehensive record of security events and demonstrate adherence to the FedRAMP compliance standards.

Troubleshooting Steps:

If the GuardDuty findings are not getting properly archived, the following troubleshooting steps can be performed:

  1. Verify GuardDuty service activation: Ensure that GuardDuty is activated in the AWS account where the findings need to be archived. If not, activate GuardDuty by following these steps:

    • Open the AWS Management Console.
    • Go to the GuardDuty service.
    • Click on "Enable GuardDuty" and follow the on-screen instructions to activate the service.

  2. Check IAM permissions: Confirm that the IAM (Identity and Access Management) role used for archiving the GuardDuty findings has the necessary permissions. The role should have appropriate permissions to access, encrypt, and store the findings securely in a compliant manner.

  3. Verify S3 bucket configuration: Ensure that the S3 bucket used for archiving the GuardDuty findings is properly configured. The bucket should have the appropriate access control settings, encryption configured, and versioning enabled to maintain a historical record of the findings.

  4. Check CloudTrail logging: Validate that CloudTrail logging is enabled in the AWS account. CloudTrail records and logs API activity, which is essential for monitoring and auditing GuardDuty findings archiving.

Necessary Codes:

No specific codes are required for this rule. However, configuring and maintaining the following AWS services in compliance with FedRAMP Moderate Revision 4 may be necessary:

  • AWS GuardDuty: Activate and configure GuardDuty in the AWS account.
  • IAM (Identity and Access Management): Define and assign the necessary IAM roles and permissions for accessing and archiving GuardDuty findings.
  • S3 (Simple Storage Service): Configure an S3 bucket with appropriate access control settings, encryption, and versioning.
  • AWS CloudTrail: Enable logging to record and log API activities associated with GuardDuty findings archiving.

Step-by-Step Guide for Remediation:

To adhere to the GuardDuty findings archiving requirements for FedRAMP Moderate Revision 4, follow these step-by-step instructions:

  1. Activate GuardDuty:

    • Open the AWS Management Console.
    • Navigate to the GuardDuty service.
    • Click on "Enable GuardDuty" and follow the on-screen instructions to activate the service.

  2. Configure IAM roles and permissions:

    • Open the IAM service in the AWS Management Console.
    • Create an IAM role or update an existing role with the necessary permissions for accessing and archiving GuardDuty findings. Ensure the role has permissions to access GuardDuty, read findings, and store them securely in an S3 bucket.
    • Attach the IAM role to the relevant users, groups, or services to allow them to perform archiving operations.

  3. Configure an S3 bucket for findings archiving:

    • Open the S3 service in the AWS Management Console.
    • Create a new S3 bucket or choose an existing one to store the GuardDuty findings.
    • Configure the bucket's access control settings to restrict public access and provide appropriate access to the required IAM roles.
    • Enable encryption on the bucket to ensure the data is encrypted at rest.
    • Enable versioning on the bucket to maintain a historical record of the findings.

  4. Enable CloudTrail logging:

    • Open the CloudTrail service in the AWS Management Console.
    • Ensure that CloudTrail logging is enabled for the AWS account.
    • Verify that the generated CloudTrail logs capture the API activities related to GuardDuty findings and archiving.

  5. Periodically review and validate:

    • Regularly review the archived GuardDuty findings in the designated S3 bucket to ensure they are getting stored properly.
    • Perform tests and checks to validate that the archiving process is functioning as expected.
    • Monitor CloudTrail logs and other relevant logs to ensure all relevant activities are recorded.

By following these steps, the GuardDuty findings will be archived in compliance with the FedRAMP Moderate Revision 4 requirements, providing a secure and auditable record of security events.
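As an added example (not part of this rule page or of Cloud Defense's own tooling), the following Python evaluates the checklist above: detector enabled, public access blocked, default encryption set, versioning on. It works on dictionaries shaped like the responses of boto3's `get_detector`, `get_public_access_block`, `get_bucket_encryption` and `get_bucket_versioning`; the sample responses are constructed, and a live run would substitute the real client calls for them.

```python
"""Evaluate GuardDuty archive-bucket prerequisites (added example).

Assumption: input dicts match the boto3 response shapes named above.
"""
from typing import Any

REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def check_detector(resp: dict[str, Any]) -> list[str]:
    """GuardDuty must be enabled, otherwise nothing is produced to archive."""
    return [] if resp.get("Status") == "ENABLED" else ["GuardDuty detector not ENABLED"]


def check_public_access_block(resp: dict[str, Any]) -> list[str]:
    """Every one of the four block-public-access switches must be on."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return [f"{k} is off" for k in REQUIRED_PAB if not cfg.get(k)]


def check_encryption(resp: dict[str, Any]) -> list[str]:
    """A default SSE rule (SSE-S3 or SSE-KMS) must exist on the bucket."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    return [] if algos & {"AES256", "aws:kms"} else ["no default server-side encryption"]


def check_versioning(resp: dict[str, Any]) -> list[str]:
    """Versioning is 'Enabled'; a bucket never versioned returns no Status key."""
    return [] if resp.get("Status") == "Enabled" else ["versioning not Enabled"]


def evaluate(detector, pab, enc, ver) -> dict[str, list[str]]:
    """Return only the failing checks, keyed by control name."""
    results = {"guardduty": check_detector(detector),
               "public_access": check_public_access_block(pab),
               "encryption": check_encryption(enc),
               "versioning": check_versioning(ver)}
    return {name: issues for name, issues in results.items() if issues}


# Constructed sample responses; not from a real account.
GOOD_DETECTOR = {"Status": "ENABLED", "FindingPublishingFrequency": "FIFTEEN_MINUTES"}
GOOD_PAB = {"PublicAccessBlockConfiguration": {k: True for k in REQUIRED_PAB}}
GOOD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
     "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
GOOD_VER = {"Status": "Enabled"}
BAD_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
           "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
BAD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": []}}
BAD_VER = {}  # never configured: boto3 omits Status entirely
```

In a real account, wrap each client call in a handler for `ClientError` with code `ServerSideEncryptionConfigurationNotFoundError` or `NoSuchPublicAccessBlockConfiguration` and treat that as an empty response, which the checks above already score as a failure.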
