
Rule: GuardDuty findings should be archived

This rule specifies that GuardDuty findings must be properly archived for compliance.

Rule: GuardDuty findings should be archived
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule: Archive GuardDuty Findings for FedRAMP Moderate Revision 4

Description:

As per the FedRAMP Moderate Revision 4 compliance requirement, all GuardDuty findings must be archived to ensure auditability, historical analysis, and compliance with federal regulations. By archiving GuardDuty findings, organizations can retain and review the information related to potential threats or security incidents.

Troubleshooting Steps:

There are no specific troubleshooting steps for this rule/policy. However, if you encounter any issues during the archival process, it is recommended to consult the AWS documentation or contact your organization's AWS support team for assistance.

Necessary Codes:

No specific codes are required for this rule/policy. However, organizations can leverage AWS services and features such as Amazon S3, AWS Lambda, and AWS CloudFormation to automate the archival process and maintain compliance with FedRAMP requirements.

Step-by-Step Guide for Archiving GuardDuty Findings:

Step 1: Set Up an S3 Bucket for Archiving

  1. Log in to the AWS Management Console.
  2. Open the Amazon S3 service.
  3. Create a new S3 bucket dedicated to storing GuardDuty findings.
  4. Configure the bucket's access control settings and permissions to ensure appropriate access for authorized personnel only. Follow AWS best practices for secure bucket configuration.

Step 2: Enable GuardDuty Findings to be Archived

  1. Open the Amazon GuardDuty service in the AWS Management Console.
  2. Select the target GuardDuty detector.
  3. Click on "Settings" in the left navigation pane.
  4. Enable the "Archive Findings" option.
  5. Specify the previously created S3 bucket as the destination for the archived findings.
  6. Configure any additional settings as per organizational requirements, such as encryption at rest for archived findings.

Step 3: Set Up Automation Using AWS Lambda (Optional)

  1. Open the AWS Lambda service in the AWS Management Console.
  2. Create a new Lambda function using the desired runtime environment (e.g., Python, Node.js).
  3. Define the function's execution role with appropriate permissions to access GuardDuty findings and write data to the S3 bucket.
  4. Implement the necessary code logic within the Lambda function to automate the archival process. This may include periodic triggering, filtering, or formatting of the GuardDuty findings before archiving them to the S3 bucket. Refer to AWS documentation for sample code and best practices.
  5. Save and publish the Lambda function.

Step 4: Schedule Lambda Function Execution (Optional)

  1. Open the AWS CloudWatch service in the AWS Management Console.
  2. Create a new scheduled rule to trigger the Lambda function.
  3. Specify the desired schedule frequency for executing the Lambda function (e.g., daily, weekly).
  4. Configure any additional settings such as error handling and logging as per organizational requirements.
  5. Save the CloudWatch rule.

Conclusion:

By following the above step-by-step guide, organizations can ensure the required archival of GuardDuty findings. This helps to meet the FedRAMP Moderate Revision 4 compliance requirements, maintaining a secure and auditable environment. Regularly review the archived findings for analysis and take necessary actions to mitigate any identified threats or security incidents.
