Rule: GuardDuty Should Be Enabled
This rule emphasizes the importance of enabling GuardDuty for enhanced cybersecurity.
| Rule | GuardDuty should be enabled |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | ✔ High |
Rule Description
The rule requires enabling GuardDuty, a threat detection service provided by Amazon Web Services (AWS), specifically for Federal Financial Institutions Examination Council (FFIEC) entities. Enabling GuardDuty will enhance the security posture of FFIEC institutions by detecting and alerting on potential security threats within the AWS environment.
Troubleshooting Steps (if any)
In case there are issues while enabling GuardDuty for FFIEC, follow the troubleshooting steps below to address and resolve any potential issues:
- 1.
Ensure AWS Account Permissions: Check if your AWS account has the necessary permissions to enable GuardDuty. Make sure the account is part of the necessary IAM groups or has the required IAM policies attached to it.
- 2.
Verify Region Compatibility: Ensure that GuardDuty is available in the AWS region where your FFIEC infrastructure is hosted. GuardDuty is available in multiple AWS regions, but it's always recommended to verify its compatibility with your specific region.
- 3.
Check Account Status: Confirm that your AWS account is active and in good standing. GuardDuty may not be available for inactive accounts or those with compliance issues.
- 4.
Review Service Limits: GuardDuty has service limits based on the type of AWS account. Check if your account has exceeded any of the GuardDuty service limits. If you encounter any limits, consider requesting an increase from AWS Support.
- 5.
Verify VPC Flow Logs: GuardDuty uses VPC Flow Logs for traffic analysis and threat detection. Ensure that VPC Flow Logs are enabled for the appropriate VPCs, subnets, or network interfaces within your AWS environment. Without proper VPC Flow Logs, GuardDuty may not function effectively.
- 6.
Review IAM Role Permission: Confirm that the IAM role assigned to your GuardDuty instance has appropriate permissions to access necessary AWS services, including CloudTrail, CloudWatch, and VPC Flow Logs. Inadequate permissions could lead to issues with activating or utilizing GuardDuty.
- 7.
Evaluate GuardDuty Integration: In case you have integrated GuardDuty with third-party security solutions, confirm that the integration is properly configured and the required settings are in place.
- 8.
Consult AWS Support: If the above troubleshooting steps do not resolve the issue, consider reaching out to AWS Support for further assistance and guidance.
Necessary Codes (if any)
There are no specific codes provided for enabling GuardDuty for FFIEC. Configuration and activation are performed through the AWS Management Console or AWS Command Line Interface (CLI). However, you may need to execute some CLI commands for troubleshooting or customization purposes, as outlined below.
CLI Command for Enabling GuardDuty
To enable GuardDuty in your AWS environment, the following AWS CLI command can be used:
aws guardduty create-detector --enable --finding-publishing-frequency FINDING_FREQUENCY
- Replace FINDING_FREQUENCY with the desired frequency at which GuardDuty should publish new findings. Valid options are
,FIFTEEN_MINUTES
, andONE_HOUR
.SIX_HOURS
Please note that you need to have the AWS CLI configured and appropriate IAM permissions to execute the above command.
Step-by-Step Guide for Remediation
Follow the step-by-step guide below to enable GuardDuty for FFIEC entities in your AWS environment:
- 1.
Log in to the AWS Management Console using your AWS account credentials.
- 2.
Navigate to the GuardDuty service by either searching for "GuardDuty" in the AWS Management Console search bar or locating it under the "Security, Identity & Compliance" section.
- 3.
On the GuardDuty dashboard, click on "Get started" if you are enabling GuardDuty for the first time. Otherwise, proceed to the next step.
- 4.
In the GuardDuty console, click on the "Enable GuardDuty" button to start the activation process.
- 5.
Select the AWS region where your FFIEC infrastructure is located from the dropdown menu.
- 6.
Choose the desired frequency at which GuardDuty should publish new findings. This depends on your requirements, but it's typically recommended to select "FIFTEEN_MINUTES" for more real-time detection.
- 7.
Click on the "Enable GuardDuty" button to complete the activation process.
- 8.
GuardDuty is now enabled for FFIEC entities in your AWS environment. You will start receiving threat detection findings for potential security issues within your account.
- 9.
Optionally, you can customize and fine-tune GuardDuty settings based on your specific requirements. This includes adjusting the S3 data event threshold, disabling or enabling specific finding types, or integrating GuardDuty with other security solutions.
- 10.
Regularly monitor the GuardDuty findings and take necessary actions to remediate any identified security threats or vulnerabilities.
Conclusion
Enabling GuardDuty for FFIEC institutions enhances the security posture of AWS environments by providing automated threat detection. Follow the troubleshooting steps if any issues arise during the enabling process, and use the provided CLI commands for customization or troubleshooting purposes. The step-by-step guide ensures a smooth and effective activation of GuardDuty within your AWS environment for FFIEC compliance.