Enable GuardDuty Rule

This rule focuses on enabling GuardDuty to enhance security measures and compliance within the system.

Rule: GuardDuty should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

GuardDuty is a threat detection service offered by AWS that continuously monitors your AWS accounts for malicious activities and unauthorized access. Enabling GuardDuty for NIST 800-171 Revision 2 helps you comply with the security requirements outlined in this compliance framework.

Remediation Steps:

Step 1: Enable GuardDuty

  1. Log in to the AWS Management Console.

  2. Navigate to the GuardDuty service.

     Note: If you have not enabled GuardDuty before, you may need to follow the on-screen prompts to set it up.

  3. Click on "Enable GuardDuty" to enable it for your AWS account.

Step 2: Configure GuardDuty for NIST 800-171 Revision 2

  1. In the GuardDuty console, click on "Findings" in the left-hand menu.

  2. Click on "Create filter" to set up a filter for NIST 800-171 Revision 2.

     Note: Filters help you focus on specific types of findings based on severity, resource type, or other properties.

  3. In the "Create filter" dialog, configure the following settings:

     • Filter name: Provide a descriptive name for the filter (e.g., NIST 800-171).

     • Filter type: Select "Custom".

     • Filter criteria: Set the criteria to meet the requirements of NIST 800-171 Revision 2. This may include specific keywords, patterns, or attributes associated with the NIST controls.

     Note: Consult the NIST 800-171 Revision 2 documentation to identify the specific controls and requirements you need to address.

  4. Click on "Save filter" to save the filter configuration.

Step 3: Configure GuardDuty Actions

  1. In the GuardDuty console, click on "Findings" in the left-hand menu.

  2. Click on "Actions" and then "Manage actions" to define the response actions for GuardDuty findings.

     Note: Response actions are triggered based on the severity and category of findings detected by GuardDuty.

  3. Configure the appropriate response actions for NIST 800-171 Revision 2 findings. This may include sending notifications, creating CloudWatch Events, or triggering Lambda functions to remediate specific issues.

     Note: Ensure that the response actions align with the requirements and recommendations of NIST 800-171 Revision 2.

Step 4: Monitor GuardDuty Findings

  1. In the GuardDuty console, click on "Findings" in the left-hand menu.

  2. Review the findings generated by GuardDuty regularly to identify any potential security risks or unauthorized activities.

     Note: GuardDuty provides a dashboard, real-time alerts, and detailed reports to help you analyze and respond to findings effectively.

  3. Investigate any findings related to NIST 800-171 Revision 2 and take appropriate actions to mitigate the risks or address non-compliance.

Troubleshooting Steps:

If there are any issues or unexpected behavior with GuardDuty or the configuration for NIST 800-171 Revision 2, follow these troubleshooting steps:

  1. Verify that GuardDuty is enabled for your AWS account and properly configured.
  2. Check the filter configuration for NIST 800-171 Revision 2 to ensure it aligns with the specific requirements and controls.
  3. Review the GuardDuty actions and make sure they are correctly set up to respond to findings related to NIST 800-171 Revision 2.
  4. Confirm that you have access to the appropriate resources, services, and permissions required for GuardDuty to function effectively.
  5. If the troubleshooting steps above do not resolve the issue, consult the AWS documentation or contact AWS Support for further assistance.
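
The verification in troubleshooting step 1, as an added example that is not part of the original page or the vendor's own tooling: GuardDuty is a regional service, so the rule is evaluated per region from the list-detectors and get-detector API responses. `FakeGuardDuty`, `SAMPLE` and the detector ids are constructed stand-ins so the script runs offline; using it against a live account assumes boto3 and configured credentials.

```python
"""Evaluate the 'GuardDuty should be enabled' rule, region by region."""
from typing import Callable, Dict, Iterable


def evaluate_region(list_resp: dict, get_detector: Callable[[str], dict]) -> str:
    """Verdict for one region from list-detectors / get-detector responses."""
    ids = list_resp.get("DetectorIds", [])
    if not ids:
        return "FAIL: no detector, GuardDuty was never enabled here"
    for detector_id in ids:
        if get_detector(detector_id).get("Status") == "ENABLED":
            return "PASS"
    return "FAIL: detector exists but Status is not ENABLED"


def evaluate_account(regions: Iterable[str], client_for) -> Dict[str, str]:
    """client_for(region) returns an object exposing the boto3 GuardDuty
    client methods list_detectors() and get_detector(DetectorId=...)."""
    results = {}
    for region in regions:
        gd = client_for(region)
        results[region] = evaluate_region(
            gd.list_detectors(), lambda d, gd=gd: gd.get_detector(DetectorId=d))
    return results


class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty'); sample data only."""
    def __init__(self, detectors: Dict[str, str]):
        self._detectors = detectors
    def list_detectors(self) -> dict:
        return {"DetectorIds": list(self._detectors)}
    def get_detector(self, DetectorId: str) -> dict:
        return {"Status": self._detectors[DetectorId]}


SAMPLE = {  # constructed: region -> {detector id: status}
    "us-east-1": {"detector-aaaa": "ENABLED"},
    "us-west-2": {"detector-bbbb": "DISABLED"},  # present but switched off
    "eu-west-1": {},                             # never enabled
}


def demo() -> Dict[str, str]:
    return evaluate_account(SAMPLE, lambda r: FakeGuardDuty(SAMPLE[r]))


if __name__ == "__main__":
    for region, verdict in demo().items():
        print(f"{region}: {verdict}")
```

Against a live account, pass `lambda r: boto3.client("guardduty", region_name=r)` as `client_for` together with the list of regions in use.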

Relevant Codes (if applicable):

There are no specific codes associated with enabling GuardDuty for NIST 800-171 Revision 2. The configuration is done through the GuardDuty console.

References:

  • AWS GuardDuty Documentation: https://docs.aws.amazon.com/guardduty/
  • NIST Special Publication 800-171 Revision 2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
