
Rule: GuardDuty should be enabled

Ensure compliance by enabling GuardDuty to enhance security measures.

Rule: GuardDuty should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description

This rule ensures that GuardDuty, a threat detection service provided by Amazon Web Services (AWS), is enabled for NIST 800-171 Revision 2 compliance. NIST 800-171 is a set of guidelines established by the National Institute of Standards and Technology (NIST) that outlines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems.

When GuardDuty is enabled, it continuously monitors the activity in your AWS accounts and raises findings for potentially malicious or unauthorized behavior. By enabling GuardDuty for NIST 800-171 Revision 2, organizations can strengthen their security posture and meet the required standards for protecting sensitive information.

Remediation Steps

To remediate this issue and enable GuardDuty for NIST 800-171 Revision 2 compliance, follow the steps below:

Step 1: Access AWS Management Console

  1. Open a web browser and navigate to the AWS Management Console (console.aws.amazon.com).

Step 2: Navigate to GuardDuty in the AWS Console

  1. In the AWS Management Console, type "GuardDuty" in the search bar at the top.
  2. Click on the "GuardDuty" service when it appears in the search results.

Step 3: Enable GuardDuty

  1. In the GuardDuty console, click on the "Get started" button to enable GuardDuty if it is not already enabled.
  2. Choose the AWS Region where you want to enable GuardDuty (e.g., US East). GuardDuty is enabled per Region, so repeat this step in every Region your account uses.
  3. Click on the "Enable GuardDuty" button.

Step 4: Set Up Organizations Integration (Optional)

  1. On the GuardDuty console, click on the "Settings" tab.
  2. If your AWS account is part of an AWS Organization, click on the "Enable" button under the "GuardDuty Integration" section to enable Organizations integration.
  3. Follow the prompts to complete the integration.

Note: Organizations integration allows you to enable GuardDuty centrally for all accounts within your organization, making it easier to manage and monitor security across multiple AWS accounts.
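Steps 1 through 4 are console clicks; the same check and remediation, scripted, follows as an added example that is not part of this page or of the Cloud Defense or AWS tooling. It assumes the boto3 GuardDuty client methods list_detectors, get_detector, update_detector and create_detector (with their documented response shapes) and the EC2 describe_regions call; the FakeGuardDuty class and its detector ids are constructed sample data so the functions can be exercised offline. It goes beyond the single Region chosen in Step 3 by auditing every enabled Region in the account, because GuardDuty is enabled per Region and a Region with no detector (or a suspended one) is non-compliant.

```python
# Added example (not Cloud Defense's or AWS's own code): audit whether GuardDuty is
# enabled in each Region of an account and enable it where it is not.
# Assumes the boto3 GuardDuty client methods list_detectors, get_detector,
# update_detector and create_detector with their documented response shapes.
from typing import Callable, Dict, List, Optional


def region_is_compliant(gd) -> bool:
    """True if this Region has a GuardDuty detector whose status is ENABLED.

    An account has at most one detector per Region, so ListDetectors is not paginated here.
    """
    detector_ids = gd.list_detectors().get("DetectorIds", [])
    return any(gd.get_detector(DetectorId=d)["Status"] == "ENABLED" for d in detector_ids)


def ensure_enabled(gd) -> str:
    """Remediate one Region: re-enable a suspended detector or create a new one.

    Returns the id of the detector that is now enabled.
    """
    for detector_id in gd.list_detectors().get("DetectorIds", []):
        if gd.get_detector(DetectorId=detector_id)["Status"] != "ENABLED":
            gd.update_detector(DetectorId=detector_id, Enable=True)
        return detector_id
    created = gd.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
    return created["DetectorId"]


def audit_regions(client_for_region: Callable[[str], object], regions: List[str]) -> Dict[str, bool]:
    """Map each Region name to whether GuardDuty is enabled there."""
    return {region: region_is_compliant(client_for_region(region)) for region in regions}


class FakeGuardDuty:
    """Constructed in-memory stand-in for a boto3 GuardDuty client, so the functions above
    can be exercised offline. Holds {detector_id: status} and records write calls."""

    def __init__(self, detectors: Optional[Dict[str, str]] = None):
        self.detectors = dict(detectors or {})
        self.writes: List[tuple] = []

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def get_detector(self, DetectorId):
        return {"Status": self.detectors[DetectorId]}

    def update_detector(self, DetectorId, Enable, **_):
        self.detectors[DetectorId] = "ENABLED" if Enable else "DISABLED"
        self.writes.append(("update_detector", DetectorId))
        return {}

    def create_detector(self, Enable, **_):
        new_id = f"constructed-detector-{len(self.detectors) + 1}"
        self.detectors[new_id] = "ENABLED" if Enable else "DISABLED"
        self.writes.append(("create_detector", new_id))
        return {"DetectorId": new_id}


if __name__ == "__main__":
    # Live run against the caller's credentials: reads every enabled Region from EC2
    # and reports GuardDuty status; pass --fix to remediate non-compliant Regions.
    import sys
    import boto3

    session = boto3.Session()
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    clients = {r: session.client("guardduty", region_name=r) for r in regions}
    for region, ok in sorted(audit_regions(clients.__getitem__, regions).items()):
        if not ok and "--fix" in sys.argv:
            print(f"{region:16} enabling -> {ensure_enabled(clients[region])}")
        else:
            print(f"{region:16} {'ENABLED' if ok else 'NOT ENABLED'}")
```

The live run needs the guardduty:ListDetectors and guardduty:GetDetector permissions to audit, and guardduty:CreateDetector / guardduty:UpdateDetector to remediate; a permission error here is the same IAM problem described under Troubleshooting below. In an Organization, run the audit from the delegated administrator account (or loop over member accounts with assumed roles) rather than account by account.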

Step 5: Review and Tune GuardDuty Settings

  1. Once GuardDuty is enabled, review the various settings and configure them according to your requirements.
  2. Pay attention to the "Finding types" section, where you can choose which types of findings GuardDuty should detect.
  3. Ensure that GuardDuty is configured to detect the specific findings related to NIST 800-171 Revision 2 compliance.

Step 6: Configure Notification and Automated Remediation

  1. GuardDuty can send notifications for detected findings via Amazon SNS (Simple Notification Service) or through CloudWatch Events (now Amazon EventBridge).
  2. Configure notifications based on your preferred method to promptly receive alerts about potential security threats.
  3. Additionally, consider setting up automated remediation actions based on specific findings to mitigate risks automatically.

Troubleshooting

In the process of enabling GuardDuty for NIST 800-171 Revision 2, common issues that may arise include:

1. Permission Errors

If you encounter permission errors while enabling GuardDuty, ensure that your AWS account has the necessary permissions. This can be resolved by verifying that the required IAM (Identity and Access Management) policies are in place.

2. Multiple AWS Accounts

If you have multiple AWS accounts and want to enable GuardDuty across all accounts, ensure that you have enabled GuardDuty at the organization level (if applicable). This way, you can centrally manage GuardDuty settings and receive findings from all linked accounts.

3. Configuring Incorrect Finding Types

Make sure you review and understand the various finding types that GuardDuty supports. Select the appropriate finding types related to NIST 800-171 Revision 2 compliance to ensure that GuardDuty detects the desired security events. Incorrectly configuring finding types may result in missed detections or excessive false positives.

If you encounter any other issues or need further assistance, refer to the AWS GuardDuty documentation or contact AWS Support for guidance.
