
Rule: GuardDuty findings should be archived

This rule ensures archiving of GuardDuty findings for security

Rule: GuardDuty findings should be archived
Framework: NIST 800-53 Revision 4
Severity: Medium

GuardDuty Findings Archival for NIST 800-53 Revision 4

Rule Description:

To comply with NIST 800-53 Revision 4, it is important to archive the findings generated by AWS GuardDuty, a threat detection service. Archiving the findings enables organizations to maintain a historical record of security incidents and comply with regulatory requirements.

Troubleshooting Steps:

  1. Check if GuardDuty is enabled on your AWS account.
  2. Ensure that you have the necessary permissions to configure GuardDuty and access the associated S3 bucket for archival.
  3. Verify that an S3 bucket is available for storing the archived GuardDuty findings. If not, create a new S3 bucket for this purpose.

Code (AWS CLI commands):

Step 1: Enable GuardDuty (if not already enabled)

$ aws guardduty create-detector --enable

Step 2: Create an S3 bucket for archival

$ aws s3api create-bucket --bucket <bucket-name> --region <region>

Step 3: Configure GuardDuty to export findings to the S3 bucket

First set how often GuardDuty publishes updated findings (valid values are FIFTEEN_MINUTES, ONE_HOUR and SIX_HOURS):

$ aws guardduty update-detector --detector-id <detector-id> --finding-publishing-frequency SIX_HOURS

Then register the bucket as a publishing destination. GuardDuty encrypts exported findings, so a KMS key ARN is required:

$ aws guardduty create-publishing-destination --detector-id <detector-id> --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::<bucket-name>,KmsKeyArn=<kms-key-arn>

Note: Replace <bucket-name> with the name of the S3 bucket created in step 2, <region> with the desired AWS region, <detector-id> with the ID of your GuardDuty detector (see `aws guardduty list-detectors`), and <kms-key-arn> with the ARN of a KMS key GuardDuty may use. The bucket policy and the key policy must both grant the guardduty.amazonaws.com service principal permission to write findings and to encrypt with the key; otherwise the destination will not reach the PUBLISHING state.

Remediation Steps:

To archive GuardDuty findings for NIST 800-53 Revision 4 compliance, follow the steps below:

  1. Enable GuardDuty:

     • Execute the AWS CLI command mentioned in Step 1 to enable GuardDuty on your AWS account.

  2. Create an S3 bucket:

     • Execute the AWS CLI command mentioned in Step 2 to create an S3 bucket for storing the archived findings.
     • Note the name of the bucket for further steps.

  3. Configure GuardDuty to archive findings:

     • Execute the AWS CLI command mentioned in Step 3, replacing the placeholders (<bucket-name>, <detector-id> and any others shown) with the appropriate values.
     • This configures GuardDuty to publish findings to the specified S3 bucket at the chosen frequency.

  4. Verification:

     • Ensure that GuardDuty findings are being successfully archived by monitoring the S3 bucket for new findings files.
     • Review the contents of the findings files to verify that important security incidents are being captured.

By following these steps, you can archive GuardDuty findings and comply with the NIST 800-53 Revision 4 requirement.
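The verification step above can be automated against the GuardDuty API. The following is an added example, not Cloud Defense's rule engine or AWS code: it evaluates the rule from dictionaries shaped like the GetDetector and DescribePublishingDestination responses, and every sample value (detector status, destination id, bucket and KMS key ARNs) is constructed.

```python
# Added example, not Cloud Defense's rule engine: evaluate the "GuardDuty findings
# should be archived" rule from GuardDuty API data. Input shapes follow the GetDetector
# and DescribePublishingDestination responses; every sample value below is constructed.
from typing import Any, Dict, List, Optional, Tuple

VALID_FREQUENCIES = {"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}

# Constructed GetDetector response for a compliant account.
DETECTOR_OK: Dict[str, Any] = {"Status": "ENABLED", "FindingPublishingFrequency": "SIX_HOURS"}

# Constructed DescribePublishingDestination response for a working S3 export.
DESTINATIONS_OK: List[Dict[str, Any]] = [{
    "DestinationId": "dest-constructed-1",
    "DestinationType": "S3",
    "Status": "PUBLISHING",
    "DestinationProperties": {
        "DestinationArn": "arn:aws:s3:::example-guardduty-archive",
        "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/constructed-key-id",
    },
}]


def evaluate_archival(detector: Dict[str, Any], destinations: List[Dict[str, Any]],
                      expected_bucket: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). Compliant means the detector is ENABLED with a valid
    publishing frequency and at least one S3 destination is PUBLISHING, KMS-encrypted
    and, when expected_bucket is given, writing to that bucket."""
    reasons: List[str] = []
    if detector.get("Status") != "ENABLED":
        reasons.append("detector is not ENABLED")
    if detector.get("FindingPublishingFrequency") not in VALID_FREQUENCIES:
        reasons.append("finding publishing frequency is not a valid value")
    s3_dests = [d for d in destinations if d.get("DestinationType") == "S3"]
    if not s3_dests:
        reasons.append("no S3 publishing destination configured")
    for dest in s3_dests:
        dest_id = dest.get("DestinationId", "<unknown>")
        if dest.get("Status") != "PUBLISHING":  # e.g. STOPPED or PENDING_VERIFICATION
            reasons.append(f"destination {dest_id} is {dest.get('Status')}, not PUBLISHING")
        props = dest.get("DestinationProperties", {})
        arn = props.get("DestinationArn", "")
        if expected_bucket and arn != f"arn:aws:s3:::{expected_bucket}":
            reasons.append(f"destination {dest_id} writes to {arn!r}, not the archive bucket")
        if not props.get("KmsKeyArn"):
            reasons.append(f"destination {dest_id} has no KMS key for exported findings")
    return (not reasons, reasons)
```

In a live account, feed the function the output of `aws guardduty get-detector` and `aws guardduty describe-publishing-destination` for each destination id returned by `list-publishing-destinations`; a destination stuck in STOPPED or PENDING_VERIFICATION is the usual sign of a missing bucket or key policy grant.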
