
Rule: GuardDuty should be enabled

Ensure that GuardDuty is enabled as per Audit and Accountability (AU) benchmarks.

Rule: GuardDuty should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

This rule requires enabling GuardDuty, a threat detection service provided by AWS, specifically for adhering to the compliance requirements defined by the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5.

Troubleshooting Steps:

If you encounter any issues while enabling GuardDuty in compliance with NIST 800-53 Revision 5, follow these troubleshooting steps:

  1. Ensure correct AWS region: Check if you are in the correct AWS region where you want to enable GuardDuty. GuardDuty is region-specific, so it must be enabled in each desired AWS region independently.

  2. Verify IAM permissions: Ensure that the AWS Identity and Access Management (IAM) user or role you are using to enable GuardDuty has the necessary permissions. The required permissions include:

    • guardduty:CreateDetector
      - to create a GuardDuty detector
    • guardduty:EnableOrganizationAdminAccount
      - to enable GuardDuty in the organization's AWS accounts, if applicable
    • guardduty:CreatePublishingDestination
      - to create publishing destinations for findings
    • guardduty:UpdateOrganizationConfiguration
      - to manage AWS Organizations configuration for GuardDuty, if applicable

  3. Check GuardDuty status: Once GuardDuty is enabled, check the status of GuardDuty for NIST 800-53 Revision 5 compliance. The guardduty:Creating, guardduty:Enabled, and guardduty:Disabled states are possible.

    • Use the AWS Command Line Interface (CLI) command:
      aws guardduty list-detectors
      to list the detectors and check the status.
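Because GuardDuty is regional, a single list-detectors call only answers for one region. The following added example (not part of the original rule page) evaluates every in-scope region from dicts shaped like the ListDetectors and GetDetector API responses, so it runs offline on constructed sample data; the collect_live helper is an assumption that boto3 is installed and shows how to feed the same check from live accounts.

```python
from typing import Dict, List, Optional, Tuple

Responses = Tuple[dict, Optional[dict]]  # (ListDetectors, GetDetector)


def evaluate_region(list_resp: dict, get_resp: Optional[dict]) -> str:
    """Return ENABLED, DISABLED or MISSING for one region, from the
    ListDetectors response and the GetDetector response of its first
    detector (None when the region has no detector)."""
    if not list_resp.get("DetectorIds"):
        return "MISSING"                      # GuardDuty never enabled here
    status = (get_resp or {}).get("Status", "")
    return "ENABLED" if status == "ENABLED" else "DISABLED"


def audit(per_region: Dict[str, Responses]) -> List[str]:
    """Regions that fail the rule: detector absent or not ENABLED."""
    return sorted(r for r, (lst, det) in per_region.items()
                  if evaluate_region(lst, det) != "ENABLED")


def collect_live(regions: List[str]) -> Dict[str, Responses]:
    """Fetch the same responses with boto3 (assumed installed, imported
    lazily so the offline evaluation above needs no SDK). Requires
    guardduty:ListDetectors and guardduty:GetDetector."""
    import boto3
    out: Dict[str, Responses] = {}
    for region in regions:
        gd = boto3.client("guardduty", region_name=region)
        lst = gd.list_detectors()
        ids = lst.get("DetectorIds", [])
        out[region] = (lst, gd.get_detector(DetectorId=ids[0]) if ids else None)
    return out


# Constructed sample responses (placeholder detector ids, not real data).
SAMPLE: Dict[str, Responses] = {
    "us-east-1": ({"DetectorIds": ["00000000000000000000000000000001"]},
                  {"Status": "ENABLED"}),
    "us-west-2": ({"DetectorIds": ["00000000000000000000000000000002"]},
                  {"Status": "DISABLED"}),   # detector exists but is suspended
    "eu-west-1": ({"DetectorIds": []}, None),  # region never onboarded
}

if __name__ == "__main__":
    for region in audit(SAMPLE):
        print(f"NON-COMPLIANT {region}: {evaluate_region(*SAMPLE[region])}")
```

A region with a detector that has been suspended (Status DISABLED) is reported separately from a region that was never onboarded, which is the distinction you need when deciding whether to re-enable or create a detector.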

Necessary Codes:

No specific code examples are required for enabling GuardDuty for NIST 800-53 Revision 5 compliance. Enabling GuardDuty can be done through the AWS Management Console, AWS Command Line Interface (CLI), or programmatically using AWS Software Development Kits (SDKs).

Step-by-Step Guide for Remediation:

Follow these steps to enable GuardDuty for NIST 800-53 Revision 5 compliance:

  1. Sign in to the AWS Management Console: Access the AWS Management Console using your account credentials.

  2. Open GuardDuty: In the AWS Management Console, navigate to the GuardDuty service. You can find it under the "Security, Identity & Compliance" category or by searching for "GuardDuty" in the search bar.

  3. Select the desired region: Ensure you are in the correct AWS region where you want to enable GuardDuty. If needed, switch to the desired region from the region selector in the AWS Management Console.

  4. Create a detector: Click on the "Create detector" button to create a new GuardDuty detector. You can choose the existing master account or create a new one.

  5. Enable GuardDuty: After creating the detector, click on the "Enable GuardDuty" button to enable GuardDuty for the selected region. Review the settings and click "Enable GuardDuty" again to confirm.

  6. (Optional) Enable GuardDuty for the organization: If you want to enable GuardDuty for the entire AWS Organization, click on "Enable" next to "Enable GuardDuty for my organization" and follow the prompts.

  7. Review status: Once GuardDuty is enabled, review the status and ensure it is in the enabled state for NIST 800-53 Revision 5 compliance. GuardDuty will start monitoring for threats based on its default settings and configuration.

Congratulations! You have successfully enabled GuardDuty for NIST 800-53 Revision 5 compliance. Remember to periodically review GuardDuty findings and take necessary actions to address any potential security threats.
