Ensure that Amazon GuardDuty is enabled, as required by the Audit and Accountability (AU) control family of the benchmark.
| Rule | GuardDuty should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description:
This rule requires that Amazon GuardDuty, the AWS threat detection service that continuously analyses CloudTrail management events, VPC Flow Logs and DNS logs for malicious or anomalous activity, is enabled in every AWS region the account uses. An account with no GuardDuty detector, or with a detector in the DISABLED state, in any active region fails the control as mapped to National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5.
Troubleshooting Steps:
If you encounter any issues while enabling GuardDuty in compliance with NIST 800-53 Revision 5, follow these troubleshooting steps:
Ensure correct AWS region: Check if you are in the correct AWS region where you want to enable GuardDuty. GuardDuty is region-specific, so it must be enabled in each desired AWS region independently.
Verify IAM permissions: Ensure that the AWS Identity and Access Management (IAM) user or role you are using to enable GuardDuty has the necessary permissions. The relevant permissions are:
- guardduty:CreateDetector - to create a GuardDuty detector (one per region)
- guardduty:ListDetectors and guardduty:GetDetector - to find the region's detector and read its status
- guardduty:UpdateDetector - to re-enable a detector that exists but has been disabled
- guardduty:EnableOrganizationAdminAccount - to designate a delegated GuardDuty administrator account for the organization, if applicable
- guardduty:CreatePublishingDestination - to export findings to an S3 bucket, if you configure finding export
- guardduty:UpdateOrganizationConfiguration - to auto-enable GuardDuty for new member accounts of the organization, if applicable
Check GuardDuty status: A region either has no detector at all (GuardDuty was never enabled there) or has exactly one detector whose Status is ENABLED or DISABLED. Run:
aws guardduty list-detectors
to list the detector IDs in the current region; an empty DetectorIds list means GuardDuty is not enabled in that region. If a detector ID is returned, query it with the get-detector command and confirm that its Status is ENABLED rather than DISABLED. Repeat the check with --region for every region the account uses, since each region is evaluated independently.
Necessary Codes:
No application code is required to enable GuardDuty for NIST 800-53 Revision 5 compliance. It can be enabled through the AWS Management Console, the AWS Command Line Interface (CLI) with the create-detector command, or programmatically using the AWS Software Development Kits (SDKs); whichever path you use, it must be repeated per region.
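As an added example (not part of the original rule page), the script below performs the status check and the remediation with the AWS CLI across every enabled region of the account: it lists the region's detector, reads its Status, and either creates an enabled detector, re-enables a disabled one, or reports that the region is already compliant. It assumes credentials with ec2:DescribeRegions plus the guardduty:ListDetectors, GetDetector, CreateDetector and UpdateDetector permissions; the FIFTEEN_MINUTES publishing frequency and the --apply flag are choices made for this example.

```shell
#!/bin/sh
# Added example: audit and remediate GuardDuty per region with the AWS CLI.
# Assumes the AWS CLI is configured and the caller holds ec2:DescribeRegions
# plus guardduty:ListDetectors/GetDetector/CreateDetector/UpdateDetector.
set -eu

# decide_action DETECTOR_ID STATUS -> create | enable | ok
# An empty DETECTOR_ID means the region has no detector; STATUS is the
# detector's Status field (ENABLED or DISABLED) when one exists.
decide_action() {
  detector_id="$1"
  status="$2"
  if [ -z "$detector_id" ]; then
    echo create
  elif [ "$status" != "ENABLED" ]; then
    echo enable
  else
    echo ok
  fi
}

# detector_in_region REGION -> prints the region's detector ID, or nothing.
# GuardDuty allows one detector per region; the CLI prints "None" for an
# empty list in text output, which is mapped back to an empty string.
detector_in_region() {
  aws guardduty list-detectors --region "$1" \
    --query 'DetectorIds[0]' --output text 2>/dev/null | sed 's/^None$//'
}

# detector_status REGION DETECTOR_ID -> ENABLED | DISABLED
detector_status() {
  aws guardduty get-detector --region "$1" --detector-id "$2" \
    --query 'Status' --output text
}

# remediate_region REGION: bring one region to an ENABLED detector.
remediate_region() {
  region="$1"
  id="$(detector_in_region "$region")"
  status=""
  if [ -n "$id" ]; then
    status="$(detector_status "$region" "$id")"
  fi
  action="$(decide_action "$id" "$status")"
  case "$action" in
    create)
      # Create the detector already enabled; the publishing frequency is a
      # choice for this example (FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS).
      aws guardduty create-detector --region "$region" --enable \
        --finding-publishing-frequency FIFTEEN_MINUTES >/dev/null ;;
    enable)
      aws guardduty update-detector --region "$region" \
        --detector-id "$id" --enable ;;
  esac
  echo "$region: $action"
}

main() {
  # describe-regions returns only the regions enabled for this account;
  # GuardDuty has to be enabled in each of them independently.
  for region in $(aws ec2 describe-regions \
      --query 'Regions[].RegionName' --output text); do
    remediate_region "$region"
  done
}

# Only touch the account when run with --apply (example convention), so the
# functions can be sourced and checked without calling AWS.
case "${1:-}" in
  --apply) main ;;
esac
```

Run it as `sh enable-guardduty.sh --apply`; the output is one line per region with create, enable or ok, which is also a quick way to see which regions the rule would have flagged.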
Step-by-Step Guide for Remediation:
Follow these steps to enable GuardDuty for NIST 800-53 Revision 5 compliance:
Sign in to the AWS Management Console: Access the AWS Management Console using your account credentials.
Open GuardDuty: In the AWS Management Console, navigate to the GuardDuty service. You can find it under the "Security, Identity & Compliance" category or by searching for "GuardDuty" in the search bar.
Select the desired region: Ensure you are in the correct AWS region where you want to enable GuardDuty. If needed, switch to the desired region from the region selector in the AWS Management Console.
Start GuardDuty: If GuardDuty has never been enabled in this region, the console shows a welcome page; choose "Get Started". GuardDuty creates one detector per region, so there is no detector or account to pick at this point.
Enable GuardDuty: On the next page, review the service-linked role GuardDuty will use and the data sources it will analyse, then click "Enable GuardDuty". The detector is created in the ENABLED state and begins analysing within minutes.
(Optional) Enable GuardDuty for the organization: To cover every account in an AWS Organization, designate a delegated GuardDuty administrator account from the organization's management account, then, in that administrator account's GuardDuty console, open the Accounts page and turn on auto-enable so that existing and newly joined member accounts get GuardDuty. This organization configuration is also per region and must be repeated in each region.
Review status: Once GuardDuty is enabled, confirm that the detector Status is ENABLED in the console (or via the get-detector command) in every region the account uses; a region with no detector or a DISABLED detector is still reported by the rule. GuardDuty starts monitoring with its default data sources and settings.
Congratulations! You have successfully enabled GuardDuty for NIST 800-53 Revision 5 compliance. Remember to periodically review GuardDuty findings and take necessary actions to address any potential security threats.