Enable GuardDuty Rule

Ensure compliance by enabling the GuardDuty rule in the Assessment, Authorization, and Monitoring (CA) benchmark.

Rule: GuardDuty should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

GuardDuty, a threat detection service offered by Amazon Web Services (AWS), should be enabled to comply with the security requirements outlined in NIST 800-53 Revision 5. GuardDuty continuously monitors AWS accounts for suspicious activity, unauthorized access, and potential threats, providing alerts and actionable insights to improve the security posture of AWS resources.

Troubleshooting Steps (if necessary):

If GuardDuty is not enabled or encounters any issues, follow these troubleshooting steps:

1. Check IAM Permissions: Ensure that the IAM principal enabling GuardDuty has the required permissions. Verify that the necessary IAM roles and policies are correctly configured to enable GuardDuty in your AWS account.

2. Check Service Limits: Confirm that no GuardDuty service limit has been reached. AWS imposes limits on the number of GuardDuty detectors, findings, and concurrent API requests; request a service limit increase if the current limits are insufficient for your requirements.

3. Verify the AWS Region: Double-check that GuardDuty is enabled in the correct AWS region. GuardDuty operates per region, so it must be enabled in each desired region independently.

4. Review AWS CloudTrail Settings: Ensure that AWS CloudTrail, the service that records AWS API calls, is enabled in your AWS account. GuardDuty requires CloudTrail to be enabled in order to fetch the logs it needs for threat analysis.

5. Check VPC Flow Logs: Make sure that VPC Flow Logs are enabled for the relevant VPCs. GuardDuty uses VPC Flow Logs to analyze network traffic and identify potential threats.

6. Review GuardDuty Settings: Verify GuardDuty settings such as email notifications, enabled security profiles, and published findings. Ensure that these settings align with your organization's requirements and expectations.

7. Test Connectivity: Check the connectivity between GuardDuty and its external integrations, such as Security Information and Event Management (SIEM) systems or third-party applications. Validate that data ingestion and alerting are functioning as expected.

8. Contact AWS Support: If the steps above do not resolve the issue, contact AWS Support for further assistance. Provide any relevant error messages or details to expedite troubleshooting.

Necessary Codes (if applicable):

No specific codes are required for this rule. GuardDuty can be configured and enabled through the AWS Management Console, the AWS CLI (Command Line Interface), or programmatically using the AWS SDKs (Software Development Kits) and APIs (Application Programming Interfaces).

Step-by-Step Guide for Enabling GuardDuty:

1. Log in to the AWS Management Console (https://console.aws.amazon.com/) using appropriate credentials.

2. Navigate to the GuardDuty service by searching for "GuardDuty" in the AWS Management Console search bar.

3. On the GuardDuty dashboard, click "Enable GuardDuty" if GuardDuty is not already enabled.

4. Select the AWS region where you want to enable GuardDuty from the region dropdown menu.

5. Configure the following settings according to your requirements:

    • Detector Name: Give the detector a meaningful name so it can be identified in your account.
    • Account Details: Choose whether this detector should monitor the entire AWS account or specific organizational units (OUs).
    • Data Sources: Choose the data sources GuardDuty should analyze, such as CloudTrail and VPC Flow Logs.

6. Click "Enable GuardDuty" to start the enabling process.

7. GuardDuty will begin analyzing the selected data sources and will generate findings for detected threats and anomalies. Review and act on the generated findings as necessary.

8. Configure email notifications (if required) to receive alerts for high-severity findings or specific types of threats.

9. Continuously monitor GuardDuty findings and take appropriate action to remediate identified risks or investigate further.

Note: Enabling and configuring GuardDuty in multiple AWS regions requires repeating the above steps for each desired region independently.

By following these steps, you can enable GuardDuty and comply with the NIST 800-53 Revision 5 security requirements. GuardDuty helps improve threat detection and enhances the security posture of your AWS resources.
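Because the rule can be checked and remediated from the AWS CLI or SDK as well as the console, and because both the troubleshooting steps and the note above stress that GuardDuty is per region, the following added Python (boto3) example, which is not Cloud Defense's own code, evaluates GuardDuty status region by region. It reads responses shaped like the GuardDuty ListDetectors and GetDetector API results (the `Status` and `DataSources` fields), flags regions with no detector, a suspended detector, or a required data source switched off, and includes a live fetch and a remediation helper. The region set, detector IDs and the `fetch_region`/`enable_region` names are illustrative assumptions; `list_detectors`, `get_detector` and `create_detector(Enable=True)` are real boto3 methods.

```python
"""Per-region GuardDuty enablement check (added example, not Cloud Defense code).

The evaluation logic runs offline on the constructed sample at the bottom;
fetch_region() and enable_region() need boto3 and real AWS credentials.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Data sources the rule text calls out; the names match the DataSources keys
# returned by GetDetector.
REQUIRED_SOURCES: Tuple[str, ...] = ("CloudTrail", "FlowLogs")


@dataclass
class RegionResult:
    region: str
    detector_id: Optional[str]
    enabled: bool
    disabled_sources: Tuple[str, ...]

    @property
    def compliant(self) -> bool:
        # A region passes only with an ENABLED detector and every required source on.
        return self.enabled and not self.disabled_sources


def evaluate_region(region: str, detector_id: Optional[str],
                    detector: Optional[dict]) -> RegionResult:
    """Evaluate one region; `detector` is None when ListDetectors returned no ID."""
    if detector is None:
        return RegionResult(region, None, False, REQUIRED_SOURCES)
    enabled = detector.get("Status") == "ENABLED"
    sources = detector.get("DataSources", {})
    disabled = tuple(
        name for name in REQUIRED_SOURCES
        if sources.get(name, {}).get("Status") != "ENABLED"
    )
    return RegionResult(region, detector_id, enabled, disabled)


def evaluate_all(snapshot: Dict[str, Tuple[Optional[str], Optional[dict]]]) -> list:
    return [evaluate_region(r, did, det) for r, (did, det) in snapshot.items()]


def noncompliant_regions(snapshot) -> list:
    """Regions the rule would flag, in snapshot order."""
    return [res.region for res in evaluate_all(snapshot) if not res.compliant]


def fetch_region(region: str):
    """Live query for one region (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline evaluation above needs no AWS SDK
    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    if not ids:
        return None, None
    return ids[0], gd.get_detector(DetectorId=ids[0])


def enable_region(region: str) -> str:
    """Remediation: create an enabled detector in a region that has none."""
    import boto3
    gd = boto3.client("guardduty", region_name=region)
    resp = gd.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
    return resp["DetectorId"]


# Constructed sample snapshot (detector IDs are made-up placeholders).
SAMPLE = {
    "us-east-1": ("0123456789abcdef0123456789abcdef", {
        "Status": "ENABLED",
        "DataSources": {"CloudTrail": {"Status": "ENABLED"},
                        "FlowLogs": {"Status": "ENABLED"},
                        "DNSLogs": {"Status": "ENABLED"}},
    }),
    # Detector exists but was suspended, so the region still fails the rule.
    "eu-west-1": ("fedcba9876543210fedcba9876543210", {
        "Status": "DISABLED",
        "DataSources": {"CloudTrail": {"Status": "DISABLED"},
                        "FlowLogs": {"Status": "DISABLED"}},
    }),
    # Detector enabled but VPC Flow Logs analysis is off (troubleshooting step 5).
    "us-west-2": ("13579bdf02468ace13579bdf02468ace", {
        "Status": "ENABLED",
        "DataSources": {"CloudTrail": {"Status": "ENABLED"},
                        "FlowLogs": {"Status": "DISABLED"}},
    }),
    # GuardDuty was never enabled here: ListDetectors returned no IDs.
    "ap-southeast-2": (None, None),
}

if __name__ == "__main__":
    for res in evaluate_all(SAMPLE):
        state = "PASS" if res.compliant else "FAIL"
        print(f"{res.region:16} {state}  detector={res.detector_id}  "
              f"missing={list(res.disabled_sources)}")
```

To run it against a real account, build the snapshot with `{region: fetch_region(region) for region in regions}` and pass it to `noncompliant_regions`; regions that return `(None, None)` are the ones `enable_region` would remediate, while a suspended detector or a disabled data source is fixed by updating the existing detector rather than creating a second one.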
