
Rule: GuardDuty findings should be archived

This rule requires archiving GuardDuty findings for compliance.

Rule: GuardDuty findings should be archived
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

This rule mandates that all GuardDuty findings should be archived to align with the requirements set forth by the National Institute of Standards and Technology (NIST) 800-53 Revision 5. By archiving findings, organizations can ensure compliance with security guidelines and maintain an audit trail for future investigations or reference purposes.

Troubleshooting Steps:

If you encounter any issues while implementing this rule, consider the following troubleshooting steps:

  1. Finding archival failure: If the findings are not getting archived as expected, review the configuration settings and ensure that the archival process is properly set up.
  2. Incorrect archival bucket: Verify that the correct S3 bucket is specified for storing the archived findings.
  3. Permission issues: Check the permissions associated with the IAM role used for archival. Ensure that it has the necessary permissions to write to the designated S3 bucket.

Relevant Code:

There is no specific code associated with this rule; however, it requires configuration changes in the AWS Management Console or by using the AWS Command Line Interface (CLI).

Remediation Steps:

Follow these steps to remediate the rule and archive GuardDuty findings for NIST 800-53 Revision 5 compliance:

  1.

    AWS Management Console:

    • Sign in to the AWS Management Console.
    • Open the GuardDuty service from the list of available services.
    • In the navigation pane, click on Settings.
    • Under Data privacy, locate the Archive findings option.
    • Enable the archival feature by selecting the appropriate S3 bucket where findings should be archived.
    • Click Save to finalize the changes.
  2.

    AWS CLI:

    • Install and configure the AWS CLI if you haven't done so already.
    • Open a command prompt or terminal window.
    • Run the following command to export findings to the S3 bucket (GuardDuty calls this a publishing destination, and it requires a KMS key that GuardDuty is allowed to use for encrypting the exported findings), replacing <DETECTOR_ID>, <BUCKET_NAME> and <KMS_KEY_ARN> with your detector ID, the name of the desired S3 bucket and the ARN of that key:
      aws guardduty create-publishing-destination --detector-id <DETECTOR_ID> --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::<BUCKET_NAME>,KmsKeyArn=<KMS_KEY_ARN>

    • Confirm the changes by running the command:
      aws guardduty list-publishing-destinations --detector-id <DETECTOR_ID>

      This command should return the configured destination together with its status; a status of PUBLISHING means findings are being delivered to the bucket, while UNABLE_TO_PUBLISH usually points to a bucket policy or KMS key permission problem (see the troubleshooting steps above).
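As an added compliance check that is not part of the original rule page, the following Python script evaluates a detector's GuardDuty publishing destinations against what the remediation and troubleshooting steps above expect. The boto3 calls in `describe_all` are an assumed way to fetch the live data; the sample responses are constructed and the evaluation runs on them offline.

```python
"""Check whether a GuardDuty detector exports its findings to S3.

The evaluation works on the shape of GuardDuty's DescribePublishingDestination
responses, so it can be exercised on constructed samples without an AWS account.
"""

# Destination status values GuardDuty reports.
HEALTHY = {"PUBLISHING"}
BROKEN = {"UNABLE_TO_PUBLISH", "STOPPED"}


def evaluate_destinations(destinations):
    """Return (compliant, reasons) for a list of described destinations."""
    reasons = []
    s3 = [d for d in destinations if d.get("DestinationType") == "S3"]
    if not s3:
        return False, ["no S3 publishing destination configured"]
    for d in s3:
        arn = d.get("DestinationProperties", {}).get("DestinationArn", "")
        status = d.get("Status")
        if not arn.startswith("arn:aws:s3:::"):
            reasons.append(f"destination ARN is not an S3 bucket: {arn!r}")
        if status in BROKEN:
            # Typically a bucket policy or KMS key permission problem.
            reasons.append(f"{arn}: status {status}, check bucket and KMS permissions")
        elif status not in HEALTHY:
            reasons.append(f"{arn}: status {status}, not yet publishing")
    return not reasons, reasons


def describe_all(detector_id, client):
    """Fetch every publishing destination for a detector (live boto3 call, assumed usage).

    ListPublishingDestinations is paginated; for brevity only the first page is read.
    """
    ids = client.list_publishing_destinations(DetectorId=detector_id)["Destinations"]
    return [client.describe_publishing_destination(DetectorId=detector_id,
                                                   DestinationId=d["DestinationId"])
            for d in ids]


# Constructed sample responses (not captured from a real account).
SAMPLE_OK = [{"DestinationType": "S3", "Status": "PUBLISHING",
              "DestinationProperties": {"DestinationArn": "arn:aws:s3:::example-findings",
                                        "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}]
SAMPLE_BROKEN = [{"DestinationType": "S3", "Status": "UNABLE_TO_PUBLISH",
                  "DestinationProperties": {"DestinationArn": "arn:aws:s3:::example-findings"}}]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN), ("none", [])):
        print(name, evaluate_destinations(sample))
```

To run it against a real detector, pass `boto3.client("guardduty")` and the detector ID to `describe_all` and feed the result to `evaluate_destinations`.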

Conclusion:

By following the steps outlined above, you can ensure that all GuardDuty findings are properly archived to comply with the NIST 800-53 Revision 5 requirements. Archiving findings provides a centralized location for storing and analyzing security events, aiding in post-incident analysis and compliance audits.
