Rule: GuardDuty should be enabled

This rule states that GuardDuty should be enabled to enhance security measures.

Rule: GuardDuty should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description: GuardDuty should be enabled for NIST 800-53 Revision 5

Description:

This rule ensures that GuardDuty, a threat detection service provided by AWS, is enabled with the appropriate settings to comply with the security controls outlined in the NIST (National Institute of Standards and Technology) 800-53 Revision 5 framework. Enabling GuardDuty helps organizations identify potential security threats and vulnerabilities within their AWS environment.

Troubleshooting Steps:

  1. Verify GuardDuty Status: Check if GuardDuty is enabled within your AWS account by following these steps:

    • Open the AWS Management Console and navigate to the GuardDuty service.
    • Select your desired region.
    • If GuardDuty is not listed, it means it is not enabled for the selected region. Proceed to enable GuardDuty by following the next steps.

  2. Enable GuardDuty: To enable GuardDuty, execute the following steps:

    • Open the AWS Management Console and navigate to the GuardDuty service.
    • Click on the "Get started" button.
    • Choose the AWS region where you want GuardDuty to be enabled.
    • Review the settings and click on "Enable GuardDuty" to start the setup process.

  3. Review Settings: Once GuardDuty is enabled, review the settings to ensure compliance with NIST 800-53 Revision 5.

Code:

There is no specific code required for enabling GuardDuty or configuring it to comply with NIST 800-53 Revision 5. However, you can use AWS CLI (Command Line Interface) commands for enabling GuardDuty as follows:

aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES --region <your_region>

Replace <your_region> with the appropriate AWS region code.
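
The console check in the troubleshooting steps can also be run from the CLI across several regions at once. The script below is an added example, not part of the original page: it reports, per region, whether a detector exists, whether it is enabled, and whether it uses the 15-minute publishing frequency this page recommends. The function names and verdict strings are assumptions made for illustration, and it assumes credentials permitted to call guardduty:ListDetectors and guardduty:GetDetector.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): per-region GuardDuty audit.
# Assumes AWS CLI credentials allowed to call guardduty:ListDetectors and
# guardduty:GetDetector. Function names and verdict strings are illustrative.

# Print a verdict for one region:
#   COMPLIANT | NO_DETECTOR | DISABLED | FREQUENCY:<value> | ERROR
check_guardduty_region() {
  local region="$1" detector details status freq
  # No detector in the region means GuardDuty was never enabled there;
  # with --output text an empty DetectorIds list prints "None".
  detector="$(aws guardduty list-detectors --region "$region" \
      --query 'DetectorIds[0]' --output text 2>/dev/null)" \
      || { echo ERROR; return 0; }
  if [ -z "$detector" ] || [ "$detector" = "None" ]; then
    echo NO_DETECTOR; return 0
  fi
  # A detector can exist but be suspended, so check Status as well.
  details="$(aws guardduty get-detector --region "$region" \
      --detector-id "$detector" \
      --query '[Status,FindingPublishingFrequency]' --output text 2>/dev/null)" \
      || { echo ERROR; return 0; }
  status="$(printf '%s\n' "$details" | cut -f1)"   # text output is tab-separated
  freq="$(printf '%s\n' "$details" | cut -f2)"
  if [ "$status" != "ENABLED" ]; then
    echo DISABLED
  elif [ "$freq" != "FIFTEEN_MINUTES" ]; then
    echo "FREQUENCY:$freq"
  else
    echo COMPLIANT
  fi
}

# Audit every region given as an argument; return 1 if any region fails.
audit_guardduty() {
  local region verdict rc=0
  for region in "$@"; do
    verdict="$(check_guardduty_region "$region")"
    printf '%s\t%s\n' "$region" "$verdict"
    [ "$verdict" = "COMPLIANT" ] || rc=1
  done
  return "$rc"
}

# Usage: ./guardduty_audit.sh us-east-1 eu-west-1 ...
if [ "$#" -gt 0 ]; then audit_guardduty "$@"; fi
```

The non-zero exit status on any non-compliant region lets the script gate a scheduled job or pipeline step.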

Remediation Steps:

Follow these steps to remediate any non-compliance related to the GuardDuty configuration for NIST 800-53 Revision 5:

  1. Enable GuardDuty: If GuardDuty is not already enabled, execute the following steps:

    • Open the AWS Management Console and navigate to the GuardDuty service.
    • Click on the "Get started" button.
    • Choose the AWS region where you want GuardDuty to be enabled.
    • Review the settings and click on "Enable GuardDuty" to start the setup process.

  2. Configure Finding Publishing Frequency: Adjust the frequency of finding publishing as specified in the NIST 800-53 Revision 5 controls. The recommended frequency is 15 minutes. To configure finding publishing frequency, follow these steps:

    • Open the AWS Management Console and navigate to the GuardDuty service.
    • Select the appropriate region where GuardDuty is enabled.
    • Click on the "Settings" tab.
    • Under "Finding publication", select "15 minutes" from the drop-down menu.

  3. Review Security Findings: Regularly review the security findings generated by GuardDuty and take necessary actions to remediate any identified threats or vulnerabilities.

By following these steps, GuardDuty will be enabled and configured to comply with the NIST 800-53 Revision 5 controls, helping you enhance the security posture of your AWS environment.
