This rule focuses on archiving GuardDuty findings to ensure compliance and security measures are in place.
| Field | Value |
|---|---|
| Rule | GuardDuty findings should be archived |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Medium |
Rule Description:
This rule ensures that GuardDuty findings are properly archived for compliance with the NIST Cybersecurity Framework (CSF) v1. GuardDuty is an AWS threat detection service that continuously monitors account activity and workloads for malicious or unauthorized behavior and raises findings. Archiving those findings is essential for incident response, audit, and compliance, because a finding that is only visible in the console for a limited retention window cannot support a later investigation.
Enabling this rule will help organizations adhere to the NIST CSF v1 requirements, specifically in the areas of Detect (DE) and Respond (RS), by ensuring that all relevant GuardDuty findings are securely stored for future reference and analysis.
Troubleshooting Steps (if applicable):
If there are issues with archiving GuardDuty findings, follow these steps to troubleshoot:
Verify IAM Permissions: Ensure that the IAM role/user associated with the GuardDuty service has sufficient permissions to store findings in the desired archive location. Verify the IAM policies attached to the role/user include the necessary permissions for PutObject actions on the chosen storage solution (e.g., Amazon S3).
Check Bucket/Storage Settings: Ensure that the storage solution (e.g., S3 bucket) where the GuardDuty findings are archived is properly configured. Check the bucket's permissions, versioning settings, and any relevant lifecycle policies. Make sure that the bucket's access settings align with your organization's security requirements.
Review CloudTrail Logs: If CloudTrail is enabled, review the logs to identify any errors or anomalies related to archiving GuardDuty findings. Cross-reference the logs with the identified timestamps for any potential issues with API calls, permissions, or storage configurations.
Verify EventBridge/CloudWatch Event Rule: If you have set up an EventBridge/CloudWatch Event Rule to trigger the archival process, ensure that the rule is properly configured. Review the rule's targets, permissions, and conditions to validate if it's correctly triggering the archival process.
Check GuardDuty Configuration: Double-check the GuardDuty configuration to ensure that the appropriate settings are enabled for finding storage and archival. Ensure that the findings are not being suppressed, and the archival options are correctly set.
Review Service Limits: In case of large numbers of findings or excessive storage requirements, check if you have exceeded any service limits within GuardDuty or the chosen storage solution. Increase the limits if needed or evaluate potential workarounds such as periodic findings exports.
Necessary Codes (if applicable):
No specific code snippets are required for this rule, as it primarily involves the configuration of GuardDuty, IAM permissions, and storage configurations. However, you may need to use CLI or SDK commands to manage the storage solution (e.g., S3) where the GuardDuty findings are archived.
Step-by-Step Guide for Remediation:
Follow these steps to enable the archival of GuardDuty findings for compliance with the NIST CSF v1:
1. Log in to the AWS Management Console.
2. Navigate to the GuardDuty service.
3. Ensure that GuardDuty is enabled in the desired AWS region.
4. Configure Finding Storage Settings:
   a. Under the GuardDuty service, select the "Settings" tab.
   b. Locate the "Finding storage settings" section.
   c. Choose the appropriate storage solution, such as "S3 Bucket," for storing the findings.
   d. Provide the necessary details for the chosen storage solution, such as the bucket name, prefix, and optional encryption settings.
   e. Save the configuration.
5. Adjust Archival Frequency (optional):
   a. If desired, configure the archival frequency based on your organization's requirements.
   b. Under the "Finding storage settings" section, adjust the "Archive findings every" option to the desired interval.
   c. Save the configuration.
6. Verify IAM Permissions:
   a. Ensure that the IAM role or user associated with GuardDuty has the necessary permissions to write findings to the chosen storage solution.
   b. Review the IAM policies attached to the role or user and ensure they include the required permissions for the storage solution, for example "s3:PutObject" actions for an S3 bucket.
   c. Modify the IAM policies if needed to grant the appropriate permissions.
7. Test Archival Process (optional):
   a. Generate sample findings in the GuardDuty service using test scenarios or by triggering predefined security events.
   b. Monitor whether the findings are automatically archived to the configured storage solution.
   c. Verify the completeness and correctness of the archived findings.
8. Validate Compliance:
   a. Regularly review the archived GuardDuty findings to assess compliance with the NIST CSF v1 requirements.
   b. Use the findings for incident response, analysis, and other compliance-related activities.
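As an added example (not part of the rule page), the following script performs the bucket-permission check described in the troubleshooting step "Check Bucket/Storage Settings" and remediation step "Verify IAM Permissions": it parses an S3 bucket policy and reports whether the GuardDuty service principal can write findings, whether that grant is scoped to the owning account and detector, and whether plain-HTTP access is denied. The requirements follow the bucket policy AWS documents for exporting GuardDuty findings to S3; the bucket name, account id and detector id are constructed placeholders.

```python
"""Check an S3 bucket policy for the GuardDuty findings-export prerequisites.
Added example (not from the rule page); follows AWS' documented export bucket
policy. All ids are constructed placeholders."""
import json

GUARDDUTY_PRINCIPAL = "guardduty.amazonaws.com"
REQUIRED_ACTIONS = {"s3:GetBucketLocation", "s3:PutObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_export_bucket_policy(policy_json):
    """Return {check_name: bool} for the export prerequisites in a bucket policy."""
    allowed, scoped, denies_http = set(), False, False
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal", {})
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and GUARDDUTY_PRINCIPAL in services:
            allowed |= actions
            # Confused-deputy guard: the service grant must be tied to this account and detector.
            keys = {k for block in cond.values() for k in block}
            scoped = scoped or {"aws:SourceAccount", "aws:SourceArn"} <= keys
        elif stmt.get("Effect") == "Deny" and principal == "*" and "s3:*" in actions:
            denies_http |= (cond.get("Bool", {}).get("aws:SecureTransport") == "false")
    return {
        "guardduty_can_write": REQUIRED_ACTIONS <= allowed,
        "grant_scoped_to_detector": scoped,
        "denies_plain_http": denies_http,
    }


# Constructed sample policy with placeholder bucket, account and detector ids.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": GUARDDUTY_PRINCIPAL},
     "Action": ["s3:GetBucketLocation", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::example-gd-archive", "arn:aws:s3:::example-gd-archive/*"],
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                   "ArnLike": {"aws:SourceArn":
                               "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE-DETECTOR-ID"}}},
    # Deliberately missing: a Deny for aws:SecureTransport=false, so that check reports FAIL.
]})

if __name__ == "__main__":
    for name, ok in check_export_bucket_policy(SAMPLE_POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it against the policy exported with `aws s3api get-bucket-policy` for the archive bucket; any FAIL line points at the setting to fix before expecting findings to appear in the bucket.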
Following these steps ensures that GuardDuty findings are properly archived as per the NIST CSF v1 requirements, providing a foundation for effective security monitoring, incident response, and regulatory compliance.