Ensure compliance by archiving GuardDuty findings for improved security measures.
Rule: GuardDuty findings should be archived
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium
GuardDuty Findings Archiving for NIST Cybersecurity Framework (CSF) v1
Archiving Amazon GuardDuty findings in alignment with the NIST Cybersecurity Framework (CSF) version 1 means retaining the records of the findings produced by AWS's managed threat detection service. This retention supports the "Protect" function of the NIST CSF, giving organizations a complete record of detected activity for later analysis and compliance auditing.
Troubleshooting Steps for GuardDuty Archive Issues
Necessary Codes for Automating Archiving
AWS CLI commands and AWS Lambda functions can be used to automate the archiving process. The following AWS CLI example creates a GuardDuty filter with the ARCHIVE action (a suppression rule) that matches every finding, so each new finding is archived as soon as it is generated and no longer appears in the console's current-findings view:

# The CLI expects the member names "Criterion" and "Gte" (the lowercase API wire
# form "criterion"/"gte" is rejected as an unknown parameter).
aws guardduty create-filter \
  --detector-id <detector_id> \
  --name "ArchiveAllFindings" \
  --action ARCHIVE \
  --rank 1 \
  --finding-criteria '{"Criterion": {"severity": {"Gte": 0}}}'
Replace <detector_id> with your GuardDuty detector ID.

Step by Step Guide for Remediation
Step 1: Enable GuardDuty
If not already enabled, you can activate it using:
aws guardduty create-detector --enable
Step 2: Create S3 Bucket for Archived Findings
Create an S3 bucket to store archived findings, ensuring the bucket is secured according to best practices:
aws s3api create-bucket --bucket <bucket-name> --region <AWS-region>
Replace <bucket-name> and <AWS-region> with your preferred bucket name and AWS region respectively.

Step 3: Automation for Archiving
Set up an AWS Lambda function, triggered by GuardDuty finding events delivered through Amazon EventBridge, that writes each finding to the S3 bucket.
Step 4: Implement IAM Policies
Create the necessary IAM policies to allow GuardDuty to write to the S3 bucket and allow the Lambda function to execute its operations.
Step 5: Configure Retention Policy
Configure your S3 bucket to utilize lifecycle policies that meet the retention requirements of NIST CSF.
Step 6: Compliance Verification
Periodically check the S3 bucket to confirm that findings are being archived appropriately.
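The Lambda function described in Steps 3 and 4, as an added example that is not part of the original page: it validates the EventBridge envelope of a GuardDuty finding, writes the finding as JSON to the archive bucket under an account/date prefix, and returns the object key so the write can be verified. It assumes an EventBridge rule for source "aws.guardduty" / detail-type "GuardDuty Finding" targets the function and that the bucket name is supplied in an ARCHIVE_BUCKET environment variable; the sample event and the RecordingS3 stand-in are constructed for the offline self-check.

```python
import json
import os


def build_object_key(finding: dict) -> str:
    """Partition archived findings by account, day and finding id (layout chosen for this example)."""
    created = finding.get("createdAt", "")
    day = created[:10] if created else "unknown-date"  # YYYY-MM-DD prefix of the ISO-8601 timestamp
    account = finding.get("accountId", "unknown-account")
    return f"guardduty/account={account}/date={day}/{finding['id']}.json"


def archive_finding(event: dict, s3_client, bucket: str) -> str:
    """Validate the EventBridge envelope, write the finding to S3 and return the object key."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty Finding event")
    finding = event["detail"]
    key = build_object_key(finding)
    s3_client.put_object(
        Bucket=bucket,
        Key=key,
        Body=json.dumps(finding, sort_keys=True).encode(),
        ContentType="application/json",
        ServerSideEncryption="AES256",  # request SSE-S3; the bucket policy should enforce it as well
    )
    return key


def handler(event, context):
    """AWS Lambda entry point; ARCHIVE_BUCKET is an assumed environment variable."""
    import boto3  # imported lazily so the module can be tested without boto3 installed
    return {"archived": archive_finding(event, boto3.client("s3"), os.environ["ARCHIVE_BUCKET"])}


class RecordingS3:
    """Minimal stand-in for the boto3 S3 client, used only for the offline self-check."""
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body


# Constructed sample event in the shape EventBridge uses for GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "00000000000000000000000000000000",  # placeholder finding id
        "accountId": "123456789012",
        "severity": 5,
        "createdAt": "2024-03-01T12:34:56.000Z",
    },
}
```

Pair the function with an S3 lifecycle configuration (Step 5) and a periodic listing of the prefix (Step 6) to confirm that objects keep arriving for every active account.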
CLI Commands Required
For extensive GuardDuty operations and S3 bucket configuration, below are some CLI commands:
aws guardduty list-detectors
aws s3api put-bucket-policy --bucket <bucket-name> --policy <policy>
aws s3api put-bucket-lifecycle-configuration --bucket <bucket-name> --lifecycle-configuration file://lifecycle.json
Make sure to replace placeholder variables with actual values. The JSON files should be properly structured to meet AWS policy and lifecycle configuration requirements.
Following these steps and employing the prescribed CLI commands will help you align your GuardDuty findings archiving process with the NIST CSF v1, supporting compliance and enhancing your cybersecurity posture.