
Rule: GuardDuty findings should be archived

Ensure compliance by archiving GuardDuty findings for improved security measures.

Rule: GuardDuty findings should be archived
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

GuardDuty Findings Archiving for NIST Cybersecurity Framework (CSF) v1

Archiving Amazon GuardDuty findings in line with the NIST Cybersecurity Framework (CSF) version 1 means retaining the records of the findings that AWS's managed threat detection service produces. This retention supports the "Protect" function of the NIST CSF by giving an organization a complete record of detected activity for later analysis and for compliance audits.

Troubleshooting Steps for GuardDuty Archive Issues

  • Verify GuardDuty is Enabled: Ensure GuardDuty is active and monitoring your AWS environment. Check the service's status in the AWS Management Console.
  • Inspect GuardDuty Settings: Review the current archiving configuration within GuardDuty (filters, export destinations) and confirm it meets the NIST CSF v1 requirements.
  • Storage Location: Confirm that findings are being delivered to the intended S3 bucket or logging service, and that the bucket policy does not block writes from GuardDuty or from the function that exports them.
  • Permissions: Ensure the IAM roles and policies needed for GuardDuty and the export function to write findings into the archive are in place, and no broader than that.
  • Retention Policy: Make sure the retention policy for archived data meets the NIST CSF-aligned retention period your organization has set.

Necessary Codes for Automating Archiving

AWS CLI commands and AWS Lambda functions can be used to automate the archiving process. The following AWS CLI example creates a GuardDuty filter whose ARCHIVE action automatically marks every matching finding as archived (severity greater than or equal to 0 matches all findings). Note that this action only changes the finding's state inside GuardDuty; it does not copy the finding anywhere, and GuardDuty does not forward findings suppressed this way to EventBridge, Security Hub or S3. If you rely on the Lambda export described below, keep the filter criteria narrow enough that the findings you want archived to S3 are still delivered.

# Auto-archive matching findings in GuardDuty (filter keys are case-sensitive in the CLI)
aws guardduty create-filter \
  --detector-id <detector_id> \
  --name "ArchiveAllFindings" \
  --action ARCHIVE \
  --rank 1 \
  --finding-criteria '{"Criterion": {"severity": {"Gte": 0}}}'

Replace <detector_id> with your GuardDuty detector ID.

Step by Step Guide for Remediation

Step 1: Enable GuardDuty

If not already enabled, you can activate it using:

aws guardduty create-detector --enable

Step 2: Create S3 Bucket for Archived Findings

Create an S3 bucket to store archived findings, ensuring the bucket is secured according to best practices (block public access, default encryption, versioning). Outside us-east-1, create-bucket also requires --create-bucket-configuration LocationConstraint=<AWS-region>:

aws s3api create-bucket --bucket <bucket-name> --region <AWS-region>

Replace <bucket-name> and <AWS-region> with your preferred bucket name and AWS region respectively.

Step 3: Automation for Archiving

Set up an AWS Lambda function, triggered by the GuardDuty finding events that GuardDuty publishes to Amazon EventBridge, that writes each finding to the S3 bucket.

Step 4: Implement IAM Policies

Create the necessary IAM policies: a bucket policy that allows GuardDuty to write to the S3 bucket, and an execution role for the Lambda function that is limited to writing objects into that bucket (plus its CloudWatch Logs permissions). Grant nothing broader than these operations need.

Step 5: Configure Retention Policy

Configure S3 lifecycle rules on the bucket that meet the retention requirements of NIST CSF: transitioning old findings to a cheaper storage class is fine, but no rule may expire objects before the required retention period has elapsed.

Step 6: Compliance Verification

Periodically check the S3 bucket, for example by listing the most recent date prefix, to confirm that findings are still being archived and that older findings are being retained as the lifecycle rules intend.
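The Lambda function that Step 3 calls for, written here as an added example rather than code from Cloud Defense or AWS: it accepts the GuardDuty finding event that EventBridge delivers, refuses any other event, and writes the finding to the archive bucket under an account/region/date prefix. The bucket name, account ID, finding ID, sample event and the RecordingS3 stand-in are constructed for this example; in Lambda the handler uses the real boto3 S3 client.

```python
import json

# Constructed sample of the EventBridge event GuardDuty emits for a finding,
# trimmed to the fields this handler uses (real events carry many more).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "0123456789abcdef0123456789abcdef",  # placeholder finding id
        "accountId": "123456789012",               # placeholder account id
        "region": "us-east-1",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "updatedAt": "2024-03-05T14:22:31.000Z",
    },
}
ARCHIVE_BUCKET = "example-guardduty-archive"  # placeholder; read from an env var in Lambda

def finding_key(finding: dict) -> str:
    """Key layout: account/region/day prefixes keep lifecycle rules and audits simple."""
    day = finding["updatedAt"][:10].replace("-", "/")  # YYYY/MM/DD
    return f"guardduty/{finding['accountId']}/{finding['region']}/{day}/{finding['id']}.json"

def archive_finding(event: dict, s3, bucket: str = ARCHIVE_BUCKET) -> str:
    """Write one finding to S3 and return its key; refuse non-GuardDuty events
    so a misconfigured EventBridge rule cannot fill the archive with noise."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    key = finding_key(finding)
    s3.put_object(
        Bucket=bucket,
        Key=key,
        Body=json.dumps(finding, separators=(",", ":")).encode(),
        ContentType="application/json",
        ServerSideEncryption="AES256",  # encrypt the archived record at rest
    )
    return key

def lambda_handler(event, context):
    """Lambda entry point; boto3 is provided by the Lambda Python runtime."""
    import boto3
    return {"archived": archive_finding(event, boto3.client("s3"))}

class RecordingS3:
    """Offline stand-in for the boto3 S3 client, so the handler can be run locally."""
    def __init__(self):
        self.objects = {}
    def put_object(self, **kwargs):
        self.objects[(kwargs["Bucket"], kwargs["Key"])] = kwargs
```

Deploy with lambda_handler as the entry point and an EventBridge rule whose pattern matches source aws.guardduty and detail-type GuardDuty Finding; the execution role needs only s3:PutObject on the archive bucket.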

CLI Commands Required

For the GuardDuty operations and S3 bucket configuration above, the following CLI commands are needed:

  • To list all GuardDuty detectors (the source of <detector_id>):
    aws guardduty list-detectors
  • To apply the S3 bucket policy from a local JSON file:
    aws s3api put-bucket-policy --bucket <bucket-name> --policy file://policy.json
  • To configure S3 lifecycle rules from a local JSON file:
    aws s3api put-bucket-lifecycle-configuration --bucket <bucket-name> --lifecycle-configuration file://lifecycle.json

Replace the placeholders with real values. policy.json and lifecycle.json must be valid AWS bucket-policy and lifecycle-configuration documents, otherwise the commands are rejected.

Following these steps and using the CLI commands above will align your GuardDuty findings archiving process with NIST CSF v1, supporting compliance and strengthening your security posture.
