Rule: GuardDuty findings should be archived

Ensure compliance by archiving GuardDuty findings to mitigate risks.

Rule: GuardDuty findings should be archived
Framework: SOC 2
Severity: Medium

Rule/Policy: GuardDuty Findings Archiving for SOC 2 Compliance

Description:

This rule states that GuardDuty findings should be appropriately archived for compliance with SOC 2 requirements. GuardDuty is a threat detection and monitoring service provided by AWS, which can identify potentially malicious and unauthorized activities within an AWS environment. SOC 2 is a widely recognized security standard that focuses on the controls and processes related to data privacy and security.

Archiving GuardDuty findings is crucial for SOC 2 compliance as it ensures that historical security events are retained for audit and analysis purposes. By storing and analyzing the findings, organizations can gain insights into potential security threats, enhance incident response capabilities, and demonstrate adherence to SOC 2 requirements.

Troubleshooting Steps:

If there are any issues with archiving GuardDuty findings for SOC 2 compliance, the following troubleshooting steps can be taken:

1. Verify GuardDuty findings: Ensure that GuardDuty is properly configured and generating accurate findings. Validate that GuardDuty is enabled for the desired AWS accounts and regions.

2. Check CloudWatch Events: GuardDuty findings are automatically delivered to CloudWatch Events for further processing. Check that the necessary CloudWatch Events rules and targets are correctly set up.

3. Evaluate IAM permissions: Ensure that the IAM roles and policies associated with GuardDuty have sufficient permissions to publish findings to CloudWatch Events, S3, or any other designated destination for archiving.

4. Review S3 bucket settings: If S3 is used as the archiving destination, verify the bucket settings and permissions. Ensure that the bucket is properly configured to receive and store GuardDuty findings securely.

5. Monitor the archiving process: Regularly monitor the archiving process to ensure that it is functioning correctly. Check for any errors or failures in forwarding or storing GuardDuty findings.

Necessary Codes:

No specific codes are required for this rule/policy. However, IAM policies and S3 bucket configurations might need to be adjusted based on the specific archiving destination and permissions requirements.

Step-by-step Guide for Remediation:

To ensure GuardDuty findings are properly archived for SOC 2 compliance, follow these step-by-step guidelines:

1. Enable GuardDuty: Ensure that GuardDuty is enabled for the desired AWS accounts and regions. This can be done through the AWS Management Console or by using the AWS CLI with the command:

aws guardduty create-detector --enable

2. Configure CloudWatch Events: Set up a CloudWatch Events rule that matches GuardDuty findings and attach the archiving destination (for example the Lambda function from step 3) as its target; a rule with no target forwards nothing. This can be done through the AWS Management Console or by using the AWS CLI with the commands:

aws events put-rule --name GuardDutyFindingsRule --event-pattern "{\"source\":[\"aws.guardduty\"],\"detail-type\":[\"GuardDuty Finding\"]}"
aws events put-targets --rule GuardDutyFindingsRule --targets "Id"="archive","Arn"="<target-arn>"

3. Create a Lambda Function (optional): If custom processing or analysis is required before archiving, you can create a Lambda function and configure it as a target for the CloudWatch Events rule. This function can transform or filter GuardDuty findings according to your specific requirements.

4. Create an S3 Bucket (optional): If S3 is chosen as the archiving destination, create an S3 bucket to store GuardDuty findings. Ensure proper encryption and access controls are in place. This can be done through the AWS Management Console or by using the AWS CLI with the command (the LocationConstraint is required for every region except us-east-1):

aws s3api create-bucket --bucket guardduty-findings-bucket --region us-west-2 --create-bucket-configuration LocationConstraint=us-west-2

5. Configure GuardDuty: GuardDuty delivers every finding to CloudWatch Events automatically, so the rule created in step 2 receives findings without further configuration. To also export findings directly to the S3 bucket created in step 4, create a publishing destination. S3 is the only supported destination type, a KMS key for encrypting the exported findings is required, and the bucket policy and key policy must grant access to guardduty.amazonaws.com. This can be done through the AWS Management Console or by using the AWS CLI with the command:

aws guardduty create-publishing-destination --detector-id <detector-id> --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::guardduty-findings-bucket,KmsKeyArn=arn:aws:kms:<region>:<account>:key/<key-id>

6. Test and Monitor: Continuously monitor the archiving process to ensure that GuardDuty findings are being correctly forwarded to the designated archiving destination. Regularly review archived findings to assess any potential security threats or anomalies.
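As an added example (not code from this page or from Cloud Defense), the following Lambda handler implements the optional processing step above: it accepts the event that a CloudWatch Events rule delivers for a GuardDuty finding, rejects anything that is not a GuardDuty finding, labels the finding with GuardDuty's severity band, and writes it to a date-partitioned key in the archive bucket. The sample event, bucket name and the `ARCHIVE_BUCKET` environment variable are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape CloudWatch Events delivers GuardDuty findings
# (trimmed; the account, region and finding id are placeholders, not real data).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "region": "us-west-2",
    "time": "2024-05-01T12:34:56Z",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
        "severity": 5,
        "accountId": "111122223333",
        "updatedAt": "2024-05-01T12:34:56.000Z",
    },
}

def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands: Low < 4, Medium 4-6.9, High 7+."""
    if score >= 7:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"

def archive_key(event):
    """Build a year/month/day/account/finding-id key so auditors can list findings by day."""
    ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return f"guardduty/{ts:%Y/%m/%d}/{event['account']}/{event['detail']['id']}.json"

def archive_finding(event, bucket, put_object):
    """Validate the event, add a severity label and store it via put_object(bucket, key, body)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event; refusing to archive")
    record = dict(event)
    record["severity_label"] = severity_label(event["detail"]["severity"])
    key = archive_key(event)
    put_object(bucket, key, json.dumps(record, sort_keys=True).encode())
    return key, record["severity_label"]

def lambda_handler(event, context):
    """Lambda entry point; ARCHIVE_BUCKET is an assumed environment variable set on the function."""
    import os, boto3  # imported here so archive_finding stays testable without AWS credentials
    s3 = boto3.client("s3")
    return archive_finding(event, os.environ["ARCHIVE_BUCKET"],
        lambda b, k, body: s3.put_object(Bucket=b, Key=k, Body=body, ServerSideEncryption="aws:kms"))
```

The Lambda execution role needs only `s3:PutObject` on the archive bucket prefix (plus `kms:GenerateDataKey` on the bucket's key if a customer-managed key is used), which keeps the archiving path write-only.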

Following these steps will ensure that GuardDuty findings are properly archived for SOC 2 compliance, enabling organizations to meet the necessary security and auditing standards.
