Enable GuardDuty Rule

This rule checks that Amazon GuardDuty is enabled in the account; it fails when a region has no GuardDuty detector or the detector is suspended.

Rule: GuardDuty should be enabled
Framework: CISA-cyber-essentials
Severity: High

Rule Description:

The rule requires that Amazon GuardDuty is enabled in the AWS account; the check is mapped to the CISA Cyber Essentials framework. GuardDuty is a managed threat detection service that continuously analyzes AWS CloudTrail management events, Amazon VPC Flow Logs and Route 53 DNS query logs (and, with its optional protection plans, sources such as S3 data events and EKS audit logs) for signs of compromise, reconnaissance and unauthorized activity. Two points matter for this check: GuardDuty is a regional service, so it must be enabled in every region the account can use, not only the regions where workloads run, and in a multi-account organization it is best enabled centrally through a delegated administrator account with auto-enable for new member accounts. An account with GuardDuty enabled in all regions gains continuous detection coverage and satisfies this control.

Troubleshooting Steps:

If this rule reports GuardDuty as not enabled, work through the following steps to find the cause:

  1. Check GuardDuty detector status: In the GuardDuty console for the region that failed the check, confirm that a detector exists and that its status is Enabled. An account holds at most one detector per region; if the console shows the "Get Started" page, no detector exists. If the detector exists but GuardDuty was suspended, re-enable it from the Settings page.

  2. Check every region: GuardDuty is regional, so repeat the previous step for each region the account can use, including regions with no workloads. Attackers deliberately operate in unmonitored regions, and a single region without a detector fails this rule.

  3. Review IAM permissions: GuardDuty does not use a customer-managed IAM role to read CloudTrail, VPC Flow Logs or DNS logs; it consumes those sources directly through its service-linked role (AWSServiceRoleForAmazonGuardDuty), which is created automatically when the detector is first enabled, and it does not require CloudTrail or VPC Flow Logs to be turned on in the account. What the operator enabling GuardDuty needs is permission to call guardduty:CreateDetector and guardduty:UpdateDetector and to create the service-linked role (iam:CreateServiceLinkedRole). A failed enablement is usually an IAM deny on one of these calls or a service control policy in the organization.

  4. Evaluate CloudFormation templates: If the account is provisioned with AWS CloudFormation, confirm that the templates declare an AWS::GuardDuty::Detector resource with Enable set to true in every region they are deployed to, and that a later stack update or deletion has not removed it.

  5. Verify Security Hub integration (optional): Sending GuardDuty findings to AWS Security Hub is not a prerequisite for this rule, but if Security Hub is used for triage, confirm in the Security Hub console, under Integrations, that the Amazon GuardDuty integration is accepting findings, so that an enabled detector is actually visible to the people watching for alerts.

Necessary Codes:

No custom code is required to enable GuardDuty. The configuration can be done in the AWS Management Console by following the step-by-step guide below, with the AWS CLI (aws guardduty create-detector --enable, run once per region), or through infrastructure as code with the AWS::GuardDuty::Detector CloudFormation resource.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console with credentials permitted to call guardduty:CreateDetector and iam:CreateServiceLinkedRole.

  2. Navigate to the GuardDuty service and select the region that failed the check.

  3. If GuardDuty is not already active in that region, click "Get Started" and then "Enable GuardDuty". This creates the region's detector and the service-linked role GuardDuty uses to read CloudTrail management events, VPC Flow Logs and DNS logs.

  4. Once the detector exists, configure it for your organization: choose the finding export frequency (fifteen minutes is the fastest cadence for delivery to Amazon EventBridge and Security Hub), and, if you use Security Hub, confirm findings are being accepted there.

  5. Enable the protection plans your environment needs (for example S3 Protection for accounts holding sensitive buckets, EKS Protection for clusters) in addition to the foundational data sources that every detector analyzes.

  6. If enablement fails, check the IAM policies and service control policies that apply to the calling identity; GuardDuty itself needs no customer-managed role and no access to your log buckets.

  7. Repeat steps 2 to 5 in every region available to the account. In an AWS Organizations environment, prefer designating a delegated GuardDuty administrator account, adding all members, and turning on auto-enable so new accounts and regions are covered without manual steps.

  8. Route findings somewhere they will be acted on (Security Hub, an EventBridge rule to a ticketing or chat system) and review them regularly; an enabled detector whose findings nobody reads satisfies the check but not the control.
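The troubleshooting steps and the remediation guide above both come down to the same two API operations per region: list the detector and read its status, then create or re-enable it. The following script, written for this page as an added example rather than Cloud Defense's rule engine or AWS-provided code, performs that audit and remediation across regions through boto3. The boto3 calls used (list_detectors, get_detector, create_detector, update_detector, get_available_regions) are real; the FakeGuardDuty client and the three-region sample account are constructed here so the script runs offline, and the `--live` and `--fix` flags are this example's own conventions.

```python
"""Audit and remediate Amazon GuardDuty region by region.

Added example for this page. A real run assumes boto3 is installed and the
caller holds guardduty:ListDetectors, guardduty:GetDetector,
guardduty:CreateDetector, guardduty:UpdateDetector and, on first enablement
in an account, iam:CreateServiceLinkedRole.
"""
from typing import Callable, Dict, Iterable, Tuple

# Per-region outcomes reported by the audit.
NO_DETECTOR = "NO_DETECTOR"  # nothing monitors this region: the rule fails
DISABLED = "DISABLED"        # detector exists but is suspended: the rule fails
ENABLED = "ENABLED"          # the rule passes for this region


def region_status(client) -> str:
    """Classify one region from the GuardDuty API as missing, suspended or enabled."""
    ids = client.list_detectors().get("DetectorIds", [])
    if not ids:
        return NO_DETECTOR
    # An account holds at most one detector per region, so ids[0] is the detector.
    detector = client.get_detector(DetectorId=ids[0])
    return ENABLED if detector["Status"] == "ENABLED" else DISABLED


def audit(regions: Iterable[str], client_for: Callable[[str], object]) -> Dict[str, str]:
    """Map every region to its detector status; any non-ENABLED entry fails the rule."""
    return {region: region_status(client_for(region)) for region in regions}


def remediate(regions: Iterable[str], client_for: Callable[[str], object]) -> Dict[str, str]:
    """Create or re-enable detectors so every region passes; returns the action per region."""
    actions: Dict[str, str] = {}
    for region in regions:
        client = client_for(region)
        status = region_status(client)
        if status == NO_DETECTOR:
            # FIFTEEN_MINUTES is the fastest export cadence to EventBridge / Security Hub.
            client.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
            actions[region] = "created"
        elif status == DISABLED:
            detector_id = client.list_detectors()["DetectorIds"][0]
            client.update_detector(DetectorId=detector_id, Enable=True)
            actions[region] = "re-enabled"
        else:
            actions[region] = "unchanged"
    return actions


class FakeGuardDuty:
    """Constructed in-memory stand-in for boto3's GuardDuty client, for offline runs."""

    def __init__(self, detectors: Dict[str, str]):
        self.detectors = dict(detectors)  # {detector_id: "ENABLED" | "DISABLED"}

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def get_detector(self, DetectorId):
        return {"Status": self.detectors[DetectorId]}

    def create_detector(self, Enable, FindingPublishingFrequency):
        self.detectors["fake-detector"] = "ENABLED" if Enable else "DISABLED"
        return {"DetectorId": "fake-detector"}

    def update_detector(self, DetectorId, Enable):
        self.detectors[DetectorId] = "ENABLED" if Enable else "DISABLED"
        return {}


def make_sample() -> Dict[str, FakeGuardDuty]:
    """Constructed sample account: one healthy region, one suspended, one never enabled."""
    return {
        "us-east-1": FakeGuardDuty({"12abc": "ENABLED"}),
        "eu-west-1": FakeGuardDuty({"34def": "DISABLED"}),
        "ap-southeast-2": FakeGuardDuty({}),
    }


def sample_run() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Audit, remediate and re-audit the sample; returns (before, actions, after)."""
    clients = make_sample()
    before = audit(clients, clients.__getitem__)
    actions = remediate(clients, clients.__getitem__)
    after = audit(clients, clients.__getitem__)
    return before, actions, after


def live_clients():
    """Real boto3 client factory covering every region where GuardDuty is offered."""
    import boto3  # imported here so the offline sample works without boto3 installed
    session = boto3.session.Session()
    regions = session.get_available_regions("guardduty")
    return regions, (lambda region: session.client("guardduty", region_name=region))


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        regions, factory = live_clients()
        print(remediate(regions, factory) if "--fix" in sys.argv else audit(regions, factory))
    else:
        print(sample_run())
```

Run without arguments to see the audit, the actions and the clean re-audit over the constructed sample; run with `--live` against real credentials for a read-only audit of every GuardDuty region, and add `--fix` to create or re-enable detectors. The audit deliberately treats a missing detector and a suspended one as distinct failures, since the fix differs (create versus update) and a suspended detector usually means someone turned GuardDuty off on purpose, which is worth investigating before switching it back on.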

Remember to refer to the official AWS GuardDuty documentation and CISA Cyber Essentials guidelines for detailed instructions tailored to your specific environment and requirements.

Note: It is essential to continually review and update your security measures based on evolving threats and best practices to maintain an effective security posture.

Conclusion:

Enabling GuardDuty in every region of the account satisfies this CISA Cyber Essentials check and gives you continuous detection of compromised credentials, reconnaissance and other unauthorized activity in your AWS environment. The troubleshooting steps and remediation guide above let you confirm that a detector exists and is active wherever the account can operate. Regular review of GuardDuty findings, and routing them to whoever responds to incidents, is what turns the enabled control into actual security value.
