Rule: GuardDuty Findings Should Be Archived
Ensure all GuardDuty findings are properly archived for compliance.
| Rule | GuardDuty findings should be archived |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | ✔ Medium |
Rule: Archiving GuardDuty Findings for FFIEC Compliance
Description:
This rule aims to ensure compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines by archiving all GuardDuty findings. The FFIEC provides regulatory and supervisory guidance for financial institutions in the United States. By archiving GuardDuty findings, financial institutions can meet the FFIEC's requirements for record keeping and incident response.
Troubleshooting Steps:
If you encounter any issues with archiving GuardDuty findings, follow these troubleshooting steps:
- 1.Ensure that you have the necessary IAM permissions to configure GuardDuty and manage S3 buckets.
- 2.Verify that the target S3 bucket for archiving is properly configured and allows write access.
- 3.Check the Amazon S3 service for any operational issues or storage limitations.
- 4.Review the GuardDuty service documentation and AWS Knowledge Center for any specific issues related to archiving findings.
Necessary Codes:
No specific codes are required for this rule, as it involves configuration and archiving settings within GuardDuty and Amazon S3.
Step-by-Step Guide for Remediation:
Step 1: Enable GuardDuty
- 1.Open the AWS Management Console.
- 2.Navigate to the GuardDuty service.
- 3.Click on "Enable GuardDuty" if it is not already enabled.
- 4.Follow the on-screen instructions to complete the GuardDuty setup.
Step 2: Configure GuardDuty Findings Archive
- 1.Open the AWS Management Console.
- 2.Navigate to the GuardDuty service.
- 3.Click on "Findings" in the left navigation pane.
- 4.Click on the "Archiving" tab.
- 5.Enable the "Enable findings archiving" option.
- 6.Select the S3 bucket where you want to store the findings.
- 7.Optionally, you can specify a prefix for the findings in the S3 bucket.
- 8.Click "Save" to save the settings.
Step 3: Verify GuardDuty Findings Archiving
- 1.Open the AWS Management Console.
- 2.Navigate to the GuardDuty service.
- 3.Click on "Findings" in the left navigation pane.
- 4.Ensure that there are findings generated by GuardDuty.
- 5.Check the specified S3 bucket to see if the findings are being successfully archived.
- 6.Review the archived findings to ensure they are being stored correctly and are accessible.
Step 4: Incident Response and Record Keeping
- 1.Ensure that appropriate personnel within your organization are notified about GuardDuty findings.
- 2.Define an incident response plan to address and remediate any findings or alerts.
- 3.Maintain a record of all findings and their respective resolution steps.
- 4.Regularly review and update your incident response plan based on the GuardDuty findings.
Conclusion:
By following this rule, financial institutions can maintain compliance with FFIEC guidelines by archiving GuardDuty findings. Archiving findings is essential for incident response, record keeping, and demonstrating regulatory compliance. Regularly review and monitor the archived findings to stay on top of potential security threats and vulnerabilities within the environment.