
Rule: Ensure GuardDuty Findings Are Archived

This rule checks that GuardDuty findings are reviewed and archived, and that the findings record is retained, so that threat detections are actually worked through rather than left open.

Rule: GuardDuty findings should be archived
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

Rule Description:

The rule states that GuardDuty findings should be archived, and maps this to the Federal Financial Institutions Examination Council (FFIEC) framework. GuardDuty is the threat detection service of Amazon Web Services (AWS): it continuously analyses sources such as CloudTrail events, VPC flow logs and DNS logs and raises a finding for each instance of suspected malicious or unauthorized activity. A finding starts in the "current" state and stays there until someone archives it. Archiving is GuardDuty's way of recording that a finding has been investigated and resolved: the finding's archived attribute becomes true and it drops out of the default console view, but it is not deleted. This rule flags findings that are still current, that is, findings nobody has closed out. Note that archiving is distinct from exporting: GuardDuty retains findings for 90 days, so exporting them to an S3 bucket is what preserves the history for later examination. FFIEC is the interagency body that sets uniform supervisory standards for US financial institutions; keeping a reviewed and retained record of security events supports those expectations but does not by itself satisfy them.

Troubleshooting Steps (if applicable):

  1. Verify GuardDuty service activation: Ensure that GuardDuty is enabled in every region you use. You can check this by navigating to the GuardDuty service in the AWS Management Console and confirming that a detector exists and is enabled; a region with no detector produces no findings at all, which this rule will not catch.

  2. Check FFIEC compliance requirements: Review the specific requirements that apply to your institution (for example, how long security event records must be retained and who must review them). This determines your review cadence and the retention period for exported findings.

  3. Triage and archive reviewed findings: In the GuardDuty console the Findings page shows current (unarchived) findings by default. Investigate each finding and, once it is resolved or confirmed benign, archive it from the console (Actions > Archive) or through the ArchiveFindings API. Only archive findings you have actually investigated: an archived finding disappears from the default view, so archiving an uninvestigated finding hides a potential incident rather than resolving it.

  4. Configure findings export for retention: GuardDuty keeps findings for 90 days. To retain them longer, set up an S3 bucket with server-side encryption using a KMS key, and configure findings export (Settings > Findings export options) to that bucket. Both the bucket policy and the KMS key policy must allow the guardduty.amazonaws.com service principal, and the caller needs permission to change the detector's export settings.

  5. Test the setup: Generate sample findings (Settings > Generate sample findings, or the CreateSampleFindings API), confirm that they appear as current findings, archive them and confirm they move to the Archived view, and check that the exported objects arrive in the designated S3 bucket.

Necessary Codes (if required):

No code is required for this rule; both archiving and export can be completed from the console. The equivalent API operations, if you automate it, are ListFindings (filtering on service.archived equal to false), ArchiveFindings, and CreatePublishingDestination for the S3 export.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Navigate to the GuardDuty service.
  3. Ensure that GuardDuty is enabled. If not, click "Enable GuardDuty" and follow the prompts to activate the service. Repeat for each region in use.
  4. Understand the compliance requirements set by FFIEC for financial institutions, in particular the retention period and review expectations for security event records.
  5. Review and archive findings:

    Open the Findings page. The default filter shows current (unarchived) findings.

    Investigate each finding. Once it has been resolved or confirmed benign, select it and choose Actions > Archive. Several findings can be selected and archived together.

    Switch the view to Archived to confirm the findings moved. Do not archive findings that have not been investigated.

    For recurring benign findings (for example, port probes from your own vulnerability scanner), create a suppression rule from the current filter; GuardDuty then archives new matching findings automatically. Review suppression rules periodically so that they do not silently hide real activity.

  6. Create an S3 bucket for long-term retention (if not already available):

    Go to the S3 service in the AWS Management Console.

    Click "Create bucket" and provide a unique name for the bucket.

    Keep "Block all public access" enabled and select server-side encryption with a KMS key (SSE-KMS); GuardDuty export requires a KMS key.

    Click "Create" to create the S3 bucket.

  7. Configure GuardDuty to export findings to the bucket:

    Open the GuardDuty console and go to Settings.

    Under "Findings export options", click "Configure now".

    Choose the existing bucket created in step 6, and select the KMS key to encrypt the exported findings. Confirm that the bucket policy and the key policy allow the guardduty.amazonaws.com service principal; the console offers to attach the required policies.

    Choose the frequency for updated findings (15 minutes, 1 hour, or 6 hours) and click "Save".

  8. Verify the setup: generate sample findings from Settings, check that they appear on the Findings page, archive them and confirm they show under the Archived view, then check the S3 bucket for the exported objects.
  9. Regularly review new findings, archive them once investigated, and ensure the exported records in the S3 bucket are retained for the period FFIEC requires (for example, with an S3 lifecycle rule and Object Lock where appropriate).
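The troubleshooting steps and the remediation guide above describe the same procedure: find findings that are still current, archive them once reviewed, and export findings to S3 for retention. The following is an added example, not Cloud Defense's or AWS's code, that automates that procedure with boto3. It evaluates the rule over a constructed sample of findings (trimmed to the shape of a GetFindings response), batches IDs for the ArchiveFindings limit of 50 per request, and wraps the live ListFindings, ArchiveFindings and CreatePublishingDestination calls. The detector ID, bucket ARN and KMS key ARN in the usage block are placeholders; boto3 and credentials with the corresponding guardduty permissions are assumed only for the live calls.

```python
"""Evaluate and remediate "GuardDuty findings should be archived".

Added example for this page; not Cloud Defense's, AWS's or any project's
code. The live AWS calls assume boto3 is installed and that the caller has
guardduty:ListFindings, guardduty:ArchiveFindings and
guardduty:CreatePublishingDestination. SAMPLE_FINDINGS is constructed to
mimic the fields of a GetFindings response that the rule looks at.
"""
from __future__ import annotations

from typing import Iterator, Sequence

# ArchiveFindings accepts at most 50 finding IDs per request.
ARCHIVE_BATCH_SIZE = 50

# ListFindings criterion returning only unarchived findings. GuardDuty
# compares attributes against string values, hence "false" not False.
UNARCHIVED_CRITERIA = {"Criterion": {"service.archived": {"Eq": ["false"]}}}

# Constructed sample findings (real GuardDuty finding types, fake IDs).
SAMPLE_FINDINGS = [
    {"Id": "finding-a", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "Service": {"Archived": True}},
    {"Id": "finding-b", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "Severity": 5.0, "Service": {"Archived": False}},
    {"Id": "finding-c", "Type": "Backdoor:EC2/C&CActivity.B!DNS",
     "Severity": 8.0, "Service": {}},  # no Archived key: still current
]


def evaluate(findings: Sequence[dict]) -> dict[str, str]:
    """Map each finding ID to the rule status: 'ok' if archived, else 'alarm'."""
    return {
        f["Id"]: "ok" if f.get("Service", {}).get("Archived") else "alarm"
        for f in findings
    }


def unarchived_ids(findings: Sequence[dict]) -> list[str]:
    """IDs of findings that are still current and therefore fail the rule."""
    return [fid for fid, status in evaluate(findings).items() if status == "alarm"]


def batches(ids: Sequence[str], size: int = ARCHIVE_BATCH_SIZE) -> Iterator[list[str]]:
    """Split IDs into chunks that fit in one ArchiveFindings request."""
    for start in range(0, len(ids), size):
        yield list(ids[start:start + size])


def list_unarchived_ids(detector_id: str, session=None) -> list[str]:
    """Fetch every unarchived finding ID for a detector, following pagination."""
    import boto3  # imported here so the pure functions above work offline
    guardduty = (session or boto3.Session()).client("guardduty")
    ids: list[str] = []
    paginator = guardduty.get_paginator("list_findings")
    for page in paginator.paginate(DetectorId=detector_id,
                                   FindingCriteria=UNARCHIVED_CRITERIA):
        ids.extend(page.get("FindingIds", []))
    return ids


def archive_findings(detector_id: str, ids: Sequence[str],
                     dry_run: bool = True, session=None) -> int:
    """Archive reviewed findings in batches of 50; returns the count handled.

    dry_run=True only reports how many would be archived. Only pass IDs that
    have actually been investigated: archiving hides, it does not resolve.
    """
    if dry_run:
        return len(ids)
    import boto3
    guardduty = (session or boto3.Session()).client("guardduty")
    archived = 0
    for batch in batches(ids):
        guardduty.archive_findings(DetectorId=detector_id, FindingIds=batch)
        archived += len(batch)
    return archived


def configure_export(detector_id: str, bucket_arn: str, kms_key_arn: str,
                     session=None) -> str:
    """Create the S3 publishing destination (findings export) for a detector.

    GuardDuty requires a KMS key; the bucket and key policies must already
    allow the guardduty.amazonaws.com service principal. Returns the ID.
    """
    import boto3
    guardduty = (session or boto3.Session()).client("guardduty")
    resp = guardduty.create_publishing_destination(
        DetectorId=detector_id,
        DestinationType="S3",
        DestinationProperties={"DestinationArn": bucket_arn,
                               "KmsKeyArn": kms_key_arn},
    )
    return resp["DestinationId"]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for fid, status in evaluate(SAMPLE_FINDINGS).items():
        print(f"{fid}: {status}")
    pending = unarchived_ids(SAMPLE_FINDINGS)
    print("would archive", archive_findings("DETECTOR_ID_PLACEHOLDER", pending))
    # Live use (placeholders; uncomment with real values):
    # ids = list_unarchived_ids("DETECTOR_ID_PLACEHOLDER")
    # archive_findings("DETECTOR_ID_PLACEHOLDER", reviewed_subset, dry_run=False)
    # configure_export("DETECTOR_ID_PLACEHOLDER",
    #                  "arn:aws:s3:::example-guardduty-archive",
    #                  "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID")
```

The evaluation treats a missing Archived key the same as false, which matches how the rule sees a current finding. Keep dry_run on until the ID list you pass has been reviewed; the point of the rule is that findings are closed after investigation, and a blanket archive of everything returned by ListFindings would satisfy the check while defeating its purpose.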

Remember to follow any additional guidelines and security best practices provided by AWS and FFIEC to ensure the overall security and compliance of your AWS environment.
