Ensure GuardDuty is enabled to comply with the high-severity control in the Threat Intelligence and Collaboration benchmark.
| Rule | GuardDuty should be enabled |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | ✔ High |
Rule Description:
The rule states that GuardDuty should be enabled for the Federal Financial Institutions Examination Council (FFIEC) benchmark. GuardDuty is a managed threat detection service from AWS that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior. Enabling it helps the financial institution improve its security posture and meet FFIEC expectations by identifying potential security threats as they emerge rather than after the fact.
Troubleshooting Steps:
Ensure you have the necessary permissions: To enable GuardDuty you need appropriate IAM permissions in your AWS account. Make sure you have the access required to enable GuardDuty and to view and manage its findings.
Verify GuardDuty support: Confirm that GuardDuty is available in the AWS region where your FFIEC workloads are deployed. Not every AWS service is available in every region, so check that GuardDuty is supported in each relevant region.
Check FFIEC requirements: Review the specific FFIEC requirements related to threat detection and monitoring. Be clear on what is expected and how GuardDuty should be configured to meet those requirements.
Enable GuardDuty in the AWS Management Console:
a. Sign in to the AWS Management Console.
b. Open the GuardDuty console.
c. Click on "Get Started" if you are enabling GuardDuty for the first time, or navigate to the settings if GuardDuty is already enabled.
d. Select the AWS region where your FFIEC workloads are deployed.
e. Click on "Enable GuardDuty" and wait for the service to become active.
Configure GuardDuty: Once GuardDuty is enabled, configure it to align with FFIEC requirements. This may include confirming that the log sources it analyzes (such as AWS CloudTrail) are active, enabling the threat detection features you need, deciding which finding severities require action, and configuring notifications.
Review and respond to GuardDuty findings: Monitor the GuardDuty findings in the console on a regular schedule. Investigate any potential security threats or suspicious activity GuardDuty reports, and carry out appropriate remediation to address the identified issues.
Code/Configuration:
No specific code or configuration is required to enable GuardDuty for FFIEC. The steps in the troubleshooting section outline the actions needed to enable and configure GuardDuty using the AWS Management Console. Note that GuardDuty is a regional service, so both the check and the remediation apply to each region in which you run workloads.
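Although the console path needs no code, an auditor will usually want a repeatable check that evaluates every region and can remediate a missing or disabled detector. The following is an added example and is not part of the original page or of any AWS tooling; `FakeGuardDuty` and the detector ids it returns are constructed for illustration, and the live run at the bottom assumes boto3 and AWS credentials are available.

```python
from dataclasses import dataclass

@dataclass
class RegionResult:
    region: str
    status: str  # "ok" or "alarm", mirroring the benchmark's control states
    reason: str

def evaluate_region(region, client):
    """Evaluate one region. `client` needs list_detectors() and
    get_detector(DetectorId=...), as a boto3 GuardDuty client provides."""
    ids = client.list_detectors().get("DetectorIds", [])
    if not ids:  # an account has at most one detector per region
        return RegionResult(region, "alarm", "no GuardDuty detector")
    status = client.get_detector(DetectorId=ids[0]).get("Status")
    if status != "ENABLED":
        return RegionResult(region, "alarm", f"detector {ids[0]} is {status}")
    return RegionResult(region, "ok", f"detector {ids[0]} is ENABLED")

def audit_account(regions, client_factory):
    """client_factory(region) returns a GuardDuty client for that region."""
    return [evaluate_region(r, client_factory(r)) for r in regions]

def remediate_region(client):
    """Create a detector if the region has none, otherwise re-enable it."""
    ids = client.list_detectors().get("DetectorIds", [])
    if not ids:
        return client.create_detector(Enable=True)["DetectorId"]
    client.update_detector(DetectorId=ids[0], Enable=True)
    return ids[0]

class FakeGuardDuty:
    """Constructed stand-in for a boto3 client so the audit runs offline."""
    def __init__(self, detector_id=None, status="ENABLED"):
        self.detector_id, self.status = detector_id, status
    def list_detectors(self):
        return {"DetectorIds": [self.detector_id] if self.detector_id else []}
    def get_detector(self, DetectorId):
        return {"Status": self.status}
    def create_detector(self, Enable):
        self.detector_id, self.status = "new-detector", "ENABLED"
        return {"DetectorId": self.detector_id}
    def update_detector(self, DetectorId, Enable):
        self.status = "ENABLED" if Enable else "DISABLED"

if __name__ == "__main__":
    import boto3  # live run: one GuardDuty client per enabled region
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for res in audit_account(regions, lambda r: boto3.client("guardduty", region_name=r)):
        print(f"{res.status:5} {res.region:15} {res.reason}")
```

Replace `FakeGuardDuty` with a real client to run the audit against an account; a region with no detector and one whose detector is DISABLED both report `alarm`, matching how the benchmark grades the control.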
Remediation Steps:
Open the AWS Management Console and navigate to the GuardDuty service.
If you are enabling GuardDuty for the first time, click on "Get Started". Otherwise, go to the settings section.
Select the AWS region where your FFIEC workloads are deployed to ensure GuardDuty covers the relevant resources.
Click on "Enable GuardDuty" and wait for the service to become active.
Next, configure GuardDuty according to the FFIEC requirements:
Confirm the AWS CloudTrail data source: Make sure GuardDuty is receiving CloudTrail events so it has the account activity it needs to detect threats.
Tune the threat intelligence sources: Choose the threat intelligence sources GuardDuty uses and decide which finding severities require action, in line with FFIEC requirements and your organization's security policies.
Configure notifications: Set up notifications so that GuardDuty findings generate alerts. Define the appropriate channels and recipients so that potential security threats receive a timely response.
Customize threat detection settings: Adjust the settings as needed to improve detection of the specific threats relevant to FFIEC compliance requirements.
Regularly review GuardDuty findings in the console and investigate any reported security threats. Take appropriate remedial action to mitigate the risks GuardDuty identifies.
By following these steps you can enable GuardDuty for FFIEC and continuously monitor your AWS environment for potential security threats, helping to ensure compliance with FFIEC guidelines.