
Rule: GuardDuty findings should be archived

This rule ensures that GuardDuty findings are properly archived to enhance incident response procedures.

Rule: GuardDuty findings should be archived
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description:

This rule specifies that all GuardDuty findings should be archived according to the guidelines set by the National Institute of Standards and Technology (NIST) 800-171 Revision 2. GuardDuty is a managed threat detection service offered by AWS, which continuously monitors AWS account activities for suspicious behavior and malicious activity.

Troubleshooting Steps:

There are no specific troubleshooting steps required for this rule, as it is more of a configuration and policy guideline. However, it is important to ensure that the proper configuration and setup are in place to archive GuardDuty findings in compliance with the NIST 800-171 Revision 2.

Necessary Codes:

No specific codes are required for this rule. However, some configuration changes may be needed to ensure proper archiving of GuardDuty findings.

Step-by-step Guide for Remediation:

  1. Review NIST 800-171 Revision 2 Guidelines: Familiarize yourself with the guidelines provided by NIST 800-171 Revision 2. Understand the requirements for storing and archiving security-related findings.

  2. Enable GuardDuty: Enable the GuardDuty service for your AWS account if you haven't done so already. GuardDuty can be enabled via the AWS Management Console or by using AWS Command Line Interface (CLI) commands.

  3. Create an S3 Bucket: Create a new S3 bucket or choose an existing one to store the archived GuardDuty findings. Ensure that the bucket is properly configured with appropriate access controls and permissions.

  4. Configure GuardDuty to Archive Findings: Configure GuardDuty to send findings to the designated S3 bucket. This can be done using the AWS Management Console or CLI commands. Specify the bucket name and other necessary parameters.

  5. Verify Archiving Configuration: Verify that the GuardDuty findings are being successfully sent to the designated S3 bucket. Monitor the bucket for any new findings and ensure they are properly archived.

  6. Periodic Review of Archive Data: Regularly review the archived GuardDuty findings stored in the S3 bucket. Ensure that the retention periods specified by NIST 800-171 Revision 2 are met and maintained.

  7. Proper Handling of Sensitive Data: Ensure that any sensitive information contained within GuardDuty findings, such as personally identifiable information (PII), is handled and secured according to relevant data protection and privacy regulations.

  8. Implement Remediation Actions: Take appropriate remediation actions based on the findings identified by GuardDuty. Promptly respond to any security incidents or potential threats as per your incident response plan.

  9. Continuous Monitoring and Compliance: Continuously monitor GuardDuty findings, review the effectiveness of the archiving process, and ensure ongoing compliance with NIST 800-171 Revision 2 guidelines.
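The following Python helper is an added example (not part of the Cloud Defense rule page or AWS tooling) that automates the checks behind steps 5 and 6: it confirms the S3 export destination is actually publishing, and only then selects findings that have stayed unarchived beyond a retention window so they can be passed to `aws guardduty archive-findings --finding-ids`. The two JSON documents are constructed samples in the shape of `aws guardduty describe-publishing-destination` and `aws guardduty get-findings` output; the detector ID, bucket and KMS key ARNs are placeholders.

```python
"""Evaluate GuardDuty CLI output for the 'findings should be archived' rule.
Added example with constructed sample data; nothing here calls AWS."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws guardduty describe-publishing-destination` output.
DESTINATION = json.loads("""{
  "DestinationId": "EXAMPLE-DESTINATION-ID",
  "DestinationType": "S3",
  "Status": "PUBLISHING",
  "DestinationProperties": {
    "DestinationArn": "arn:aws:s3:::example-guardduty-archive",
    "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"
  }
}""")

# Constructed sample of `aws guardduty get-findings` output (fields trimmed).
FINDINGS = json.loads("""{"Findings": [
  {"Id": "finding-a", "Severity": 5, "UpdatedAt": "2024-01-02T10:00:00.000Z",
   "Service": {"Archived": false}},
  {"Id": "finding-b", "Severity": 8, "UpdatedAt": "2024-03-01T10:00:00.000Z",
   "Service": {"Archived": false}},
  {"Id": "finding-c", "Severity": 2, "UpdatedAt": "2023-12-20T10:00:00.000Z",
   "Service": {"Archived": true}}
]}""")

NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)  # fixed "now" for the sample


def export_destination_ok(dest: dict) -> bool:
    """Step 5: the destination must be an S3 bucket, encrypted with a KMS key,
    and in PUBLISHING state. PENDING_VERIFICATION or a failed destination means
    findings are not reaching the archive bucket."""
    props = dest.get("DestinationProperties", {})
    return (dest.get("DestinationType") == "S3"
            and dest.get("Status") == "PUBLISHING"
            and props.get("DestinationArn", "").startswith("arn:aws:s3:::")
            and bool(props.get("KmsKeyArn")))


def findings_to_archive(resp: dict, dest: dict, now: datetime, max_age_days: int) -> list:
    """Step 6: IDs of findings still unarchived after max_age_days. Returns nothing
    if the S3 export is unhealthy, because archiving would hide findings from the
    console before a durable copy exists."""
    if not export_destination_ok(dest):
        return []
    cutoff = now - timedelta(days=max_age_days)
    ids = []
    for f in resp["Findings"]:
        if f["Service"]["Archived"]:
            continue  # already archived, nothing to do
        updated = datetime.strptime(f["UpdatedAt"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if updated < cutoff:
            ids.append(f["Id"])
    return ids
```

With the sample data, only `finding-a` is returned: `finding-b` is still within the 30-day window and `finding-c` is already archived.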

By following the above step-by-step guide, you will be able to ensure that your GuardDuty findings are appropriately archived in compliance with NIST 800-171 Revision 2 requirements.
