This rule ensures proper archiving of GuardDuty findings to maintain compliance.
Rule | GuardDuty findings should be archived
Framework | NIST 800-53 Revision 4
Severity | Medium
Rule Description:
This rule ensures that all GuardDuty findings are archived in compliance with the NIST 800-53 Revision 4 standard. Archiving findings helps in maintaining audit trails, investigating incidents, and complying with regulatory requirements.
Troubleshooting Steps:
Check if GuardDuty is enabled: Verify that GuardDuty is enabled in your AWS account by navigating to the GuardDuty service in the AWS Management Console. If it is not enabled, follow the steps to enable it.
Verify S3 bucket permissions: Ensure that the S3 bucket configured to store GuardDuty findings has the appropriate permissions to write the archived findings. Check the bucket policy and access controls to confirm that GuardDuty has the necessary permissions to write to the bucket.
Verify IAM role permissions: Confirm that the IAM role associated with GuardDuty has the required permissions to access and write to the S3 bucket. If the role does not have the necessary permissions, update the role with the required policies.
Check CloudWatch Event Rule: Ensure that you have configured a CloudWatch Event Rule to trigger the archival process whenever a new GuardDuty finding is detected. Confirm that the event rule has the correct configuration and target S3 bucket.
Review CloudTrail logs: Check the CloudTrail logs for any relevant events or errors related to GuardDuty findings archival. Look for any error messages that can help identify the root cause of the issue.
Necessary Codes:
No specific codes are required for this rule.
Remediation Steps:
Open the AWS Management Console and navigate to the GuardDuty service.
Ensure that GuardDuty is enabled for your AWS account. If not, enable it by following the provided instructions.
Create an S3 bucket or choose an existing bucket to store the archived GuardDuty findings. Ensure the bucket is in the same region as GuardDuty.
Configure the appropriate permissions for the S3 bucket by setting the bucket policy and access controls. Grant GuardDuty the necessary write permissions to the bucket.
Create or update the IAM role associated with GuardDuty to grant it the required permissions for accessing and writing to the S3 bucket. Attach the appropriate policies to the role to enable the necessary access.
Configure a CloudWatch Event Rule to trigger the archival process for new GuardDuty findings. Specify the target S3 bucket as the destination for the findings.
Test the configuration by generating a sample GuardDuty finding or waiting for a new finding to be detected. Verify that the finding is archived in the specified S3 bucket.
Monitor the archival process for any errors or issues, and make any necessary adjustments to ensure continuous compliance with the NIST 800-53 Revision 4 standard.
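The following script is an added example, not part of this rule page, that collects the evidence the troubleshooting and remediation steps above describe for one detector (GuardDuty enabled, an S3 publishing destination actually publishing, no finding left unarchived) and archives whatever is still pending. It uses the real GuardDuty API operations GetDetector, ListPublishingDestinations, ListFindings and ArchiveFindings through an injected boto3-style client; the StubGuardDuty class and the IDs det-1, d-1, f-1..f-3 are constructed sample data so it runs offline.

```python
"""Evidence check for the rule "GuardDuty findings should be archived" (added example, not the
rule page's code): detector ENABLED, an S3 publishing destination in status PUBLISHING, and no
finding left with service.archived == false. Pass boto3.client("guardduty") or the stub below."""
from typing import Any, Dict, List

ARCHIVE_BATCH = 50  # ArchiveFindings accepts at most 50 finding IDs per call

def unarchived_finding_ids(gd: Any, detector_id: str) -> List[str]:
    """IDs of findings GuardDuty still reports as not archived, following NextToken pages."""
    criteria = {"Criterion": {"service.archived": {"Eq": ["false"]}}}
    ids, token = [], None
    while True:
        kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria}
        if token:
            kwargs["NextToken"] = token
        page = gd.list_findings(**kwargs)
        ids.extend(page.get("FindingIds", []))
        token = page.get("NextToken")
        if not token:
            return ids

def evaluate_detector(gd: Any, detector_id: str) -> Dict[str, Any]:
    """Collect the evidence for one detector and derive an overall compliant flag."""
    enabled = gd.get_detector(DetectorId=detector_id).get("Status") == "ENABLED"
    dests = gd.list_publishing_destinations(DetectorId=detector_id).get("Destinations", [])
    exporting = any(d.get("DestinationType") == "S3" and d.get("Status") == "PUBLISHING" for d in dests)
    pending = unarchived_finding_ids(gd, detector_id) if enabled else []
    return {"detector_id": detector_id, "enabled": enabled, "s3_export_publishing": exporting,
            "unarchived_finding_ids": pending, "compliant": enabled and exporting and not pending}

def archive_pending(gd: Any, detector_id: str) -> int:
    """Remediation: archive every unarchived finding in API-sized batches; return the count."""
    ids = unarchived_finding_ids(gd, detector_id)
    for i in range(0, len(ids), ARCHIVE_BATCH):
        gd.archive_findings(DetectorId=detector_id, FindingIds=ids[i:i + ARCHIVE_BATCH])
    return len(ids)

class StubGuardDuty:
    """Constructed stand-in for the boto3 GuardDuty client; sample data, not a real account."""
    def __init__(self) -> None:
        self.findings = {"f-1": False, "f-2": True, "f-3": False}  # finding id -> Service.Archived
    def get_detector(self, DetectorId: str) -> Dict[str, Any]:
        return {"Status": "ENABLED"}
    def list_publishing_destinations(self, DetectorId: str) -> Dict[str, Any]:
        return {"Destinations": [{"DestinationId": "d-1", "DestinationType": "S3", "Status": "PUBLISHING"}]}
    def list_findings(self, DetectorId: str, FindingCriteria: Dict, NextToken: str = None) -> Dict:
        return {"FindingIds": [f for f, done in self.findings.items() if not done]}
    def archive_findings(self, DetectorId: str, FindingIds: List[str]) -> None:
        self.findings.update({f: True for f in FindingIds})
```

Against a live account, run evaluate_detector for every ID returned by list_detectors and keep the returned dict as the audit evidence for this control; a non-empty unarchived_finding_ids list is the gap to remediate.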
Note: It is recommended to periodically review the archival process and update it for any changes in the NIST 800-53 standard or in best practices.