Rule: GuardDuty findings should be archived
Ensure that GuardDuty findings are properly archived to maintain compliance.
| Rule | GuardDuty findings should be archived |
| Framework | NIST 800-53 Revision 4 |
| Severity | ✔ Medium |
Rule Description:
The rule requires that all findings from AWS GuardDuty, a threat detection service, should be archived in compliance with the National Institute of Standards and Technology (NIST) 800-53 Revision 4. This is to ensure that any potential security incidents or threats identified by GuardDuty are properly documented and stored for further analysis and audit purposes.
Troubleshooting Steps (if applicable):
- 1.Check if AWS GuardDuty is enabled in your AWS account.
- 2.Review the GuardDuty findings and verify if any findings have been generated.
- 3.Check if the findings are being archived according to the NIST 800-53 Revision 4 compliance requirements.
Necessary Code (if applicable):
There is no specific code required for this rule. However, you may need to use AWS CLI or SDKs to interact with GuardDuty API for troubleshooting and configuration purposes.
Remediation Steps:
- 1.
Enable GuardDuty in AWS Account: To enable GuardDuty in your AWS account, follow these steps:
- Open the AWS Management Console and navigate to the GuardDuty service.
- Click on "Enable GuardDuty" to enable the service in your account.
- Configure the selected AWS regions and enable the specific detectors according to your requirements.
- Click on "Enable GuardDuty" to activate the service.
- 2.
Configure GuardDuty Findings Archival: To archive GuardDuty findings, follow these steps:
- Open the AWS Management Console and navigate to the GuardDuty service.
- In the navigation pane, select "Findings".
- Click on the "Settings" tab.
- Under "Findings archival," click on "Edit" to configure the archival settings.
- Select the desired S3 bucket to store the archived findings.
- Enable or disable automatic archive deletion based on your compliance requirements.
- Click on "Save" to apply the configuration changes.
- 3.
Verify Findings Archival: To verify if the findings are being archived correctly, follow these steps:
- Open the AWS Management Console and navigate to the GuardDuty service.
- In the navigation pane, select "Findings".
- Check if any findings are displayed.
- Verify that the findings are being stored in the specified S3 bucket for archival.
- Optionally, you can review the findings in the S3 bucket using the AWS S3 console or CLI.
Conclusion:
By following the above steps, you can ensure that all GuardDuty findings are appropriately archived in compliance with the NIST 800-53 Revision 4. This helps in maintaining a comprehensive record of potential security threats and incidents for analysis and auditing purposes.