Enable GuardDuty Rule for Access Control (AC)

Ensure GuardDuty is enabled to comply with the high-severity rule in the Access Control (AC) benchmark.

Rule: GuardDuty should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

Enabling GuardDuty for NIST 800-53 Revision 5 means configuring the GuardDuty service within your AWS environment to adhere to the security controls specified in the NIST Special Publication 800-53 Revision 5, a comprehensive set of security and privacy controls issued by the National Institute of Standards and Technology (NIST). By enabling GuardDuty and aligning it with NIST 800-53 Rev. 5, you enhance the detection and monitoring capabilities for potential security threats and vulnerabilities in your AWS infrastructure.

Troubleshooting Steps:

In case you face any issues while enabling GuardDuty for NIST 800-53 Rev. 5, you can follow these troubleshooting steps:

  1. Verify GuardDuty region compatibility: Ensure that the AWS region you are using supports the GuardDuty service.

  2. Check GuardDuty service activation: Confirm that the GuardDuty service is enabled and active for your AWS account.

  3. Validate GuardDuty findings: Regularly review the GuardDuty findings to ensure that it is detecting potential threats and vulnerabilities as expected.

  4. Review NIST 800-53 Rev. 5 controls: Cross-verify that the implemented controls align with the requirements specified in NIST 800-53 Rev. 5.

Necessary Code:

To implement GuardDuty for NIST 800-53 Rev. 5, you can utilize the following code snippets:

  1. AWS CLI Command to Enable GuardDuty:

    aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

  2. AWS CLI Command to Integrate GuardDuty with NIST 800-53 Rev. 5:

    # Status ENABLED is expressed with --enable; valid frequencies are FIFTEEN_MINUTES, ONE_HOUR and SIX_HOURS
    aws guardduty update-detector --detector-id <your_detector_id> --enable --finding-publishing-frequency FIFTEEN_MINUTES

Step-by-Step Guide for Remediation:

To enable GuardDuty for NIST 800-53 Rev. 5, follow the step-by-step guide below:

  1. Open a terminal or command prompt.

  2. Install and configure the AWS CLI if you haven't already.

  3. Verify GuardDuty region compatibility: Ensure that your AWS region supports GuardDuty using the AWS Regional Services List.

  4. Enable GuardDuty: Execute the following AWS CLI command to enable GuardDuty:

    aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

  5. Retrieve the Detector ID: Once the command successfully completes, note down the generated detector ID for further use.

  6. Obtain necessary NIST 800-53 Rev. 5 information: Gather the required threat intelligence set IDs, role ARN, and KMS key ARN from your NIST 800-53 Rev. 5 implementation.

  7. Integrate GuardDuty with NIST 800-53 Rev. 5: Execute the following AWS CLI command, substituting the appropriate values:

    # Status ENABLED is expressed with --enable; valid frequencies are FIFTEEN_MINUTES, ONE_HOUR and SIX_HOURS
    aws guardduty update-detector --detector-id <your_detector_id> --enable --finding-publishing-frequency FIFTEEN_MINUTES

  8. Validate GuardDuty integration: Regularly check the GuardDuty findings in the AWS Management Console or programmatically to ensure that it aligns with NIST 800-53 Rev. 5 controls.

By following these steps, you can successfully enable GuardDuty for NIST 800-53 Revision 5 and enhance your AWS security posture.
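A per-region check and remediation for the steps above, written as an added example (not Cloud Defense's or AWS's own code). The function names are hypothetical; it assumes a configured AWS CLI, and it calls create-detector only where no detector exists, because a region holds at most one detector per account.

```shell
# Added example; region names are supplied by the caller.

# Detector ID for a region; the CLI prints "None" when the region has no detector.
gd_id() {
    aws guardduty list-detectors --region "$1" \
        --query 'DetectorIds[0]' --output text
}

# Print MISSING, DISABLED or ENABLED for one region.
gd_state() {
    id=$(gd_id "$1") || return 2
    if [ -z "$id" ] || [ "$id" = "None" ]; then
        echo MISSING
        return 0
    fi
    aws guardduty get-detector --region "$1" --detector-id "$id" \
        --query 'Status' --output text
}

# List regions that fail the rule; returns 1 if any region fails.
gd_audit() {
    rc=0
    for region in "$@"; do
        state=$(gd_state "$region") || state=ERROR
        if [ "$state" != ENABLED ]; then
            echo "$region $state"
            rc=1
        fi
    done
    return "$rc"
}

# Remediate one region without creating a second detector: create only
# when none exists, re-enable in place when one is disabled.
gd_remediate() {
    state=$(gd_state "$1") || return 2
    case $state in
        DISABLED)
            id=$(gd_id "$1") || return 2
            aws guardduty update-detector --region "$1" \
                --detector-id "$id" --enable >/dev/null || return 2 ;;
        MISSING)
            aws guardduty create-detector --region "$1" --enable \
                --finding-publishing-frequency FIFTEEN_MINUTES >/dev/null || return 2 ;;
    esac
    echo "$1: was $state"
}
```

Run `gd_audit us-east-1 eu-west-1` from a scheduled job to catch a detector that has been suspended after the initial setup; a non-zero exit status means at least one region fails the rule.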
