Enable GuardDuty Rule for Risk Assessment (RA)
This rule ensures GuardDuty is enabled. High severity.
| Rule | GuardDuty should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description: GuardDuty should be enabled for NIST 800-53 Revision 5
Rule Overview:
This rule ensures that AWS GuardDuty, a threat detection service, is enabled and properly configured to comply with the security controls outlined in the NIST 800-53 Revision 5 framework. GuardDuty continuously monitors AWS accounts for malicious activity and provides alerts for potential security threats.
Policy Details:
To comply with NIST 800-53 Revision 5, GuardDuty must be enabled and configured properly. The following steps help ensure GuardDuty is set up correctly:
- 1.Enable GuardDuty for the AWS account.
- 2.Configure GuardDuty to monitor all relevant AWS regions.
- 3.Configure GuardDuty to use the appropriate threat intelligence feeds.
- 4.Enable notifications for GuardDuty findings to ensure timely response and remediation.
Troubleshooting Steps:
If GuardDuty is not enabled or not properly configured, follow these troubleshooting steps:
- 1.Verify that you have the necessary permissions to enable and configure GuardDuty.
- 2.Check if GuardDuty is already enabled. If not, enable it for the AWS account.
- 3.Ensure GuardDuty is configured to monitor all relevant AWS regions. If not, update the configuration accordingly.
- 4.Verify that GuardDuty is using the recommended threat intelligence feeds. If not, update the configuration.
- 5.Check if GuardDuty notifications are enabled. If not, configure them to receive timely alerts for findings.
Necessary Code:
There are no specific code snippets required for this rule. The configuration of GuardDuty is typically done through the AWS Management Console or the AWS Command Line Interface (CLI).
Step-by-step Guide for Remediation:
Enabling GuardDuty:
- 1.Sign in to the AWS Management Console.
- 2.Open the GuardDuty service.
- 3.Click on "Enable GuardDuty" if it is not already enabled.
Configuring GuardDuty to Monitor All Relevant AWS Regions:
- 1.In the GuardDuty console, select the "Settings" tab.
- 2.Under "Regions," ensure that all relevant AWS regions are selected.
- 3.Click on "Save" to apply the changes.
Configuring GuardDuty Threat Intelligence Feeds:
- 1.In the GuardDuty console, select the "Settings" tab.
- 2.Under "Threat intelligence," review the list of available feeds.
- 3.Enable the desired threat intelligence feeds by selecting the checkboxes.
- 4.Click on "Save" to apply the changes.
Enabling GuardDuty Notifications:
- 1.In the GuardDuty console, select the "Settings" tab.
- 2.Under "CloudWatch Event Settings," click on "Edit".
- 3.Enable the desired notification options, such as email notifications or integrating with AWS Systems Manager.
- 4.Click on "Save" to apply the changes.
Conclusion:
By following the steps mentioned above, you can ensure that GuardDuty is enabled and configured to comply with the security controls outlined in the NIST 800-53 Revision 5 framework. Regularly monitoring GuardDuty findings and taking appropriate actions can help identify and mitigate potential security threats in your AWS environment.