This rule emphasizes the need to archive GuardDuty findings for improved security measures.
| Rule | GuardDuty findings should be archived |
|---|---|
| Framework | RBI Cyber Security Framework |
| Severity | Medium |
Rule Description:
The rule mandates that GuardDuty findings should be archived to comply with the RBI (Reserve Bank of India) Cyber Security Framework. GuardDuty is a threat detection service offered by Amazon Web Services (AWS) that continuously monitors for malicious activity and unauthorized behavior within AWS accounts.
Troubleshooting Steps:
If you encounter any issues while archiving GuardDuty findings, follow these troubleshooting steps:
Validate IAM Permissions: Ensure that the IAM (Identity and Access Management) user or role used to configure GuardDuty has sufficient permissions to read and archive findings. Make sure the necessary IAM policies are attached to the user or role.
Check S3 Bucket Permissions: Verify that the S3 bucket used for archiving GuardDuty findings has the appropriate permissions. The IAM user or role associated with GuardDuty should have write access to the S3 bucket.
Configure SNS Topic: Ensure that a valid SNS (Simple Notification Service) topic is configured for receiving notifications about new GuardDuty findings. Verify the topic's ARN (Amazon Resource Name) and confirm that it is correctly configured in the GuardDuty settings.
Verify EventBridge (CloudWatch Events) Configuration: If you are using EventBridge to forward GuardDuty findings to another service or store, double-check the EventBridge rule configuration. Ensure that the event rule matches the desired findings and targets the correct destination.
Necessary Codes:
No specific code is required for this rule. The AWS CLI (or an SDK) can, however, list and archive GuardDuty findings programmatically; for example:

```shell
aws guardduty list-findings --detector-id <detector-id>
aws guardduty archive-findings --detector-id <detector-id> --finding-ids <finding-ids>
```

Replace <detector-id> with the ID of your GuardDuty detector and <finding-ids> with one or more finding IDs separated by spaces.
Step-by-Step Guide for Remediation:
Follow these steps to remediate the issue and comply with the RBI Cyber Security Framework by archiving GuardDuty findings:
1. Log in to the AWS Management Console.
2. Open the GuardDuty service.
3. Ensure that the desired AWS region is selected.
4. Click the "Detectors" tab in the left navigation pane.
5. Select the appropriate detector from the list.
6. Click the "Settings" tab.
7. Scroll down to the "Findings Management" section.
8. Enable the "Archive findings" option.
9. Enter the ARN of the S3 bucket where you want to archive the findings.
10. (Optional) To receive notifications about new findings, enter the ARN of the SNS topic in the "Security alerts notification" field.
11. Save the settings.
12. Test the configuration by generating a sample finding and verifying that it is archived to the specified S3 bucket.
Following these steps ensures that GuardDuty findings are archived as required by the RBI Cyber Security Framework.
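The two CLI commands under "Necessary Codes" archive whichever finding IDs you pass by hand. The Python routine below is an added example (not the page's or AWS's own code) that generalizes them: it builds a FindingCriteria filter for findings that are still active and have not been updated for a given number of days, pages through list_findings with NextToken, and archives the results in batches no larger than the 50-ID limit of the ArchiveFindings API. A real run needs a boto3 GuardDuty client and your detector ID; the FakeGuardDutyClient, the detector placeholder and the finding IDs in the demo are constructed so the module runs offline.

```python
"""Batch-archive GuardDuty findings through the GuardDuty API.

Added example for this rule page, not the page's or AWS's own code. A real run
uses boto3.client("guardduty"); FakeGuardDutyClient is a constructed stand-in
so the module can run and be checked offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Iterator, List, Optional

# The ArchiveFindings API accepts at most 50 finding IDs per request.
ARCHIVE_BATCH_SIZE = 50


def chunked(items: Iterable[str], size: int) -> Iterator[List[str]]:
    """Split an iterable into lists of at most `size` items."""
    batch: List[str] = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def stale_unarchived_criteria(older_than_days: int, now: Optional[datetime] = None) -> Dict:
    """FindingCriteria for active findings whose last update is older than the cutoff.

    Field names follow GuardDuty's filter attributes; updatedAt is compared in
    epoch milliseconds, which is the unit the API expects.
    """
    now = now or datetime.now(timezone.utc)
    cutoff_ms = int((now - timedelta(days=older_than_days)).timestamp() * 1000)
    return {
        "Criterion": {
            "service.archived": {"Equals": ["false"]},
            "updatedAt": {"LessThanOrEqual": cutoff_ms},
        }
    }


def iter_finding_ids(client, detector_id: str, criteria: Dict) -> Iterator[str]:
    """Yield every finding ID matching `criteria`, following NextToken pagination."""
    token = None
    while True:
        kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria, "MaxResults": 50}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_findings(**kwargs)
        yield from resp.get("FindingIds", [])
        token = resp.get("NextToken")
        if not token:
            return


def archive_matching_findings(client, detector_id: str, criteria: Dict,
                              batch_size: int = ARCHIVE_BATCH_SIZE) -> List[str]:
    """Archive all findings matching `criteria`; returns the archived IDs in order."""
    archived: List[str] = []
    for batch in chunked(iter_finding_ids(client, detector_id, criteria), batch_size):
        client.archive_findings(DetectorId=detector_id, FindingIds=batch)
        archived.extend(batch)
    return archived


class FakeGuardDutyClient:
    """Constructed stand-in for boto3's GuardDuty client (offline demo only).

    It ignores FindingCriteria, serves a fixed list of finding IDs in pages and
    records each archive_findings call so the batching can be checked.
    """

    def __init__(self, finding_ids: Iterable[str], page_size: int = 2):
        self.finding_ids = list(finding_ids)
        self.page_size = page_size
        self.archive_calls: List[List[str]] = []

    def list_findings(self, DetectorId, FindingCriteria, MaxResults=50, NextToken=None):
        start = int(NextToken) if NextToken else 0
        end = start + min(self.page_size, MaxResults)
        resp = {"FindingIds": self.finding_ids[start:end]}
        if end < len(self.finding_ids):
            resp["NextToken"] = str(end)
        return resp

    def archive_findings(self, DetectorId, FindingIds):
        if len(FindingIds) > ARCHIVE_BATCH_SIZE:
            raise ValueError("ArchiveFindings accepts at most 50 IDs per call")
        self.archive_calls.append(list(FindingIds))
        return {}


if __name__ == "__main__":
    # Constructed finding IDs and detector placeholder; a real run would pass
    # boto3.client("guardduty", region_name="<region>") and the real detector ID.
    demo = FakeGuardDutyClient([f"finding-{i:02d}" for i in range(7)], page_size=3)
    done = archive_matching_findings(demo, "<detector-id placeholder>",
                                     stale_unarchived_criteria(30), batch_size=5)
    print(f"archived {len(done)} findings in {len(demo.archive_calls)} API calls")
```

Keeping the listing and the archiving as separate functions mirrors the two CLI commands and lets you dry-run the filter first (iterate the IDs, review them) before calling archive_findings; the IAM identity running this needs permission to list and archive findings on the detector, which is the first troubleshooting check above.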