
Rule: GuardDuty findings should be archived

Ensure GuardDuty findings are properly archived to maintain compliance.

Rule: GuardDuty findings should be archived
Framework: SOC 2
Severity: Medium

Rule Description:

The rule requires archiving GuardDuty findings for compliance with SOC 2 (Service Organization Control 2). SOC 2 is a widely recognized auditing standard that certifies an organization's system and data security controls. The archiving of GuardDuty findings helps to ensure that security incidents, alerts, and other relevant information are properly retained and can be accessed for review, investigation, and compliance purposes.

Troubleshooting Steps:

  1. Verify GuardDuty service: Check if the GuardDuty service is enabled in your AWS environment. Ensure that the service is active and properly configured.

  2. Check permissions: Ensure that the user or role responsible for archiving GuardDuty findings has sufficient permissions to access and configure the necessary AWS services.

  3. Confirm compliance requirements: Understand the specific compliance requirements mandated by SOC 2 for archiving GuardDuty findings. Confirm if there are any additional guidelines or configurations that need to be followed.

  4. Review resource limitations: Check if there are any limitations on the amount of data that can be archived or the duration for which the findings need to be retained. Understand the impact of these limitations on your archiving strategy.

Necessary Codes:

There are no specific codes associated with this rule, as it primarily involves configuration and implementation steps rather than writing custom code.

Step-by-step Guide for Remediation:

Follow the steps below to archive GuardDuty findings for SOC 2 compliance:

Step 1: Enable GuardDuty

  • If you haven't already, enable the GuardDuty service in your AWS account.
  • Configure GuardDuty with appropriate settings based on your environment and security requirements.

Step 2: Set up an S3 Bucket

  • Create an S3 bucket in your AWS account or use an existing one to store the archived GuardDuty findings.
  • Configure the bucket with appropriate access controls, encryption settings, and versioning if required.

Step 3: Configure GuardDuty Findings to be Archived

  • Go to the GuardDuty console and navigate to the "Settings" tab.
  • In the "Findings export" section, click on the "Edit" button.
  • Choose the S3 bucket you created in Step 2 as the destination for exporting GuardDuty findings.
  • Configure any additional settings as per your compliance requirements.
  • Save the changes.

Step 4: Verify the Archiving Process

  • Monitor the GuardDuty findings to ensure they are being successfully exported to the configured S3 bucket.
  • Periodically check the S3 bucket to verify that the exported findings are present and accessible.

Step 5: Retention and Compliance

  • Review the retention requirements specified by SOC 2 or your organization's internal policies.
  • Set up a process to manage the retention period for GuardDuty findings in the S3 bucket.
  • Ensure that the designated personnel responsible for compliance have access to view and retrieve the archived findings when needed.
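As an added check for Steps 3 to 5 (example code, not part of the original page, which ships no code), the following Python script evaluates a GuardDuty publishing destination and the archive bucket's policy offline. The input dicts have the shape of the `DescribePublishingDestination` and `GetBucketPolicy` API responses; the bucket name, account id and key id are constructed placeholders, and in practice you would pass the live responses from boto3 (`guardduty.describe_publishing_destination`, `s3.get_bucket_policy`).

```python
GUARDDUTY_SERVICE = "guardduty.amazonaws.com"

def check_publishing_destination(dest: dict) -> list:
    """Return problems found in one GuardDuty publishing destination.
    `dest` has the shape of a DescribePublishingDestination API response."""
    problems = []
    if dest.get("DestinationType") != "S3":
        problems.append("destination type is not S3")
    status = dest.get("Status")
    if status != "PUBLISHING":
        # PENDING_VERIFICATION, UNABLE_TO_PUBLISH and STOPPED all mean findings
        # are not currently landing in the bucket, i.e. the archive has a gap.
        problems.append(f"status is {status!r}, expected 'PUBLISHING'")
    props = dest.get("DestinationProperties", {})
    if not props.get("DestinationArn", "").startswith("arn:aws:s3:::"):
        problems.append("DestinationArn is not an S3 bucket ARN")
    if not props.get("KmsKeyArn"):
        problems.append("no KmsKeyArn set; GuardDuty export requires a KMS key")
    return problems

def bucket_policy_allows_guardduty(policy: dict) -> bool:
    """True if an Allow statement grants guardduty.amazonaws.com s3:PutObject;
    GuardDuty cannot write exported findings into the bucket without it."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and GUARDDUTY_SERVICE in services
                and "s3:PutObject" in actions):
            return True
    return False

# Constructed sample API responses; bucket name, account id and key id are placeholders.
SAMPLE_DESTINATION = {
    "DestinationId": "EXAMPLE-DESTINATION-ID", "DestinationType": "S3",
    "Status": "PUBLISHING",
    "DestinationProperties": {
        "DestinationArn": "arn:aws:s3:::example-guardduty-archive",
        "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "guardduty.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-guardduty-archive/*"}]}

if __name__ == "__main__":
    print("destination problems:", check_publishing_destination(SAMPLE_DESTINATION))
    print("bucket policy OK:", bucket_policy_allows_guardduty(SAMPLE_POLICY))
```

Run it on a schedule against every detector in every region and alert on a non-empty problem list, so a stopped or unverified destination does not silently leave a gap in the archive.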

Conclusion:

By following the steps outlined above, you can successfully archive GuardDuty findings for compliance with SOC 2. Regularly monitoring the process and ensuring the retention of findings will help meet compliance requirements and provide valuable security insights for your organization.
