
Rule: GuardDuty findings should be archived

This rule ensures that GuardDuty findings are properly archived for compliance.

Rule: GuardDuty findings should be archived
Framework: SOC 2
Severity: Medium

GuardDuty Findings Archiving for SOC 2 Compliance

Rule Description

To comply with SOC 2 standards, it is important to ensure that all findings generated by Amazon GuardDuty are properly archived. GuardDuty is a threat detection service designed to identify potentially malicious activity within AWS accounts. By archiving these findings, you can maintain an audit trail and demonstrate compliance with SOC 2 requirements.

Troubleshooting Steps (if applicable)

If you encounter any issues with GuardDuty findings archiving, please follow the troubleshooting steps below:

  1. Verify IAM Permissions: Ensure that the IAM role or user has the necessary permissions to access and archive GuardDuty findings.
  2. Check S3 Bucket Permissions: Make sure that the S3 bucket used for storing the archived findings has proper permissions for write access.
  3. Review GuardDuty Configuration: Check the GuardDuty setup and configuration to ensure that it is correctly enabled and integrated with the AWS account.

Necessary Codes (if applicable)

Below is an example AWS CLI command that configures GuardDuty to export its findings to an S3 bucket (GuardDuty calls this a publishing destination; the exported objects are encrypted with the KMS key you supply):

aws guardduty create-publishing-destination --detector-id <detector-id> --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::my-guardduty-bucket,KmsKeyArn=<kms-key-arn>

Please replace <detector-id> with the ID of your GuardDuty detector (as returned by aws guardduty list-detectors), "arn:aws:s3:::my-guardduty-bucket" with the ARN of the S3 bucket you want to use for storing the findings, and <kms-key-arn> with the ARN of the KMS key GuardDuty should use to encrypt the exported findings.

Step-by-step Guide for Remediation

Follow the step-by-step guide below to ensure proper archiving of GuardDuty findings for SOC 2 compliance:

  1. Enable GuardDuty: If GuardDuty is not already enabled, follow the official AWS documentation to enable the service in your AWS account.
  2. Create an S3 Bucket: If you haven't already, create an S3 bucket to store the archived GuardDuty findings. Take note of the bucket name and the region in which it is located.
  3. Configure Bucket Policies: Set the necessary bucket policies to allow GuardDuty to write findings to the S3 bucket. Ensure that the required IAM role or user has write access to the bucket.
  4. Update GuardDuty Configuration: Use the AWS CLI command mentioned above (or any other suitable method) to configure GuardDuty to export findings to the S3 bucket automatically.
  5. Verify Archiving Setup: Once the configuration is updated, verify that GuardDuty findings are being properly archived to the specified S3 bucket. This can be done by generating a test finding and checking if it appears in the S3 bucket.
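The verification in step 5 can be automated. The script below is an added example (not CloudDefense's own tooling): it walks every GuardDuty detector in the configured region, reads each publishing destination and flags any that is not an S3 export to the expected bucket, lacks a KMS key, or is not actively publishing. The sample destination at the bottom is constructed; it mirrors the fields returned by aws guardduty describe-publishing-destination, and the bucket and key ARNs are placeholders.

```python
"""Check that every GuardDuty detector exports findings to the expected S3 bucket.
Added example, not part of the original rule page. Field names follow the
output of `aws guardduty describe-publishing-destination`; ARNs are constructed."""
import json
import subprocess


def evaluate_destination(desc, expected_bucket_arn):
    """Return a list of problems for one publishing destination; empty means compliant."""
    problems = []
    if desc.get("DestinationType") != "S3":
        problems.append("destination type is not S3")
    props = desc.get("DestinationProperties", {})
    if props.get("DestinationArn") != expected_bucket_arn:
        problems.append(f"bucket is {props.get('DestinationArn')!r}, expected {expected_bucket_arn!r}")
    if not props.get("KmsKeyArn"):
        problems.append("no KMS key configured for exported findings")
    # Other status values include PENDING_VERIFICATION, STOPPED and
    # UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY; only PUBLISHING means exports work.
    if desc.get("Status") != "PUBLISHING":
        problems.append(f"status is {desc.get('Status')!r}, not 'PUBLISHING'")
    return problems


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs credentials; not used by the offline checks)."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def check_region_live(expected_bucket_arn):
    """Map each detector ID in the current region to its list of problems (empty = compliant)."""
    report = {}
    for det in aws_json("guardduty", "list-detectors")["DetectorIds"]:
        dests = aws_json("guardduty", "list-publishing-destinations", "--detector-id", det)["Destinations"]
        report[det] = [] if dests else ["no publishing destination configured"]
        for d in dests:
            desc = aws_json("guardduty", "describe-publishing-destination",
                            "--detector-id", det, "--destination-id", d["DestinationId"])
            report[det].extend(evaluate_destination(desc, expected_bucket_arn))
    return report


# Constructed sample shaped like describe-publishing-destination output.
SAMPLE_DESTINATION = {
    "DestinationId": "EXAMPLEDESTID", "DestinationType": "S3", "Status": "PUBLISHING",
    "DestinationProperties": {"DestinationArn": "arn:aws:s3:::my-guardduty-bucket",
                              "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
}
```

Run check_region_live("arn:aws:s3:::my-guardduty-bucket") with credentials for each region where GuardDuty is enabled; any detector with a non-empty list is out of compliance with this rule.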

By following these steps, you will ensure that all GuardDuty findings are automatically archived to a secure location, helping you meet SOC 2 compliance requirements.

Remember to regularly review the archived findings and establish a process for analyzing and responding to any potential threats or security incidents identified by GuardDuty.
