AWS-GuardDuty-GuardDuty-is-Enabled

Severity : High

Description : GuardDuty provides threat detection by analyzing several AWS data sources for signs of compromise and malicious activity. It is a regional service, so it should be enabled in every account and in every region the organization uses.

Remediation Steps : Enable GuardDuty for all AWS accounts.

Description: This control ensures that AWS GuardDuty is enabled on the account. GuardDuty is a continuous security monitoring service that analyzes and processes VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, together with machine learning to identify unexpected, potentially unauthorized, and malicious activity within the AWS environment. In a multi-account environment, every account must be added as a member account of the delegated administrator and must have GuardDuty enabled; an account that is only invited, or whose detector is suspended, is not protected.
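The check this control performs can be expressed directly over the GuardDuty API responses. The following is an added example written for this page, not code from the original document or from any scanner: it evaluates one account and region from the responses of ListDetectors, GetDetector, ListMembers and ListPublishingDestinations. The response shapes follow the GuardDuty API; the account IDs, detector ID and payloads below are constructed for illustration.

```python
"""Evaluate the 'GuardDuty is Enabled' control from GuardDuty API responses.

Added example for this page. Feed it the dicts returned by
boto3.client("guardduty").list_detectors() / get_detector() / list_members() /
list_publishing_destinations(); the SAMPLE_* payloads are constructed.
"""
from __future__ import annotations
from typing import Dict, List


def evaluate_guardduty(list_detectors: dict, get_detector: dict, list_members: dict,
                       list_destinations: dict, expected_members: List[str]) -> Dict[str, object]:
    """Return PASS/FAIL with reasons; a missing S3 export is reported as a warning."""
    reasons: List[str] = []
    warnings: List[str] = []

    detector_ids = list_detectors.get("DetectorIds", [])
    if not detector_ids:
        # No detector at all means GuardDuty was never enabled in this region.
        return {"status": "FAIL", "severity": "High",
                "reasons": ["no GuardDuty detector in this region"], "warnings": []}

    if get_detector.get("Status") != "ENABLED":
        reasons.append(f"detector {detector_ids[0]} is {get_detector.get('Status')}")

    # Every expected account must be a member whose relationship is 'Enabled';
    # 'Invited', 'Disabled', 'Removed' or absent all mean no coverage.
    members = {m["AccountId"]: m.get("RelationshipStatus") for m in list_members.get("Members", [])}
    for account in expected_members:
        state = members.get(account)
        if state != "Enabled":
            reasons.append(f"account {account}: {state or 'not a member'}")

    # Findings export to S3 is recommended so findings outlive the 90-day console retention.
    exports = list_destinations.get("Destinations", [])
    if not any(d.get("DestinationType") == "S3" and d.get("Status") == "PUBLISHING" for d in exports):
        warnings.append("no S3 publishing destination in PUBLISHING state")

    return {"status": "FAIL" if reasons else "PASS", "severity": "High",
            "reasons": reasons, "warnings": warnings}


# Constructed sample responses (not real accounts or detectors).
SAMPLE_LIST_DETECTORS = {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]}
SAMPLE_GET_DETECTOR = {"Status": "ENABLED", "FindingPublishingFrequency": "SIX_HOURS"}
SAMPLE_LIST_MEMBERS = {"Members": [
    {"AccountId": "222222222222", "RelationshipStatus": "Enabled"},
    {"AccountId": "333333333333", "RelationshipStatus": "Invited"},
]}
SAMPLE_LIST_DESTINATIONS = {"Destinations": [
    {"DestinationId": "a1b2c3d4e5f6", "DestinationType": "S3", "Status": "PUBLISHING"},
]}


def sample_result(expected_members: List[str]) -> Dict[str, object]:
    """Run the evaluation over the constructed samples for the given member list."""
    return evaluate_guardduty(SAMPLE_LIST_DETECTORS, SAMPLE_GET_DETECTOR,
                              SAMPLE_LIST_MEMBERS, SAMPLE_LIST_DESTINATIONS, expected_members)


if __name__ == "__main__":
    print(sample_result(["222222222222", "333333333333"]))
```

Run it once per region: GuardDuty detectors, members and publishing destinations are all regional, so a PASS in us-east-1 says nothing about eu-west-1.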

Remediation Steps:

Perform the following to enable GuardDuty in a multi-account environment (from the AWS Organizations management account, which is the only account that can designate a delegated administrator):

  1. Log in to the AWS Management Console at https://console.aws.amazon.com .

  2. Navigate to the GuardDuty console.

  3. If GuardDuty is not already enabled, select Get Started and then designate a GuardDuty delegated administrator. If GuardDuty is already enabled, designate the delegated administrator from the Settings page.

  4. Enter the AWS account ID of the account to designate as the GuardDuty delegated administrator and choose Delegate.

Perform the following to add member accounts to GuardDuty (from the delegated administrator account designated above):

  1. Log in to the AWS Management Console at https://console.aws.amazon.com using the delegated administrator account.

  2. Navigate to the GuardDuty console.

  3. In the navigation pane, choose Settings, and then choose Accounts.

  4. Choose the accounts to add as members by selecting the box next to each account ID.

  5. Select Actions and then select Add member. Confirm afterwards that each account's status shows as Enabled; an account that remains Invited or Disabled is not monitored.

Generate sample findings and explore basic operations

  1. In the navigation pane, choose Settings.

  2. On the Settings page, under Sample findings, choose Generate sample findings.

  3. In the navigation pane, choose Findings. The sample findings are displayed on the Current findings page with the [SAMPLE] prefix.

  4. Archive the sample findings: select them, open the Actions menu and select Archive to hide them. Before archiving, unselect any findings to keep.

Configure GuardDuty findings export to an S3 bucket:

  1. In the navigation pane, choose Settings.

  2. Under Findings export options select Configure now.

  3. Select New bucket. Enter a unique name for your bucket.

  4. Create a KMS key in the KMS console to encrypt the findings. The key policy must allow the guardduty.amazonaws.com service principal to call kms:GenerateDataKey, and the bucket policy must allow it to write objects; without both, the export destination is created but no findings are published.

  5. Choose the key just created from the Key alias list, choose Save.
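The console procedures above (enable the detector, designate the delegated administrator, add members, export findings to S3) map one-to-one onto GuardDuty API calls. The following is an added example written for this page, not code from the original document or from AWS: it drives those calls through the boto3 GuardDuty client method names, and builds the KMS key-policy statement the export key needs. The account IDs, bucket and key ARNs, and the in-memory FakeGuardDuty stand-in are constructed for illustration; against AWS, pass boto3.client("guardduty") sessions for the management and delegated administrator accounts instead.

```python
"""Automate the GuardDuty remediation steps via the API.

Added example for this page. Method names match boto3's GuardDuty client;
FakeGuardDuty is a constructed stand-in so the flow runs offline.
"""
from __future__ import annotations
from typing import Dict, List


def ensure_detector(gd, frequency: str = "FIFTEEN_MINUTES") -> str:
    """Return the region's detector ID, creating an enabled detector if none exists."""
    ids = gd.list_detectors().get("DetectorIds", [])
    if ids:
        return ids[0]
    return gd.create_detector(Enable=True, FindingPublishingFrequency=frequency)["DetectorId"]


def delegate_admin(mgmt_gd, admin_account_id: str) -> None:
    """Runs in the Organizations management account (console steps 3-4 above)."""
    mgmt_gd.enable_organization_admin_account(AdminAccountId=admin_account_id)


def add_members(admin_gd, detector_id: str, accounts: Dict[str, str]) -> List[str]:
    """Runs in the delegated administrator; returns account IDs that could not be added."""
    details = [{"AccountId": acct, "Email": email} for acct, email in accounts.items()]
    resp = admin_gd.create_members(DetectorId=detector_id, AccountDetails=details)
    return [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]


def kms_key_statement(account_id: str, region: str, detector_id: str) -> dict:
    """Key-policy statement letting this detector encrypt exported findings."""
    return {
        "Sid": "AllowGuardDutyToUseKey",
        "Effect": "Allow",
        "Principal": {"Service": "guardduty.amazonaws.com"},
        "Action": "kms:GenerateDataKey",
        "Resource": "*",  # key policies refer to the key they are attached to
        "Condition": {"StringEquals": {
            "aws:SourceAccount": account_id,
            "aws:SourceArn": f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}",
        }},
    }


def export_to_s3(admin_gd, detector_id: str, bucket_arn: str, kms_key_arn: str) -> str:
    """Create the S3 publishing destination; returns its DestinationId."""
    resp = admin_gd.create_publishing_destination(
        DetectorId=detector_id, DestinationType="S3",
        DestinationProperties={"DestinationArn": bucket_arn, "KmsKeyArn": kms_key_arn})
    return resp["DestinationId"]


def remediate(mgmt_gd, admin_gd, admin_account: str, members: Dict[str, str],
              bucket_arn: str, key_arn: str) -> dict:
    """Full flow: detector in the admin account -> delegate -> members -> S3 export."""
    detector = ensure_detector(admin_gd)
    delegate_admin(mgmt_gd, admin_account)
    unprocessed = add_members(admin_gd, detector, members)
    destination = export_to_s3(admin_gd, detector, bucket_arn, key_arn)
    return {"detector": detector, "unprocessed": unprocessed, "destination": destination}


class FakeGuardDuty:
    """Constructed in-memory stand-in for boto3.client('guardduty'); records calls."""
    def __init__(self) -> None:
        self.detectors: List[str] = []
        self.admin = None
        self.members: Dict[str, str] = {}
        self.destinations: List[dict] = []

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def create_detector(self, **kwargs):
        detector_id = f"{len(self.detectors) + 1:032x}"  # real IDs are 32 hex chars
        self.detectors.append(detector_id)
        return {"DetectorId": detector_id}

    def enable_organization_admin_account(self, AdminAccountId):
        self.admin = AdminAccountId
        return {}

    def create_members(self, DetectorId, AccountDetails):
        for d in AccountDetails:
            self.members[d["AccountId"]] = "Enabled"
        return {"UnprocessedAccounts": []}

    def create_publishing_destination(self, DetectorId, DestinationType, DestinationProperties):
        self.destinations.append(DestinationProperties)
        return {"DestinationId": f"dest-{len(self.destinations)}"}


def run_demo() -> dict:
    """Run the flow against the fake client with constructed identifiers."""
    fake = FakeGuardDuty()  # one fake stands in for both accounts here
    result = remediate(fake, fake, "111111111111", {"222222222222": "sec@example.com"},
                       "arn:aws:s3:::example-guardduty-findings",
                       "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555")
    return {"client": fake, "result": result}


if __name__ == "__main__":
    print(run_demo()["result"])
```

In a real organization the management and delegated administrator sessions are different credentials, which is why remediate takes two clients; ensure_detector is idempotent so re-running the script after a partial failure does not create a second detector.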

Important:

Reference :

Blue Hexagon Proprietary