Description:

Amazon GuardDuty is a regional-based intelligent threat detection service that monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

The service is powered by machine learning, which allows it to continuously evolve by learning and understanding operational behavior within your infrastructure.

Rationale:

The GuardDuty Untreated Findings check verifies whether Amazon GuardDuty has findings that have not been archived. To perform it, we set up a rule in AWS Config that checks whether Amazon GuardDuty has non-archived findings older than the specified number of days; if it does, the rule reports NON_COMPLIANT.

Impact:

Amazon GuardDuty monitors your AWS accounts, workloads, and data stored in Amazon S3 and delivers its findings to the GuardDuty console and Amazon CloudWatch Events. Untreated (non-archived) findings are alerts about malicious or unauthorized behavior that nobody has acted on yet. Tracking them tells you which security findings still need attention and shows how GuardDuty's detection techniques and algorithms are working in your environment.

Default Value:

The number of days Amazon GuardDuty low severity findings are allowed to stay non-archived defaults to 30 days.

By default, the guardduty-non-archived-findings rule is not enabled in AWS Config.

Pre-Requisite:

This policy is implemented when GuardDuty is already enabled and contains findings.

You must also enable AWS Config so that it can check for untreated GuardDuty findings.

Remediation:

Test plan: 

  • AWS Console Process

Step 1: Sign in to the AWS Management Console and go to the AWS config dashboard at https://console.aws.amazon.com/config/.

Step 2: Click on Rules in the left navigation panel.

Step 3: In the Rules list, check whether the rule “guardduty-non-archived-findings” exists.


  • Using AWS CLI

To get details for an AWS Config rule

The following command returns details for the AWS Config rule named guardduty-non-archived-findings (the name must match the ConfigRuleName used when the rule was created):

aws configservice describe-config-rules \
  --config-rule-names guardduty-non-archived-findings

Implementation Steps:

  • AWS Console Process

Step 1: Sign in to the AWS Management Console and go to the AWS config dashboard at https://console.aws.amazon.com/config/.

Step 2: Click on Rules in the left navigation panel.

Step 3: Click on Add Rule button.

Step 4: Select Add AWS managed rule.

Step 5: Scroll down to AWS Managed Rules, search for “guardduty-non-archived-findings”, and select the rule named guardduty-non-archived-findings.


Step 6: Click on Next button.

Step 7: On the details page no changes are needed, so click on Next button.

  • Using AWS CLI

To add or update a rule, use put-config-rule.

To add an AWS managed Config rule:

aws configservice put-config-rule \
--config-rule file://RequiredTagsForSecretManager.json

The JSON file referenced by --config-rule (RequiredTagsForSecretManager.json in the command above) contains:

{
  "ConfigRuleName": "guardduty-non-archived-findings",
  "Description": "A Config rule that checks whether the Amazon GuardDuty has findings that are non archived. The rule is NON_COMPLIANT if Amazon GuardDuty has non archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/...",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "GUARDDUTY_NON_ARCHIVED_FINDINGS",
    "SourceDetails": []
  },
  "Scope": {
    "ComplianceResourceTypes": []
  },
  "InputParameters": "{\"daysLowSev\":\"30\",\"daysMediumSev\":\"7\",\"daysHighSev\":\"1\"}",
  "MaximumExecutionFrequency": "TwentyFour_Hours"
}
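The following Python script is an added example, not AWS's own implementation of the managed rule and not part of this document's original content. It builds the same rule document that put-config-rule consumes (note that InputParameters must be a JSON string, not a nested object, which is the most common mistake in hand-written rule files) and applies the rule's stated logic (non-archived findings older than the per-severity day thresholds give NON_COMPLIANT) to constructed sample findings, so the daysLowSev/daysMediumSev/daysHighSev thresholds can be reasoned about before the rule is deployed. It assumes GuardDuty's documented severity ranges (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9) and, as an assumption not stated on this page, measures finding age from the finding's UpdatedAt timestamp.

```python
"""Offline model of the GUARDDUTY_NON_ARCHIVED_FINDINGS check.

Added example: builds the put-config-rule document and mirrors the rule's
stated compliance logic on constructed findings. It is not AWS's code.
"""
import json
from datetime import datetime, timedelta, timezone

# Default thresholds, as listed in the rule's InputParameters on this page.
DEFAULT_PARAMETERS = {"daysLowSev": "30", "daysMediumSev": "7", "daysHighSev": "1"}


def build_config_rule(name="guardduty-non-archived-findings", parameters=None):
    """Return the dict that `put-config-rule --config-rule file://...` expects.

    InputParameters is serialised to a JSON *string*; AWS Config rejects a
    nested object here.
    """
    params = dict(DEFAULT_PARAMETERS)
    params.update(parameters or {})
    return {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "GUARDDUTY_NON_ARCHIVED_FINDINGS"},
        "InputParameters": json.dumps(params),
        "MaximumExecutionFrequency": "TwentyFour_Hours",
    }


def severity_bucket(severity):
    """Map a GuardDuty numeric severity to the rule's threshold parameter.

    Assumes GuardDuty's documented ranges: Low 1.0-3.9, Medium 4.0-6.9,
    High 7.0-8.9.
    """
    if severity >= 7.0:
        return "daysHighSev"
    if severity >= 4.0:
        return "daysMediumSev"
    return "daysLowSev"


def evaluate(findings, parameters=None, now=None):
    """Apply the rule's stated logic to a list of finding dicts.

    Each finding needs: Id, Severity (float), UpdatedAt (tz-aware datetime),
    Archived (bool). Archived findings are ignored, as the rule describes.
    Age is measured from UpdatedAt (an assumption of this example).
    Returns ("COMPLIANT" | "NON_COMPLIANT", [ids of overdue findings]).
    """
    params = dict(DEFAULT_PARAMETERS)
    params.update(parameters or {})
    now = now or datetime.now(timezone.utc)
    overdue = []
    for finding in findings:
        if finding["Archived"]:
            continue
        limit = timedelta(days=int(params[severity_bucket(finding["Severity"])]))
        if now - finding["UpdatedAt"] > limit:
            overdue.append(finding["Id"])
    return ("NON_COMPLIANT" if overdue else "COMPLIANT"), overdue


# Constructed sample findings for the demonstration (not real GuardDuty output).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"Id": "low-20d", "Severity": 2.0, "UpdatedAt": NOW - timedelta(days=20), "Archived": False},
    {"Id": "med-10d", "Severity": 5.0, "UpdatedAt": NOW - timedelta(days=10), "Archived": False},
    {"Id": "high-2d", "Severity": 8.0, "UpdatedAt": NOW - timedelta(days=2), "Archived": False},
    {"Id": "high-archived", "Severity": 8.0, "UpdatedAt": NOW - timedelta(days=40), "Archived": True},
]

if __name__ == "__main__":
    # Write this to a file and pass it as --config-rule file://<name>.json
    print(json.dumps(build_config_rule(), indent=2))
    # With the defaults: med-10d (10 > 7 days) and high-2d (2 > 1 day) are overdue,
    # low-20d is within 30 days, and the archived finding is ignored.
    print(evaluate(SAMPLE_FINDINGS, now=NOW))
```

Raising daysMediumSev and daysHighSev (for example to 14 and 3) makes the same sample set COMPLIANT, which is the trade-off the parameters encode: looser thresholds mean fewer NON_COMPLIANT evaluations but longer-lived unhandled high-severity alerts.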

Backout Plan

  • AWS Console Process

Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.

Step 2: Click on Rules in the left navigation panel.

Step 3: Select the rule to delete from AWS Config, then open the Actions menu.

Step 4: Click on Delete rule.

Step 5: To confirm, type delete and click on Delete button.

  • Using AWS CLI

To delete an AWS Config rule (the name must match the ConfigRuleName used when the rule was created):

aws configservice delete-config-rules \
  --config-rule-names guardduty-non-archived-findings

Note:

The rule is NON_COMPLIANT if Amazon GuardDuty has non-archived low/medium/high severity findings older than the number of days specified in the daysLowSev/daysMediumSev/daysHighSev parameters.

Identifier: GUARDDUTY_NON_ARCHIVED_FINDINGS

Trigger type: Periodic

AWS Region: All supported AWS regions except Middle East (Bahrain), China (Beijing), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), Europe (Spain), China (Ningxia), Europe (Zurich) Region

Reference:

  1. https://aws.amazon.com/blogs/security/visualizing-amazon-guardduty-findings/

  2. guardduty-non-archived-findings - AWS Config 

  3. Understanding Amazon GuardDuty findings - Amazon GuardDuty 

  4. configservice — AWS CLI 1.27.102 Command Reference