Description:

GuardDuty is a managed threat detection service that continuously monitors your AWS environment for malicious activity. It uses
machine learning and other techniques to identify potential threats, such as unauthorized access, data exfiltration, and malware.
High severity GuardDuty findings indicate that there is a high likelihood of a security breach. If left unaddressed, these findings could lead to data loss, financial losses, or even system downtime.

Rationale:
It is important to ensure that there are no high severity GuardDuty findings because these findings indicate that there is a high likelihood of a security breach. By addressing these findings as soon as possible, you can help to protect your AWS environment from malicious activity.

Impact:
If there are high severity GuardDuty findings, this could indicate that your AWS environment is under attack. This could lead to data loss, financial losses, or even system downtime.

Default Value:

By default, GuardDuty will not generate any findings. However, you can configure GuardDuty to generate findings for different severity levels, including high severity.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have enabled GuardDuty in your AWS account.

Remediation Steps:

  1. Sign in to the AWS Management Console.
  2. Go to the AWS GuardDuty console.
  3. Click Findings.
  4. Review the list of findings.
  5. If there are any high severity findings, take steps to address them.

Test Plan:

  1. Verify that GuardDuty is enabled in your AWS account.
  2. Verify that GuardDuty is configured to generate findings for high severity threats.
  3. Verify that you can view the list of findings in the AWS GuardDuty console.
  4. Verify that you can take steps to address high severity findings.

Implementation Plan:

  1. Create a policy that requires all high severity GuardDuty findings to be addressed within 24 hours.
  2. Implement the policy by configuring GuardDuty to send notifications for high severity findings.
  3. Monitor the status of the policy to ensure that all high severity findings are addressed in a timely manner.

AWS CLI Process:

  1. Run the following commands to find your detector ID and list all high severity GuardDuty findings (GuardDuty scores High findings as severity 7.0 and above, so the criterion selects severity greater than or equal to 7):
aws guardduty list-detectors --query 'DetectorIds[0]' --output text
aws guardduty list-findings --detector-id <detector-id> --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'
  2. For each finding, take steps to address it.
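The 24-hour policy from the Implementation Plan and the severity filter from the CLI process above can be checked together with a small triage script. This is an added example, not code from the original control text or from AWS: it builds the finding criteria used by `list-findings` and flags active high severity findings older than 24 hours in a constructed sample shaped like `aws guardduty get-findings` output (keys `Id`, `Severity`, `UpdatedAt`, `Service.Archived`); the sample IDs and timestamps are made up.

```python
"""Triage GuardDuty findings against a 'high severity fixed within 24h' policy.

Runs offline on a constructed sample shaped like `aws guardduty get-findings`
output. Field names follow the GetFindings response; the values are made up.
"""
from datetime import datetime, timedelta, timezone

HIGH_MIN = 7.0              # GuardDuty documents High as severity 7.0 to 8.9
SLA = timedelta(hours=24)   # the remediation window from the Implementation Plan


def list_findings_criteria(min_severity=HIGH_MIN):
    """FindingCriteria for `aws guardduty list-findings --finding-criteria`.

    The severity criterion compares against an integer, so 7 selects High
    (and anything scored above it).
    """
    return {"Criterion": {"severity": {"Gte": int(min_severity)}}}


def overdue_high_findings(findings, now):
    """Return IDs of unarchived high severity findings older than the SLA."""
    overdue = []
    for finding in findings:
        if finding["Severity"] < HIGH_MIN:
            continue                      # not in scope of this policy
        if finding["Service"].get("Archived", False):
            continue                      # already triaged and archived
        updated = datetime.fromisoformat(finding["UpdatedAt"].replace("Z", "+00:00"))
        if now - updated > SLA:
            overdue.append(finding["Id"])
    return overdue


# Constructed sample findings (not real GuardDuty output).
SAMPLE_NOW = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"Id": "f-high-old", "Severity": 8.0,
     "UpdatedAt": "2024-06-01T09:00:00.000Z", "Service": {"Archived": False}},
    {"Id": "f-high-new", "Severity": 7.5,
     "UpdatedAt": "2024-06-02T10:30:00.000Z", "Service": {"Archived": False}},
    {"Id": "f-high-archived", "Severity": 8.5,
     "UpdatedAt": "2024-05-30T08:00:00.000Z", "Service": {"Archived": True}},
    {"Id": "f-medium-old", "Severity": 5.0,
     "UpdatedAt": "2024-05-30T08:00:00.000Z", "Service": {"Archived": False}},
]

if __name__ == "__main__":
    print("list-findings criteria:", list_findings_criteria())
    for finding_id in overdue_high_findings(SAMPLE_FINDINGS, SAMPLE_NOW):
        print("policy breach, high finding open > 24h:", finding_id)
```

In practice the `findings` list would come from `aws guardduty get-findings` run against the IDs returned by the `list-findings` command above.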

Using AWS GUI:

  1. Go to the AWS GuardDuty console.
  2. Click Findings.
  3. Filter the list of findings to show only high severity findings.
  4. For each finding, take steps to address it.

Backout Plan:

  1. If you accidentally archive a high severity finding (GuardDuty findings cannot be deleted, only archived), you can restore it to the current findings list by running the following command:
aws guardduty unarchive-findings --detector-id <detector-id> --finding-ids <finding-id>
  2. You can also roll back the policy that requires all high severity GuardDuty findings to be addressed within 24 hours.

Note:

  • This policy only applies to high severity GuardDuty findings.
  • You can also use the AWS CLI or the AWS GuardDuty API to list, filter, and address GuardDuty findings.
  • For more information, see the GuardDuty documentation: https://docs.aws.amazon.com/guardduty/latest/ug/.