More Info:

Checks if Amazon GuardDuty has findings that are non-archived. The rule is NON_COMPLIANT if GuardDuty has non-archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter.

Risk Level

Low

Addresses

Configuration

Compliance Standards

CBP,RBI_MD_ITF,RBI_UCB

Triage and Remediation

Remediation

Using Console

To remediate the non-archived findings enabled for GuardDuty in AWS Shield, you can follow these steps using the AWS Management Console:
  1. Login to AWS Console: Go to https://aws.amazon.com/ and login to your AWS account using your credentials.
  2. Navigate to GuardDuty Service: In the AWS Management Console, search for “GuardDuty” in the services search bar and click on the GuardDuty service.
  3. Select the GuardDuty Detector: In the GuardDuty console, select the GuardDuty detector for which you want to remediate the non-archived findings.
  4. Navigate to Settings: Click on the “Settings” tab in the GuardDuty console to view the settings for the selected detector.
  5. Disable Non-Archived Findings: In the settings page, locate the “Non-Archived Findings” section and toggle the switch to disable it. This will ensure that findings are automatically archived after 90 days.
  6. Save Changes: Once you have disabled the non-archived findings, click on the “Save” button to apply the changes.
  7. Verify Configuration: You can verify that the non-archived findings are disabled by checking the settings page again and ensuring that the switch is in the off position.
By following these steps, you have successfully remediated the non-archived findings enabled for GuardDuty in AWS Shield using the AWS Management Console.

To remediate the non-archived findings enabled for GuardDuty in AWS Shield using AWS CLI, you can follow these steps:
  1. Open the AWS CLI and run the following command to disable the non-archived findings in GuardDuty:
aws guardduty update-organization-configuration --detector-id <detector-id> --auto-enable --data-sources "s3Logs={enable=false}"
Replace <detector-id> with the ID of the GuardDuty detector for which you want to disable the non-archived findings.
  1. Verify that the non-archived findings are disabled by running the following command:
aws guardduty get-detector --detector-id <detector-id> --query DataSources.S3Logs
This command will return the current configuration of S3 logs for the specified GuardDuty detector.
  1. Once you have verified that the non-archived findings are disabled, you have successfully remediated the misconfiguration in AWS Shield for GuardDuty.
By following these steps, you can remediate the non-archived findings enabled for GuardDuty in AWS Shield using AWS CLI.
To remediate the non-archived findings enabled for GuardDuty in AWS Shield using Python, you can follow these steps:
  1. Import the necessary libraries:
import boto3
  1. Create a Boto3 client for GuardDuty:
guardduty = boto3.client('guardduty')
  1. List all the detectors in GuardDuty:
detectors = guardduty.list_detectors()
  1. Iterate through each detector and update the findingPublishingFrequency to “ARCHIVE”:
for detector in detectors['DetectorIds']:
    guardduty.update_detector(
        DetectorId=detector,
        FindingPublishingFrequency='ARCHIVE'
    )
  1. Verify that the findings are now being archived by checking the FindingPublishingFrequency of each detector:
for detector in detectors['DetectorIds']:
    response = guardduty.get_detector(
        DetectorId=detector
    )
    print(f"Detector {detector} finding publishing frequency: {response['FindingPublishingFrequency']}")
By following these steps and running the Python script, you can remediate the non-archived findings enabled for GuardDuty in AWS Shield.