Non Archived Findings Enabled For Guardduty
More Info:
Checks whether Amazon GuardDuty has findings that are still non-archived (the "current" findings in the console). This corresponds to the AWS Config managed rule guardduty-non-archived-findings. The rule is NON_COMPLIANT if the detector has non-archived low, medium or high severity findings older than the number of days given by the daysLowSev, daysMediumSev and daysHighSev parameters respectively. Old unarchived findings usually mean that nobody is triaging GuardDuty output, so the check is a signal about the detection and response process rather than about a single resource.
Risk Level
Low
Addresses
Configuration
Compliance Standards
CBP, RBI_MD_ITF, RBI_UCB
Triage and Remediation
Remediation
To remediate non-archived GuardDuty findings using the AWS Management Console, follow these steps. Note that there is no detector setting that turns archiving on or off: a finding becomes archived only when you archive it (manually or through a suppression rule), so remediation means triaging and archiving the findings themselves.
- Login to AWS Console: Go to https://aws.amazon.com/ and log in to your AWS account using your credentials.
- Navigate to GuardDuty Service: In the AWS Management Console, search for "GuardDuty" in the services search bar and click on the GuardDuty service. GuardDuty detectors and findings are regional, so make sure the console is set to the region reported as NON_COMPLIANT and repeat the steps for each affected region.
- Open the Findings page: Click "Findings" in the left navigation. The default filter shows current (non-archived) findings; sort by the "Updated at" column, or filter by severity, to find the findings that exceed the daysLowSev/daysMediumSev/daysHighSev thresholds.
- Triage each finding: Open the finding and review the affected resource, the actor and the action details. Remediate the root cause first (for example rotate exposed credentials, isolate the instance, tighten the bucket policy). Do not archive a finding merely to silence the rule; an archived but unhandled finding is a worse state than the original NON_COMPLIANT one.
- Archive the findings: Once a finding has been handled, select it (you can select several), open the "Actions" menu and choose "Archive". GuardDuty retains findings, archived or not, for 90 days; archiving does not delete them, it only removes them from the current view.
- Suppress known-benign findings: For findings that recur and are expected (an authorised vulnerability scanner, a known port-scan source), build a filter that matches them and save it as a suppression rule. New findings matching the rule are archived automatically, so they no longer count as non-archived while still being recorded.
- Verify Configuration: Switch the findings filter between "Current" and "Archived" to confirm that no old findings remain in the current view, then wait for the next AWS Config evaluation of the rule.
By following these steps, you have triaged and archived the outstanding GuardDuty findings using the AWS Management Console.
To remediate non-archived GuardDuty findings using the AWS CLI, you can follow these steps. Run the commands with --region set to each region that is NON_COMPLIANT.
- Find the detector ID for the region:
aws guardduty list-detectors
- List the current (non-archived) findings, oldest first. The finding criteria use GuardDuty's service.archived attribute; the sort criteria put the findings that have been unhandled longest at the top:
aws guardduty list-findings --detector-id <detector-id> --finding-criteria '{"Criterion":{"service.archived":{"Equals":["false"]}}}' --sort-criteria '{"AttributeName":"updatedAt","OrderBy":"ASC"}'
Replace <detector-id> with the ID returned by list-detectors.
- Review the findings before archiving them, so that the underlying issue is remediated rather than hidden:
aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id-1> <finding-id-2> --query 'Findings[].{Id:Id,Type:Type,Severity:Severity,UpdatedAt:UpdatedAt,Resource:Resource.ResourceType}'
- Archive the findings that have been handled. Both get-findings and archive-findings accept at most 50 finding IDs per call, so process larger lists in batches:
aws guardduty archive-findings --detector-id <detector-id> --finding-ids <finding-id-1> <finding-id-2>
- Verify that no non-archived findings remain by re-running the list command; it should now return an empty FindingIds list:
aws guardduty list-findings --detector-id <detector-id> --finding-criteria '{"Criterion":{"service.archived":{"Equals":["false"]}}}'
Once this returns no findings in each affected region, the misconfiguration has been remediated and the AWS Config rule will report COMPLIANT on its next evaluation.
To remediate non-archived GuardDuty findings using Python (boto3), you can follow these steps. There is no detector attribute that controls archiving (FindingPublishingFrequency only controls how often findings are exported and accepts FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS), so the script lists the current findings, prints them for review, and archives them.
- Import the necessary libraries:
import boto3
- Create a Boto3 client for GuardDuty (the client is regional; create one per region that is NON_COMPLIANT):
guardduty = boto3.client('guardduty')
- List all the detectors in GuardDuty:
detectors = guardduty.list_detectors()
- Iterate through each detector, collect the non-archived finding IDs (list_findings returns at most 50 IDs per page, so use the paginator) and print them for triage:
NON_ARCHIVED = {'Criterion': {'service.archived': {'Equals': ['false']}}}
paginator = guardduty.get_paginator('list_findings')
for detector in detectors['DetectorIds']:
    finding_ids = []
    for page in paginator.paginate(DetectorId=detector, FindingCriteria=NON_ARCHIVED):
        finding_ids.extend(page['FindingIds'])
    # get_findings and archive_findings accept at most 50 IDs per call
    for start in range(0, len(finding_ids), 50):
        batch = finding_ids[start:start + 50]
        for finding in guardduty.get_findings(DetectorId=detector, FindingIds=batch)['Findings']:
            print(detector, finding['Id'], finding['Type'], finding['Severity'], finding['UpdatedAt'])
        # Only archive after the findings in the batch have been reviewed and handled
        guardduty.archive_findings(DetectorId=detector, FindingIds=batch)
- Verify that no non-archived findings remain for each detector:
for detector in detectors['DetectorIds']:
    remaining = guardduty.list_findings(DetectorId=detector, FindingCriteria=NON_ARCHIVED)
    print(f"Detector {detector} non-archived findings remaining: {len(remaining['FindingIds'])}")
By following these steps and running the Python script, you can triage and archive the outstanding GuardDuty findings that cause the rule to report NON_COMPLIANT.
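The following is an added example, not code from the original page or from AWS, that reproduces the rule's decision logic offline so you can see which findings will be flagged before the Config evaluation runs. It assumes the default thresholds of 30, 7 and 1 days for daysLowSev, daysMediumSev and daysHighSev (an assumption; set them to whatever your rule is configured with), maps GuardDuty's numeric severity to the Low/Medium/High bands the parameters refer to, measures age from the finding's UpdatedAt timestamp, and runs over a constructed list of findings shaped like the output of get_findings.

```python
from datetime import datetime, timezone

# Assumed defaults for the rule's daysLowSev / daysMediumSev / daysHighSev parameters
DEFAULT_THRESHOLDS = {"Low": 30, "Medium": 7, "High": 1}


def severity_label(severity):
    """Map GuardDuty's numeric severity to the band the rule parameters use.

    GuardDuty bands: 1.0-3.9 Low, 4.0-6.9 Medium, 7.0 and above High
    (anything higher than 8.9 is treated as High here as well).
    """
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def parse_timestamp(ts):
    """GuardDuty timestamps look like 2024-03-01T10:15:00.000Z (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate_findings(findings, now, thresholds=DEFAULT_THRESHOLDS):
    """Return (status, stale).

    status is COMPLIANT or NON_COMPLIANT; stale lists every non-archived finding
    whose age in whole days exceeds the threshold for its severity band.
    """
    stale = []
    for finding in findings:
        if finding["Service"]["Archived"]:
            continue  # archived findings never count against the rule
        band = severity_label(finding["Severity"])
        age_days = (now - parse_timestamp(finding["UpdatedAt"])).days
        if age_days > thresholds[band]:
            stale.append({"Id": finding["Id"], "Band": band, "AgeDays": age_days})
    status = "NON_COMPLIANT" if stale else "COMPLIANT"
    return status, stale


# Constructed sample findings (not real GuardDuty output), evaluated at a fixed "now"
NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"Id": "finding-high-fresh", "Severity": 8.0,
     "UpdatedAt": "2024-03-31T08:00:00.000Z", "Service": {"Archived": False}},
    {"Id": "finding-high-stale", "Severity": 7.5,
     "UpdatedAt": "2024-03-28T08:00:00.000Z", "Service": {"Archived": False}},
    {"Id": "finding-medium-stale", "Severity": 5.0,
     "UpdatedAt": "2024-03-01T08:00:00.000Z", "Service": {"Archived": False}},
    {"Id": "finding-low-fresh", "Severity": 2.0,
     "UpdatedAt": "2024-03-10T08:00:00.000Z", "Service": {"Archived": False}},
    {"Id": "finding-archived", "Severity": 8.5,
     "UpdatedAt": "2024-01-01T08:00:00.000Z", "Service": {"Archived": True}},
]

if __name__ == "__main__":
    status, stale = evaluate_findings(SAMPLE_FINDINGS, NOW)
    print(status)
    for entry in stale:
        print(entry)
```

Feeding the output of get_findings (for one detector, one region) into evaluate_findings gives the list to triage first: the high-severity finding that is three days old and the medium-severity one that is a month old are flagged, while the day-old high finding, the three-week-old low finding and the archived finding are not. The low finding will cross its 30-day threshold in nine days, so a useful extension is to report findings that are within a few days of their threshold as well.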