Non Archived Findings Enabled For Guardduty
More Info:
Checks if Amazon GuardDuty has findings that are non-archived. The rule is NON_COMPLIANT if GuardDuty has non-archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/daysHighSev parameter.Risk Level
LowAddresses
ConfigurationCompliance Standards
CBP,RBI_MD_ITF,RBI_UCBTriage and Remediation
Remediation
Using Console
Using Console
To remediate the non-archived findings enabled for GuardDuty in AWS Shield, you can follow these steps using the AWS Management Console:
- Login to AWS Console: Go to https://aws.amazon.com/ and login to your AWS account using your credentials.
- Navigate to GuardDuty Service: In the AWS Management Console, search for “GuardDuty” in the services search bar and click on the GuardDuty service.
- Select the GuardDuty Detector: In the GuardDuty console, select the GuardDuty detector for which you want to remediate the non-archived findings.
- Navigate to Settings: Click on the “Settings” tab in the GuardDuty console to view the settings for the selected detector.
- Disable Non-Archived Findings: In the settings page, locate the “Non-Archived Findings” section and toggle the switch to disable it. This will ensure that findings are automatically archived after 90 days.
- Save Changes: Once you have disabled the non-archived findings, click on the “Save” button to apply the changes.
- Verify Configuration: You can verify that the non-archived findings are disabled by checking the settings page again and ensuring that the switch is in the off position.
Using CLI
Using CLI
To remediate the non-archived findings enabled for GuardDuty in AWS Shield using AWS CLI, you can follow these steps:Replace This command will return the current configuration of S3 logs for the specified GuardDuty detector.
- Open the AWS CLI and run the following command to disable the non-archived findings in GuardDuty:
<detector-id> with the ID of the GuardDuty detector for which you want to disable the non-archived findings.- Verify that the non-archived findings are disabled by running the following command:
- Once you have verified that the non-archived findings are disabled, you have successfully remediated the misconfiguration in AWS Shield for GuardDuty.
Using Python
Using Python
To remediate the non-archived findings enabled for GuardDuty in AWS Shield using Python, you can follow these steps:By following these steps and running the Python script, you can remediate the non-archived findings enabled for GuardDuty in AWS Shield.
- Import the necessary libraries:
- Create a Boto3 client for GuardDuty:
- List all the detectors in GuardDuty:
- Iterate through each detector and update the findingPublishingFrequency to “ARCHIVE”:
- Verify that the findings are now being archived by checking the FindingPublishingFrequency of each detector: