Profile Applicability:
Level 1
Description:
This control ensures that Amazon GuardDuty is enabled across all AWS regions within an account. GuardDuty is a continuous threat detection service that monitors AWS accounts, workloads, and data stored in Amazon S3 for malicious activity or unauthorized behavior. It uses machine learning, anomaly detection, and integrated threat intelligence to identify potential security threats.
Rationale:
GuardDuty provides an essential layer of threat detection by analyzing AWS CloudTrail logs, VPC Flow Logs, DNS logs, and EKS audit logs to identify unusual patterns, malicious behavior, or compromised credentials. Enabling GuardDuty ensures continuous monitoring for potential security incidents, helping organizations respond proactively before attackers can cause damage. Disabling GuardDuty leaves your AWS environment without native threat detection coverage.
Impact:
Positive Impact:
Provides real-time monitoring and alerting for malicious activity.
Reduces time to detect and respond to security threats.
Helps meet compliance requirements for continuous monitoring (SOC 2, ISO 27001, NIST 800-53, CIS).
Negative Impact:
Additional cost, which scales with the volume of CloudTrail events, VPC Flow Logs and DNS logs analyzed and with the optional protection plans (S3, EKS, Malware Protection) enabled in each region.
Default Value:
By default, Amazon GuardDuty is disabled for all new AWS accounts and must be explicitly enabled per region.
Pre-Requisite:
IAM permissions required:
guardduty:ListDetectors
guardduty:GetDetector
guardduty:CreateDetector
guardduty:UpdateDetector
guardduty:EnableOrganizationAdminAccount (multi-account setups only; must be called from the AWS Organizations management account)
ec2:DescribeRegions (only if the regions to check are enumerated programmatically rather than from the console region selector)
GuardDuty ingests CloudTrail management events, VPC Flow Logs and DNS query logs directly from those services through its own stream, so a configured CloudTrail trail or enabled VPC Flow Logs are not prerequisites; CloudTrail is still recommended independently for audit logging.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon GuardDuty.
Verify that GuardDuty is enabled in the current region: the Findings page should load (rather than the Get started / Enable GuardDuty page), and under Settings the detector status should read Enabled, not Suspended.
A suspended detector keeps its findings but analyzes no new activity, so it fails this control in the same way as a region with no detector.
Use the region selector (top-right corner) to check all other AWS regions.
If GuardDuty is disabled in any region, follow the implementation steps.
Implementation Plan:
Using AWS Console:
Navigate to Amazon GuardDuty from the AWS Console.
If GuardDuty is not enabled, click Enable GuardDuty.
(Optional) For multi-account environments:
From the AWS Organizations management account, designate a delegated GuardDuty administrator account under Settings; the designation is regional, so repeat it in every region you intend to cover.
From the administrator account, under Accounts, enable GuardDuty for all existing organization accounts and turn on auto-enable so that new member accounts are covered as they join.
Enable the protection plans in addition to the foundational sources. Once a detector is enabled, CloudTrail management events, VPC Flow Logs and DNS logs are always analyzed and cannot be switched off individually; the following are optional and configured per region:
S3 Protection (CloudTrail S3 data events).
EKS Protection (Kubernetes audit logs), if EKS clusters are in use.
Malware Protection for EC2, where supported in the region.
Each protection plan is billed separately, so confirm the list matches the workloads actually deployed in that region.
Once enabled, confirm the Detector ID is created for each region.
Repeat for all active AWS regions where resources are deployed.
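Walking every region in the console is tedious and easy to get wrong, so here is an added script (not part of the benchmark text and not an AWS or CIS tool) that performs the Test Plan's per-region check and, when called with fix=True, the Implementation Plan's enablement. It assumes boto3 and credentials holding the permissions listed under Pre-Requisite plus ec2:DescribeRegions; the region names, detector IDs and feature states in SAMPLE_RESPONSES are constructed for illustration, and the feature names are GuardDuty's own API identifiers for S3 Protection, EKS Protection and Malware Protection for EC2.

```python
"""Audit Amazon GuardDuty in every enabled region of the calling account and,
optionally, enable it (with the required protection plans) where it is missing.
Added example for this control, not AWS or CIS code. Assumes boto3 and an IAM
principal with the permissions listed under Pre-Requisite."""
from __future__ import annotations

from dataclasses import dataclass, field

# Protection plans this control asks for. The foundational sources (CloudTrail
# management events, VPC Flow Logs, DNS logs) are always on once a detector is
# enabled, so they are not listed here.
REQUIRED_FEATURES = ("S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION")


@dataclass
class RegionStatus:
    region: str
    detector_id: str | None
    state: str                       # "ENABLED", "SUSPENDED" or "NOT_ENABLED"
    missing_features: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return self.state == "ENABLED" and not self.missing_features


def evaluate_region(region: str, detector_ids: list[str], detector: dict | None) -> RegionStatus:
    """Classify one region from its ListDetectors and GetDetector responses."""
    if not detector_ids:
        return RegionStatus(region, None, "NOT_ENABLED", list(REQUIRED_FEATURES))
    detector_id = detector_ids[0]
    if not detector or detector.get("Status") != "ENABLED":
        # A detector whose Status is DISABLED is a suspended one: findings are
        # retained, but no new activity is analyzed, so it fails this control.
        return RegionStatus(region, detector_id, "SUSPENDED", list(REQUIRED_FEATURES))
    enabled = {f["Name"] for f in detector.get("Features", []) if f.get("Status") == "ENABLED"}
    missing = [name for name in REQUIRED_FEATURES if name not in enabled]
    return RegionStatus(region, detector_id, "ENABLED", missing)


def remediation_call(status: RegionStatus) -> dict | None:
    """Return the GuardDuty API call (method name and kwargs) that fixes a region, or None."""
    if status.compliant:
        return None
    features = [{"Name": name, "Status": "ENABLED"} for name in status.missing_features]
    if status.state == "NOT_ENABLED":
        return {"api": "create_detector", "kwargs": {"Enable": True, "Features": features}}
    # Suspended detector or missing plans: re-enable in place, keeping the Detector ID.
    return {"api": "update_detector",
            "kwargs": {"DetectorId": status.detector_id, "Enable": True, "Features": features}}


def audit_account(fix: bool = False, regions: list[str] | None = None) -> list[RegionStatus]:
    """Walk every enabled region of the account; with fix=True apply the remediation call."""
    import boto3  # imported here so the classification logic above runs without the SDK

    if regions is None:
        ec2 = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2.describe_regions(AllRegions=False)["Regions"]]
    results = []
    for region in regions:
        gd = boto3.client("guardduty", region_name=region)
        ids = gd.list_detectors()["DetectorIds"]
        detector = gd.get_detector(DetectorId=ids[0]) if ids else None
        status = evaluate_region(region, ids, detector)
        call = remediation_call(status)
        if fix and call:
            getattr(gd, call["api"])(**call["kwargs"])
            ids = gd.list_detectors()["DetectorIds"]           # re-read to confirm the fix
            status = evaluate_region(region, ids, gd.get_detector(DetectorId=ids[0]))
        results.append(status)
    return results


# Constructed sample responses (not real account data) in the shape the API returns:
# one compliant region, one missing plans, one suspended detector, one never enabled.
SAMPLE_RESPONSES = {
    "us-east-1": (["12abc34d567e8fa901bc2d34e56789f0"],
                  {"Status": "ENABLED",
                   "Features": [{"Name": n, "Status": "ENABLED"} for n in REQUIRED_FEATURES]}),
    "eu-west-1": (["98fed76c543b2a10f9e8d76c5b4a3210"],
                  {"Status": "ENABLED",
                   "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
                                {"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}]}),
    "ap-south-1": (["0a1b2c3d4e5f60718293a4b5c6d7e8f9"], {"Status": "DISABLED", "Features": []}),
    "sa-east-1": ([], None),
}


def audit_samples() -> dict[str, str]:
    """Summarize the constructed sample as region -> verdict, like a console walk would."""
    out = {}
    for region, (ids, det) in SAMPLE_RESPONSES.items():
        s = evaluate_region(region, ids, det)
        out[region] = "COMPLIANT" if s.compliant else f"{s.state} missing={s.missing_features}"
    return out


if __name__ == "__main__":
    for region, verdict in audit_samples().items():
        print(f"{region:12} {verdict}")
```

Run audit_account() first with the default fix=False and review the list before running it with fix=True; the create_detector branch also enables the protection plans, so the account starts being billed for them in every region the script touches.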
Backout Plan:
If GuardDuty needs to be paused temporarily for cost management or testing, navigate to GuardDuty → Settings and choose Suspend GuardDuty: monitoring stops, but the detector, its configuration and existing findings are retained, and it can be resumed later without losing history.
Choose Disable GuardDuty only if the detector is to be removed permanently, and confirm the action.
Note: Disabling GuardDuty deletes the detector together with all existing findings and configuration; re-enabling creates a fresh detector with a new Detector ID and no history.
Before disabling, export findings to S3, or confirm they have already been forwarded to Security Hub, if they are needed for audit continuity.
References: