turbot/steampipe-mod-aws-compliance

Control: 11 GuardDuty Runtime Monitoring should be enabled

Description

This control checks whether Runtime Monitoring is enabled in Amazon GuardDuty. For a standalone account, the control fails if GuardDuty Runtime Monitoring is disabled for the account. In a multi-account environment, the control fails if GuardDuty Runtime Monitoring is disabled for the delegated GuardDuty administrator account and all member accounts.

In a multi-account environment, only the delegated GuardDuty administrator can enable or disable GuardDuty Runtime Monitoring for accounts in their organization. In addition, only the GuardDuty administrator can configure and manage the security agents that GuardDuty uses for runtime monitoring of AWS workloads and resources for accounts in the organization. GuardDuty member accounts can't enable, configure, or disable Runtime Monitoring for their own accounts.

GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats, such as Amazon EKS clusters and Amazon EC2 instances.

Remediation

For information about configuring and enabling GuardDuty Runtime Monitoring, see GuardDuty Runtime Monitoring and Enabling GuardDuty Runtime Monitoring in the Amazon GuardDuty User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_guardduty_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_guardduty_11 --share

SQL

This control uses a named query. It evaluates each GuardDuty detector (one per account and region) and reports it as ok only when the detector's features list contains a RUNTIME_MONITORING entry whose Status is ENABLED; a detector whose features list has no such entry, or lists it as DISABLED, is reported as alarm:

with runtime_monitoring as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f
  where
    f ->> 'Name' = 'RUNTIME_MONITORING'
    and f ->> 'Status' = 'ENABLED'
)
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then d.title || ' has runtime monitoring enabled.'
    else d.title || ' has runtime monitoring disabled.'
  end as reason,
  d.region,
  d.account_id
from
  aws_guardduty_detector as d
  left join runtime_monitoring as m on m.arn = d.arn
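To see exactly which detector states the query flags, here is an added example (not part of the mod or of Steampipe) that runs the control's query in plain PostgreSQL against a constructed stand-in for the aws_guardduty_detector table. The table definition, detector ARNs, account IDs and feature lists are made up for the demonstration; only the column names the query reads (arn, title, region, account_id, features) are taken from the real Steampipe table, and the JSON shape of each feature entry ({"Name": ..., "Status": ...}) follows what the GuardDuty API returns.

```sql
-- Added example, not the mod's own code: run the control's query against a
-- constructed copy of the Steampipe table so the decision logic can be
-- inspected offline. Run with: psql -f guardduty_11_demo.sql
begin;

-- Constructed stand-in for steampipe's aws_guardduty_detector; only the
-- columns the control reads are modelled, and every row is sample data.
create temporary table aws_guardduty_detector (
  arn        text primary key,
  title      text,
  region     text,
  account_id text,
  features   jsonb
);

insert into aws_guardduty_detector (arn, title, region, account_id, features) values
  -- Detector with the RUNTIME_MONITORING feature switched on.
  ('arn:aws:guardduty:us-east-1:111111111111:detector/aaaa0001', 'aaaa0001', 'us-east-1', '111111111111',
   '[{"Name": "RUNTIME_MONITORING", "Status": "ENABLED"},
     {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]'),
  -- Feature entry present but explicitly disabled.
  ('arn:aws:guardduty:us-east-1:222222222222:detector/bbbb0002', 'bbbb0002', 'us-east-1', '222222222222',
   '[{"Name": "RUNTIME_MONITORING", "Status": "DISABLED"}]'),
  -- No RUNTIME_MONITORING entry at all (feature never configured on this detector).
  ('arn:aws:guardduty:eu-west-1:333333333333:detector/cccc0003', 'cccc0003', 'eu-west-1', '333333333333',
   '[{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]'),
  -- Only the older EKS-specific feature name is enabled; the control
  -- matches on the name RUNTIME_MONITORING and nothing else.
  ('arn:aws:guardduty:eu-west-1:444444444444:detector/dddd0004', 'dddd0004', 'eu-west-1', '444444444444',
   '[{"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED"}]');

-- The control's query, unchanged apart from an order by for readable output.
with runtime_monitoring as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f
  where
    f ->> 'Name' = 'RUNTIME_MONITORING'
    and f ->> 'Status' = 'ENABLED'
)
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then d.title || ' has runtime monitoring enabled.'
    else d.title || ' has runtime monitoring disabled.'
  end as reason,
  d.region,
  d.account_id
from
  aws_guardduty_detector as d
  left join runtime_monitoring as m on m.arn = d.arn
order by
  d.account_id;

-- Discard the sample table.
rollback;
```

The four rows exercise the cases a practitioner meets in practice: only the first detector satisfies both predicates in the CTE, so it is the only row the control marks ok. A detector whose features array omits the entry produces no row from jsonb_array_elements and therefore no match, which is why "never configured" and "explicitly DISABLED" are treated the same way. The last row shows that enabling the legacy EKS-only feature name does not satisfy this control, since the query matches on the exact string RUNTIME_MONITORING.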

Tags