How can the Security Engineer address the issue?
Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
Use GuardDuty filters with auto archiving enabled to close the findings
Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
Explanations:
Disabling the FTP rule in GuardDuty would stop it from detecting genuine FTP-related threats in the future, losing visibility into potentially anomalous behaviour on FTP servers.
Adding the FTP server to a trusted IP list would stop GuardDuty from generating findings for that address altogether, including findings for real attacks. This reduces visibility and could allow real attacks to go undetected.
Using GuardDuty filters with auto-archiving (suppression rules) lets the Security Engineer automatically archive the known false-positive findings, improving the signal-to-noise ratio; archived findings are still retained in GuardDuty, so visibility into potential real threats is not lost.
Creating an AWS Lambda function that closes findings whenever they occur would only mask the issue and could allow real attacks to be missed. It neither improves the signal-to-noise ratio nor addresses the root cause.
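The auto-archiving filter described in the third explanation, as an added example that is not part of the original page: it builds the finding criteria, checks locally which findings the rule would archive, and creates the filter with boto3. The detector ID, instance ID and the finding type (assumed to be port-probe findings on the intentionally open FTP port) are constructed assumptions.

```python
"""Added example, not from the original page: a GuardDuty suppression rule
(a filter whose action is ARCHIVE) that auto-archives the known false-positive
findings for one FTP server while every other finding still surfaces.
Detector ID, instance ID and finding type are constructed placeholders."""

DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # constructed placeholder
FTP_INSTANCE_ID = "i-0123456789abcdef0"           # constructed placeholder
# Assumption: the noise is port-probe findings on the intentionally open FTP port.
FTP_FINDING_TYPES = ["Recon:EC2/PortProbeUnprotectedPort"]


def build_ftp_suppression_criteria(instance_id, finding_types):
    """Criteria that match only the expected findings: instance ID AND type
    must both match, so the same finding type elsewhere is not hidden."""
    if not instance_id or not finding_types:
        raise ValueError("instance_id and finding_types are required")
    return {"Criterion": {
        "resource.instanceDetails.instanceId": {"Equals": [instance_id]},
        "type": {"Equals": list(finding_types)},
    }}


def _lookup(finding, dotted_path):
    """Resolve a criterion field like 'resource.instanceDetails.instanceId'
    against a finding dict (lowercase keys, as in the EventBridge event)."""
    for key in dotted_path.split("."):
        if not isinstance(finding, dict) or key not in finding:
            return None
        finding = finding[key]
    return finding


def would_be_archived(finding, criteria):
    """Local check of what the rule would do: every criterion must match."""
    return all(_lookup(finding, field) in cond["Equals"]
               for field, cond in criteria["Criterion"].items())


def create_ftp_suppression_rule(detector_id, instance_id, finding_types,
                                name="archive-expected-ftp-probes"):
    """Create the ARCHIVE filter. Archived findings stay in GuardDuty (and can
    be listed by archived status), which is why visibility is preserved."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    client = boto3.client("guardduty")
    response = client.create_filter(
        DetectorId=detector_id, Name=name, Action="ARCHIVE", Rank=1,
        Description="Auto-archive expected port probes on the public FTP server",
        FindingCriteria=build_ftp_suppression_criteria(instance_id, finding_types),
    )
    return response["Name"]
```

Calling `create_ftp_suppression_rule(DETECTOR_ID, FTP_INSTANCE_ID, FTP_FINDING_TYPES)` requires AWS credentials with `guardduty:CreateFilter`; the criteria builder and the local check run offline.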