This project sets up an automated cloud security response pipeline on AWS using:
- Amazon GuardDuty to detect threats such as port scanning, compromised credentials, or unusual activity
- Amazon SNS to send real-time alert notifications
- Amazon EventBridge to route GuardDuty findings to the alerting and remediation targets
- (Optional) AWS Lambda to automatically quarantine affected EC2 instances
- IAM to scope the permissions each service needs

Diagram (architecture/guardduty-sns-architecture.png): GuardDuty emits a finding, EventBridge matches it and notifies the SNS topic; optionally, Lambda stops the affected EC2 instance.
```
guardduty-threat-detection/
├── README.md
├── architecture/
│   └── guardduty-sns-architecture.png
├── eventbridge/
│   └── cloudwatch-event-pattern.json
├── sns/
│   └── sns-setup-instructions.md
├── iam/
│   └── guardduty-sns-lambda-policy.json
└── lambda/
    └── quarantine-instance.py
```
Setup Guide

Step 1: Enable GuardDuty
- Go to AWS Console → GuardDuty → click Enable
- Wait for the service to initialize and start scanning

Step 2: Create SNS Topic
- See sns/sns-setup-instructions.md

Step 3: Create EventBridge Rule
- Use the pattern in eventbridge/cloudwatch-event-pattern.json
- Target = SNS Topic

Step 4: Add IAM Role
- Use the policy in iam/guardduty-sns-lambda-policy.json
- Attach it to the Lambda function (if used)

Step 5: (Optional) Deploy Lambda
- Deploy lambda/quarantine-instance.py
- Triggered via EventBridge
- Stops the compromised EC2 instance
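The following is an added illustration of Steps 3 and 5 together, not the repository's own cloudwatch-event-pattern.json or quarantine-instance.py. It embeds an assumed EventBridge pattern (GuardDuty findings of severity 7 or higher), a small local matcher that approximates that rule so the handler can be exercised offline, and a Lambda handler that pulls the EC2 instance id out of the finding and stops it. The EC2 client is injected so the logic runs without AWS credentials; `RecordingEc2Client`, `make_finding`, and the sample finding are constructed for the example.

```python
"""Added example: GuardDuty finding -> EventBridge -> Lambda quarantine."""
import json

# Assumed EventBridge rule pattern, modelled on what a file like
# eventbridge/cloudwatch-event-pattern.json would hold: GuardDuty findings of
# severity 7 (High) or above. The numeric filter is EventBridge's own syntax.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

QUARANTINE_TAG = {"Key": "Quarantine", "Value": "GuardDuty"}


def finding_matches(event, pattern=EVENT_PATTERN):
    """Local approximation of the rule above (only the fields it uses)."""
    if event.get("source") not in pattern["source"]:
        return False
    if event.get("detail-type") not in pattern["detail-type"]:
        return False
    threshold = pattern["detail"]["severity"][0]["numeric"][1]
    return float(event.get("detail", {}).get("severity", 0)) >= threshold


def extract_instance_id(event):
    """Return the EC2 instance id named in the finding, or None for non-EC2 findings."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def quarantine(instance_id, ec2):
    """Tag the instance so responders can see why it stopped, then stop it."""
    ec2.create_tags(Resources=[instance_id], Tags=[QUARANTINE_TAG])
    ec2.stop_instances(InstanceIds=[instance_id])


def lambda_handler(event, context, ec2=None):
    """Entry point EventBridge would invoke; ec2 is injectable for testing."""
    if ec2 is None:
        import boto3  # imported lazily so the module runs offline without boto3
        ec2 = boto3.client("ec2")
    if not finding_matches(event):
        return {"action": "ignored", "reason": "pattern mismatch"}
    instance_id = extract_instance_id(event)
    if not instance_id:
        return {"action": "ignored", "reason": "no EC2 instance in finding"}
    quarantine(instance_id, ec2)
    return {"action": "stopped", "instanceId": instance_id,
            "findingType": event["detail"].get("type")}


class RecordingEc2Client:
    """Constructed stand-in for boto3.client("ec2") that records calls."""

    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))
        return {}

    def stop_instances(self, **kwargs):
        self.calls.append(("stop_instances", kwargs))
        return {"StoppingInstances": [{"InstanceId": i} for i in kwargs["InstanceIds"]]}


def make_finding(severity, resource_type="Instance", instance_id=None,
                 finding_type="Backdoor:EC2/C&CActivity.B!DNS"):
    """Build a constructed GuardDuty finding in EventBridge's envelope shape."""
    resource = {"resourceType": resource_type}
    if resource_type == "Instance":
        resource["instanceDetails"] = {"instanceId": instance_id}
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"type": finding_type, "severity": severity, "resource": resource},
    }


SAMPLE_EVENT = make_finding(8, instance_id="i-0123456789abcdef0")  # constructed

if __name__ == "__main__":
    client = RecordingEc2Client()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, ec2=client), indent=2))
    print(json.dumps(client.calls, indent=2))
```

Two design points worth noting: the severity filter lives in the EventBridge rule, so low-severity findings never invoke Lambda or page anyone, and the handler re-checks that filter and the resource type before acting, so a misrouted or non-EC2 finding (for example one about an access key) does nothing. Stopping an instance discards whatever is in memory; if memory forensics matters, swapping the instance's security group for an isolation group is a common alternative to `stop_instances` with the same structure.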
Tools & Services

| Tool | Purpose |
| --- | --- |
| GuardDuty | Threat detection |
| SNS | Alert delivery |
| EventBridge | Trigger on GuardDuty findings |
| Lambda | Auto-remediation (optional) |
| IAM | Secure permissions |
Status
- MVP complete
- Optional: add a Power BI dashboard for alert trends
- Improvements coming soon
Author
Wilfredo Rodriguez
AWS | Cloud Security | Automation
