Implementing AWS GuardDuty with Automated Threat Response

Naveen Teja

3/2/2026

AWS GuardDuty is a managed threat detection service that continuously monitors your AWS accounts for malicious activity and unauthorized behavior. It analyzes CloudTrail management events, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds to surface findings like cryptocurrency mining, data exfiltration attempts, compromised EC2 instances, and exposed AWS credentials.

The real power of GuardDuty comes not from detection alone, but from automated remediation. When GuardDuty raises a finding, it publishes an event to Amazon EventBridge. You can build event-driven automation that responds to threats in seconds rather than waiting for a human to review a dashboard. For a HIGH severity finding like an EC2 instance communicating with a known command-and-control server, the automated response should: isolate the instance by replacing its security group with a quarantine group, take an EBS snapshot for forensics, and page the on-call engineer via PagerDuty or SNS.

The architecture below implements this automated response loop entirely in Terraform. GuardDuty findings flow through EventBridge into a Lambda function that evaluates severity, and for HIGH/CRITICAL findings automatically applies a deny-all quarantine security group to the affected instance — containing the blast radius within seconds of detection.

guardduty-response.tf
# Detector with the optional data sources enabled: S3 data events, EKS audit logs,
# and agentless malware scanning of EBS volumes attached to instances with findings.
resource "aws_guardduty_detector" "main" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

# EventBridge rule for HIGH/CRITICAL findings.
# GuardDuty severity is numeric: HIGH is 7.0-8.9 and CRITICAL is 9.0-10.0,
# so a numeric match on >= 7 selects both bands.
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name = "guardduty-high-severity"

  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7] }]
    }
  })
}

# Route findings to Lambda for automated remediation.
# aws_lambda_function.threat_response (the handler itself) is defined elsewhere in the configuration.
resource "aws_cloudwatch_event_target" "remediate" {
  rule = aws_cloudwatch_event_rule.guardduty_high.name
  arn  = aws_lambda_function.threat_response.arn
}

# EventBridge cannot invoke the function until its resource policy allows it;
# without this permission the rule matches but every delivery fails.
resource "aws_lambda_permission" "allow_eventbridge" {
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.threat_response.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.guardduty_high.arn
}

# Quarantine security group — denies all ingress/egress.
# A group with no rules blocks all inbound traffic, and because no egress block is
# declared here Terraform also removes the allow-all egress rule AWS adds by default,
# so an instance moved into this group can no longer reach the command-and-control server.
resource "aws_security_group" "quarantine" {
  name        = "quarantine-no-traffic"
  description = "Applied by GuardDuty automation — denies all traffic"
  vpc_id      = aws_vpc.main.id # aws_vpc.main is defined elsewhere in the configuration
}
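The Lambda handler that the EventBridge target above invokes is not shown on the page; the following is an added example, not the author's code, of the evaluate/isolate/snapshot/page loop described in the text. It assumes the quarantine group ID and alert topic ARN arrive in the environment variables QUARANTINE_SG_ID and ALERT_TOPIC_ARN (names chosen here), and the sample finding event and its instance ID are constructed.

```python
HIGH_SEVERITY = 7.0  # GuardDuty HIGH is 7.0-8.9, CRITICAL is 9.0-10.0

# Constructed sample of the EventBridge event GuardDuty emits (trimmed; the IDs are made up).
SAMPLE_FINDING = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def plan_response(event, threshold=HIGH_SEVERITY):
    """Decide what to do with a finding; returns (instance_id, quarantine, reason)."""
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    # Only Instance findings name an EC2 instance; IAM, S3 and other types have nothing to isolate
    instance_id = resource.get("instanceDetails", {}).get("instanceId") if resource.get("resourceType") == "Instance" else None
    if severity < threshold:
        return instance_id, False, "below threshold"
    if not instance_id:
        return None, False, "no EC2 instance in finding; notify only"
    return instance_id, True, "high/critical finding on EC2 instance"

def execute(event, ec2, sns, quarantine_sg, topic_arn):
    """Apply the plan using injected boto3 clients; returns the list of actions taken."""
    instance_id, quarantine, reason = plan_response(event)
    finding_type = event.get("detail", {}).get("type", "unknown")
    actions = []
    if quarantine:
        # 1. Isolate: replace every security group on the instance with the quarantine group
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
        actions.append(f"quarantined {instance_id}")
        # 2. Preserve evidence: snapshot each attached EBS volume before anyone touches the host
        for res in ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]:
            for inst in res["Instances"]:
                for bdm in inst.get("BlockDeviceMappings", []):
                    vol = bdm["Ebs"]["VolumeId"]
                    ec2.create_snapshot(VolumeId=vol, Description=f"GuardDuty {finding_type} {instance_id}")
                    actions.append(f"snapshot {vol}")
    # 3. Always page a human, whether or not anything was isolated
    sns.publish(TopicArn=topic_arn, Subject=f"GuardDuty {finding_type}"[:100], Message=f"{reason}; actions={actions}")
    actions.append("notified")
    return actions

def lambda_handler(event, context):
    import os, boto3  # boto3 is present in the Lambda runtime; imported here so the logic above runs offline in tests
    return execute(event, boto3.client("ec2"), boto3.client("sns"),
                   os.environ["QUARANTINE_SG_ID"], os.environ["ALERT_TOPIC_ARN"])
```

The Lambda's execution role needs ec2:ModifyInstanceAttribute, ec2:DescribeInstances, ec2:CreateSnapshot and sns:Publish, scoped as tightly as your account layout allows.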