AWS GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Think of GuardDuty as a security analyst who never sleeps — it watches your VPC flow logs, CloudTrail events, and DNS queries 24/7, looking for patterns that indicate compromise: crypto-mining on your EC2 instances, data exfiltration from S3, brute-force attempts against your databases, or API calls from known malicious IP addresses. The key advantage over building your own detection: GuardDuty uses machine learning trained on threat intelligence from across all of AWS, which means it catches threats most custom rule-based systems would miss.

What You’ll Learn:
```python
# remediation.py
import boto3

ec2 = boto3.client('ec2')
iam = boto3.client('iam')

ISOLATION_SG_NAME = 'guardduty-isolation'


def lambda_handler(event, context):
    # EventBridge delivers the GuardDuty finding as the event's 'detail'
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']

    print(f"Processing: {finding_type} (severity: {severity})")

    # Compromised EC2 instance
    if 'EC2' in finding_type and severity >= 7:
        instance_id = finding['resource']['instanceDetails']['instanceId']
        isolate_instance(instance_id)

    # Compromised IAM credentials
    if 'IAMUser' in finding_type and 'UnauthorizedAccess' in finding_type:
        access_key = finding['resource']['accessKeyDetails']['accessKeyId']
        disable_access_key(access_key)

    # Compromised S3 bucket (s3BucketDetails is a list in the finding JSON)
    if 'S3' in finding_type and 'Exfiltration' in finding_type:
        bucket_name = finding['resource']['s3BucketDetails'][0]['name']
        block_public_access(bucket_name)

    return {'statusCode': 200}


def isolate_instance(instance_id):
    """Move instance to isolation security group.

    This is the most critical remediation action: replace ALL security groups
    with an isolation SG that has NO ingress or egress rules. The instance
    stays running (for forensic analysis) but cannot communicate with anything.

    Common mistake: terminating the instance immediately. This destroys
    evidence. Always isolate first, snapshot the volumes for forensics, THEN
    terminate after your investigation is complete.
    """
    print(f"Isolating instance: {instance_id}")

    # Look up the instance: we need its VPC (for the SG) and its volumes
    response = ec2.describe_instances(InstanceIds=[instance_id])
    instance = response['Reservations'][0]['Instances'][0]
    vpc_id = instance['VpcId']

    # Create or get the isolation security group in that VPC
    isolation_sg = get_isolation_sg(vpc_id)

    # Replace every attached security group with the isolation SG
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[isolation_sg]
    )

    # Create snapshots for forensics
    for volume in instance.get('BlockDeviceMappings', []):
        if 'Ebs' in volume:
            volume_id = volume['Ebs']['VolumeId']
            ec2.create_snapshot(
                VolumeId=volume_id,
                Description=f'Forensic snapshot for {instance_id}',
                TagSpecifications=[{
                    'ResourceType': 'snapshot',
                    'Tags': [
                        {'Key': 'Forensic', 'Value': 'true'},
                        {'Key': 'InstanceId', 'Value': instance_id}
                    ]
                }]
            )


def disable_access_key(access_key_id):
    """Disable compromised access key"""
    print(f"Disabling access key: {access_key_id}")

    # UpdateAccessKey needs the owning user; get-access-key-last-used returns it
    user_name = iam.get_access_key_last_used(AccessKeyId=access_key_id)['UserName']

    # Set the key Inactive (keeps it on record for the investigation; delete later)
    iam.update_access_key(
        UserName=user_name,
        AccessKeyId=access_key_id,
        Status='Inactive'
    )


def block_public_access(bucket_name):
    """Block public access to bucket"""
    s3 = boto3.client('s3')
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }
    )


def get_isolation_sg(vpc_id):
    """Get or create the isolation security group (no ingress, no egress)"""
    existing = ec2.describe_security_groups(
        Filters=[
            {'Name': 'vpc-id', 'Values': [vpc_id]},
            {'Name': 'group-name', 'Values': [ISOLATION_SG_NAME]}
        ]
    )['SecurityGroups']
    if existing:
        return existing[0]['GroupId']

    sg_id = ec2.create_security_group(
        GroupName=ISOLATION_SG_NAME,
        Description='GuardDuty isolation: no ingress, no egress',
        VpcId=vpc_id
    )['GroupId']

    # A new SG has no ingress rules but AWS adds an allow-all egress rule;
    # remove it so the isolated instance cannot reach anything
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{
            'IpProtocol': '-1',
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        }]
    )
    return sg_id
```
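The Lambda above only runs if an EventBridge rule delivers GuardDuty findings to it. As an added example (not code from the original article), here are two event patterns for such a rule, one selecting by severity and one by finding-type prefix, together with a small offline matcher that covers only the pattern syntax they use, so you can check which constructed sample findings a pattern would route before deploying it.

```python
# route_findings.py: added example, not code from the original article.
# EventBridge patterns that route GuardDuty findings to the remediation Lambda
# (use one as a rule's EventPattern) plus an offline matcher for the subset of
# pattern syntax used here (literals, "prefix", "numeric"), so a pattern can be
# checked against constructed sample findings before the rule is deployed.

# Severity 7.0 and above (High and Critical), whatever the finding type
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
# Compromised-credential findings at any severity, selected by type prefix
CREDENTIAL_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "UnauthorizedAccess:IAMUser/"}]},
}
_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def _rule_matches(value, rule):
    """One pattern rule (literal or {"prefix"}/{"numeric"} dict) against one value."""
    if not isinstance(rule, dict):
        return value == rule
    if "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    if "numeric" in rule:
        spec = rule["numeric"]  # [op, bound, op, bound, ...]; every pair must hold
        return isinstance(value, (int, float)) and all(
            _OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))
    raise ValueError(f"unsupported rule: {rule}")

def matches(pattern, event):
    """True when event satisfies pattern: every pattern key must exist in the
    event, nested dicts recurse, and a list of rules matches if any rule does."""
    for key, rules in pattern.items():
        if key not in event:
            return False
        if isinstance(rules, dict):
            if not isinstance(event[key], dict) or not matches(rules, event[key]):
                return False
        elif not any(_rule_matches(event[key], r) for r in rules):
            return False
    return True

def finding_event(finding_type, severity):
    """Constructed GuardDuty finding in its EventBridge envelope (fields trimmed)."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity}}
```

A finding that lacks the key a pattern tests (for example, no `severity` field) never matches, which is the same behaviour EventBridge applies to missing fields.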
```yaml
# Enable Security Hub integration
Resources:
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    Properties:
      Tags:
        Environment: Production

# GuardDuty automatically sends findings to Security Hub
# when both are enabled in the same region
```
- Centralize management with a delegated administrator account
- Automate Response: Use EventBridge + Lambda for automated remediation
- Tune Carefully: Use suppression rules sparingly — every suppressed finding type is a blind spot. Document the business justification for each suppression rule and review them quarterly.
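An added example, not from the original article, of the review discipline the last point calls for: it audits a detector's suppression filters for a missing justification or an overdue quarterly review and reports which finding types each one hides. The `Justification` and `LastReviewed` tags, and the filter names in the constructed samples, are assumptions; `fetch_filters()` uses the real boto3 `list_filters` / `get_filter` calls.

```python
# audit_suppressions.py: added example, not code from the original article.
# Flags GuardDuty suppression (ARCHIVE) filters lacking a documented justification
# or a review in the last quarter; the 'Justification' and 'LastReviewed'
# (YYYY-MM-DD) tags are an assumed convention, not a GuardDuty feature.
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)

def suppressed_types(filt):
    """Finding types a filter archives; each one is a detection blind spot."""
    cond = filt.get('FindingCriteria', {}).get('Criterion', {}).get('type', {})
    return set(cond.get('Eq', []) + cond.get('Equals', []))

def audit_filters(filters, today_iso=None):
    """Return (filter name, problem) pairs for filters shaped like GetFilter responses."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    problems = []
    for filt in filters:
        if filt.get('Action') != 'ARCHIVE':
            continue  # NOOP filters only label findings; they hide nothing
        name, tags = filt['Name'], filt.get('Tags', {})
        if not suppressed_types(filt):
            problems.append((name, 'no finding-type criterion: suppresses broadly'))
        if not tags.get('Justification'):
            problems.append((name, 'missing Justification tag'))
        last = tags.get('LastReviewed')
        if last is None:
            problems.append((name, 'missing LastReviewed tag'))
        elif today - date.fromisoformat(last) > REVIEW_INTERVAL:
            problems.append((name, f'review overdue (last {last})'))
    return problems

def fetch_filters(detector_id):
    """Pull every filter on a detector with boto3 (makes API calls; not run offline)."""
    import boto3  # local import so the audit logic above runs without boto3
    gd = boto3.client('guardduty')
    names = []
    for page in gd.get_paginator('list_filters').paginate(DetectorId=detector_id):
        names.extend(page['FilterNames'])
    return [gd.get_filter(DetectorId=detector_id, FilterName=n) for n in names]

SAMPLE_FILTERS = [  # constructed stand-ins for GetFilter responses
    {'Name': 'scanner-noise', 'Action': 'ARCHIVE',
     'FindingCriteria': {'Criterion': {'type': {'Eq': ['Recon:EC2/PortProbeUnprotectedPort']}}},
     'Tags': {'Justification': 'Approved vulnerability scanner', 'LastReviewed': '2024-01-15'}},
    {'Name': 'low-sev', 'Action': 'ARCHIVE',
     'FindingCriteria': {'Criterion': {'severity': {'Lte': 3}}}, 'Tags': {}},
    {'Name': 'tag-only', 'Action': 'NOOP',
     'FindingCriteria': {'Criterion': {'type': {'Eq': ['Recon:EC2/Portscan']}}}},
]
```

Run `audit_filters(fetch_filters(detector_id))` against a real detector; on the samples, `audit_filters(SAMPLE_FILTERS, '2024-06-01')` reports the overdue review on `scanner-noise` and three problems on `low-sev`.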
```text
GuardDuty Pricing Model

Data Source          Pricing Basis
-----------          -------------
VPC Flow Logs        Per GB analyzed (tiered pricing)
CloudTrail Events    Per million events
DNS Logs             Per million queries
S3 Data Events       Per million events
EKS Audit Logs       Per million events
EBS Malware Scan     Per GB scanned
Runtime Monitoring   Per vCPU hour

Cost Estimation:
- Small workload (~100 EC2):  $50-100/month
- Medium workload (~500 EC2): $200-500/month
- Large enterprise:           $1,000-5,000/month

Tips:
- 30-day free trial for new detectors (use this to estimate costs)
- The biggest cost driver is VPC Flow Log volume -- reduce noise
  by using VPC endpoints (traffic to AWS services stays off flow logs)
- Use the GuardDuty usage page to see cost breakdown by data source
- S3 and EKS protection have separate pricing tiers
```