Getting Hands on with Amazon GuardDuty


This repository walks you through a scenario covering threat detection and remediation using Amazon GuardDuty, a managed threat detection service. The scenario simulates an attack that spans a few threat vectors, representing just a small sample of the threats that GuardDuty is able to detect.

In addition, you will look at how to view and analyze GuardDuty findings, how to send alerts based on the findings, and, finally, how to remediate findings.

The AWS CloudFormation template used for this scenario builds out the resources needed to simulate attacks and auto-remediate the GuardDuty findings using a combination of CloudWatch Event Rules and AWS Lambda Functions.

  • Level: 300
  • Duration: 1-2 hours
  • Prerequisites: AWS Account, Admin IAM User, AWS CLI
  • CSF Functions: Protect, Detect, Respond
  • CAF Components: Preventative, Detective, Responsive
  • AWS Services: Amazon CloudWatch, Amazon GuardDuty, AWS CloudTrail, AWS Lambda, Security Groups, Amazon SNS


Please use the us-west-2 (Oregon) region for this workshop.


Overview and Environment Setup


This workshop is broken up into the three scenarios below:

  1. Compromised EC2 Instance

    We will detect and remediate a compromised host using Amazon GuardDuty, Amazon CloudWatch Event Rules and AWS Lambda.

  2. Compromised IAM Credentials

    We will identify a malicious host attempting to make API calls inside our AWS environment and remediate the host manually.

  3. IAM Role Exfiltration

    We will identify that credentials have been exfiltrated from a compromised host and identify the API calls made from an external host using those credentials. In addition, we will review the automated remediation performed through AWS Lambda.

  4. Compromised S3 Bucket

    We will identify a malicious host attempting to make S3 API calls inside our AWS environment and remediate the host manually.


Summary and Environment Cleanup