EndisProjects
Description
This project establishes an automated incident response pipeline using Amazon GuardDuty, EventBridge, Lambda, and SNS. When a high-severity threat is detected by GuardDuty, an EventBridge rule triggers a Lambda function that isolates the impacted EC2 instance, applies incident-related tags, and alerts the security team via SNS.
Importance
Rapid detection and automated response are critical for minimizing the impact of security threats. This workflow showcases the ability to build a scalable, real-time incident response system using native AWS tools without human intervention.
Objectives
Detect GuardDuty high-severity threats automatically
Quarantine compromised EC2 instances
Notify the Security Operations team in real time
Log all actions for auditing and forensics
Tech Stack
AWS GuardDuty
Amazon EventBridge
AWS Lambda (Python)
Amazon SNS
AWS CloudWatch
IAM Roles
Architecture Overview
GuardDuty detects suspicious activity
EventBridge filters high-severity findings
Lambda isolates EC2 instances and tags resources
SNS notifies the security team
CloudWatch logs all Lambda execution and API responses

Implementation
1. Enable GuardDuty in all regions and accounts
2. Create EventBridge rule: match severity >= 7
3. Write Lambda function to:
- Detach instance from auto-scaling groups
- Stop or quarantine instance
- Tag the instance (e.g., incident=ASG-EC2) so it is marked for investigation
4. Configure SNS topic and email/SMS subscribers
5. Attach an IAM execution role to the Lambda with sns:Publish and ec2:ModifyInstanceAttribute, plus the permissions the step 3 actions require (ec2:StopInstances, ec2:CreateTags, autoscaling:DescribeAutoScalingInstances, autoscaling:DetachInstances); scope the resources as tightly as the account layout allows
6. Deploy and test using simulated GuardDuty findings
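The following is an added example of the Lambda handler described in steps 2 to 6, not the project's own code. It includes the EventBridge rule pattern for severity >= 7, extracts the instance ID from a GuardDuty finding, detaches the instance from its Auto Scaling group, replaces its security groups with a quarantine group, stops and tags it, and publishes to SNS. The environment variable names (QUARANTINE_SG_ID, SNS_TOPIC_ARN, ALLOW_LIST), the FakeClient class, and the sample finding are assumptions constructed so the handler can be exercised offline without AWS credentials; in Lambda the real boto3 clients are used.

```python
"""Added example: GuardDuty -> EventBridge -> Lambda quarantine handler (not the project's code).
Assumed/constructed: env var names, FakeClient, SAMPLE_EVENT."""
import json
import os

# Step 2: EventBridge rule pattern. Only GuardDuty findings with severity >= 7 (High) reach Lambda.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}


def matches_rule(event):
    """Local evaluation of RULE_PATTERN so the severity threshold can be unit-tested."""
    if event.get("source") not in RULE_PATTERN["source"]:
        return False
    if event.get("detail-type") not in RULE_PATTERN["detail-type"]:
        return False
    sev = event.get("detail", {}).get("severity")
    return isinstance(sev, (int, float)) and sev >= 7


def instance_id_from_finding(detail):
    """Return the EC2 instance ID when the finding targets an instance, else None."""
    res = detail.get("resource", {})
    if res.get("resourceType") != "Instance":
        return None
    return res.get("instanceDetails", {}).get("instanceId")


def quarantine_instance(instance_id, finding, ec2, autoscaling, sns, quarantine_sg, topic_arn):
    """Steps 3-4: detach from ASG, swap security groups, stop, tag, notify. Returns an audit record."""
    actions = []
    # Detach first so the ASG does not terminate/replace the instance during the investigation.
    asg = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for inst in asg.get("AutoScalingInstances", []):
        autoscaling.detach_instances(InstanceIds=[instance_id],
                                     AutoScalingGroupName=inst["AutoScalingGroupName"],
                                     ShouldDecrementDesiredCapacity=False)
        actions.append(f"detached from ASG {inst['AutoScalingGroupName']}")
    # Network isolation: replace every security group with a deny-all quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    actions.append(f"security groups replaced with {quarantine_sg}")
    # Stop (not terminate) so the EBS volumes remain available for forensics.
    ec2.stop_instances(InstanceIds=[instance_id])
    actions.append("stopped")
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "incident", "Value": finding.get("id", "unknown")},
        {"Key": "incident-status", "Value": "quarantined"}])
    actions.append("tagged")
    record = {"instanceId": instance_id, "findingId": finding.get("id"),
              "findingType": finding.get("type"), "severity": finding.get("severity"),
              "actions": actions}
    sns.publish(TopicArn=topic_arn, Subject=f"GuardDuty quarantine: {instance_id}",
                Message=json.dumps(record, indent=2))
    return record


def lambda_handler(event, context=None, clients=None):
    """Lambda entry point. `clients` lets tests inject fakes; real invocations build boto3 clients."""
    if clients is None:
        import boto3  # imported lazily so the module loads offline without boto3
        clients = {"ec2": boto3.client("ec2"), "autoscaling": boto3.client("autoscaling"),
                   "sns": boto3.client("sns")}
    if not matches_rule(event):
        return {"status": "ignored", "reason": "not a GuardDuty finding with severity >= 7"}
    detail = event["detail"]
    instance_id = instance_id_from_finding(detail)
    if instance_id is None:
        return {"status": "ignored", "reason": "finding does not target an EC2 instance"}
    # Allow list (assumed env var) for instances that must never be auto-quarantined.
    allow_list = {i for i in os.environ.get("ALLOW_LIST", "").split(",") if i}
    if instance_id in allow_list:
        return {"status": "skipped", "reason": "instance on allow list", "instanceId": instance_id}
    record = quarantine_instance(instance_id, detail, clients["ec2"], clients["autoscaling"],
                                 clients["sns"], os.environ.get("QUARANTINE_SG_ID", "sg-quarantine"),
                                 os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:us-east-1:000000000000:sec-ops"))
    print(json.dumps(record))  # structured line for CloudWatch Logs (audit trail)
    return {"status": "quarantined", **record}


class FakeClient:
    """Constructed stand-in for a boto3 client: records calls and answers ASG membership."""
    def __init__(self, asg_name=None):
        self.calls = []
        self.asg_name = asg_name

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_auto_scaling_instances":
                return {"AutoScalingInstances":
                        [{"AutoScalingGroupName": self.asg_name}] if self.asg_name else []}
            return {}
        return call


# Constructed sample finding in EventBridge envelope form (not a real GuardDuty event).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


def run_demo():
    """Run the handler against the sample finding with fake clients; returns (result, clients)."""
    clients = {"ec2": FakeClient(), "autoscaling": FakeClient(asg_name="web-asg"), "sns": FakeClient()}
    return lambda_handler(SAMPLE_EVENT, clients=clients), clients


if __name__ == "__main__":
    print(json.dumps(run_demo()[0], indent=2))
```

For step 6, feed the handler a sample finding (as run_demo does) before wiring it to real GuardDuty sample findings; the fake clients make the order of API calls visible (ASG detach, security group swap, stop, tag, publish), which is the order a reviewer should check.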
Challenges and Resolutions
Challenge: Ensuring Lambda permissions across accounts
Resolution: Used cross-account IAM roles with trust policies that allow the Lambda execution role to assume them
Challenge: Avoiding false positives
Resolution: Added whitelisting and severity threshold logic in EventBridge and Lambda