This project, when deployed in an AWS account, will break your application if Amazon GuardDuty detects activity related to running EC2 instances, IAM credentials or S3 buckets. This is by design. Using Amazon GuardDuty, this project monitors for malicious activity occurring in your account and automatically responds as follows:
- If Amazon GuardDuty detects malicious activity on publicly readable S3 buckets, this project blocks public access to the bucket.
- If Amazon GuardDuty detects malicious activity by IAM principals, this project revokes any active sessions.
- If Amazon GuardDuty detects malicious activity on EC2 instances, this project isolates and quarantines the instance (blocking all traffic to and from the instance).
Amazon GuardDuty is a regional service, so this project will only monitor resources in the AWS region in which it is deployed.
This project is intended to reduce the blast radius caused by a security event by isolating and quarantining instances as soon as they are detected. No resources are destroyed, so if the event is deemed a false positive, service can be restored.
- Introduction
- Architecture
- Prerequisites
- Tools and services
- Usage
- Clean up
- Reference
- Contributing
- License
## Introduction
This project sets up an automated response workflow for Amazon GuardDuty findings. Currently, EC2 finding types, a subset of S3 finding types, and IAM finding types targeting an `IAMUser` or `AssumedRole` are supported.
## Architecture
When an EC2 finding is detected, AWS Step Functions executes an AWS Lambda function that gathers evidence and quarantines the EC2 instance:
- Grabs a screenshot from the instance and uploads it to S3
- Captures metadata about the instance and uploads it to S3
- Enables termination protection on the instance
- Ensures the instance shutdown behavior is set to "Stop"
- Disables the "DeleteOnTermination" setting for all attached volumes
- Tags the instance
- Creates a snapshot of each attached EBS volume
- Acquires instance memory (written directly to S3, if possible) [NOTE: not yet supported]
- Removes any existing IAM instance profile
- Attaches a new IAM instance profile with AWS Systems Manager Session Manager (SSM) access
- Executes data-gathering commands on the instance via SSM and uploads the results to S3
- Detaches the instance from its EC2 Auto Scaling group (if applicable)
- Deregisters the instance from load balancers (if applicable)
- For each Elastic Network Interface (ENI), creates a new isolated security group in the ENI's VPC and updates the existing ENI to use the new security group
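The evidence-preservation and network-isolation steps of that list, written out as an added example (this is not the sample project's own Lambda code). The `ec2` argument is any object exposing the boto3 EC2 client methods used here, so the constructed `FakeEC2` lets the logic run offline; in AWS you would pass `boto3.client("ec2")`. Instance, ENI and VPC identifiers below are constructed placeholders.

```python
"""Added example: quarantine one EC2 instance the way the workflow above describes."""
from datetime import datetime, timezone


def isolate_instance(ec2, instance_id, finding_id):
    """Quarantine one instance; returns {eni_id: isolated_security_group_id}."""
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # Preserve evidence: block API termination and make an OS shutdown stop, not terminate.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  InstanceInitiatedShutdownBehavior={"Value": "stop"})
    # Keep every attached EBS volume even if the instance is terminated later.
    for mapping in instance.get("BlockDeviceMappings", []):
        ec2.modify_instance_attribute(InstanceId=instance_id, BlockDeviceMappings=[{
            "DeviceName": mapping["DeviceName"],
            "Ebs": {"VolumeId": mapping["Ebs"]["VolumeId"], "DeleteOnTermination": False}}])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "GuardDutyFindingId", "Value": finding_id},
        {"Key": "QuarantinedAt", "Value": datetime.now(timezone.utc).isoformat()}])

    isolated = {}
    for eni in instance["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        # One fresh group per ENI, in that ENI's VPC. A new group has no inbound rules
        # but carries a default allow-all egress rule, so that rule is revoked as well.
        sg_id = ec2.create_security_group(
            GroupName=f"quarantine-{eni_id}", VpcId=eni["VpcId"],
            Description=f"GuardDuty quarantine for {instance_id}: no traffic")["GroupId"]
        egress = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissionsEgress"]
        if egress:
            ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress)
        # Setting the group list replaces every previously attached group in one call.
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[sg_id])
        isolated[eni_id] = sg_id
    return isolated


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: canned responses, every call recorded."""
    def __init__(self):
        self.calls, self._groups = [], 0

    def _record(self, name, kwargs):
        self.calls.append((name, kwargs))
        return {}

    def describe_instances(self, **kw):
        self._record("describe_instances", kw)
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}}],
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-0111"},
                                  {"NetworkInterfaceId": "eni-0bbb", "VpcId": "vpc-0111"}]}]}]}

    def create_security_group(self, **kw):
        self._record("create_security_group", kw)
        self._groups += 1
        return {"GroupId": f"sg-quarantine{self._groups}"}

    def describe_security_groups(self, **kw):
        self._record("describe_security_groups", kw)
        return {"SecurityGroups": [{"GroupId": kw["GroupIds"][0], "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

    def __getattr__(self, name):  # every other EC2 call is simply recorded
        return lambda **kw: self._record(name, kw)


if __name__ == "__main__":
    fake = FakeEC2()
    print(isolate_instance(fake, "i-0123456789abcdef0", "finding-id-placeholder"))
    for name, kwargs in fake.calls:
        print(name, kwargs)
```

Ordering matters here: termination protection and the volume settings are applied before the network change, so a watchdog or autoscaler reacting to the lost connectivity cannot destroy evidence in the window between the two steps. Replacing the group list rather than removing individual rules also avoids touching shared security groups used by other healthy instances.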
When an S3 finding is detected, if the effective permissions of the bucket are `PUBLIC` (we are assuming that all buckets should be private in this environment), AWS Step Functions calls the S3 `PutPublicAccessBlock` API to make the bucket private.
When an IAM finding is detected, if the identity type is `IAMUser`, Step Functions attaches a policy named `AWSRevokeOlderSessions` to the IAM user to revoke any active sessions. If the identity type is `AssumedRole`, Step Functions attaches a policy named `AWSRevokeOlderSessions` to the IAM role to revoke any active sessions.
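The S3 and IAM branches just described, as an added example rather than the project's own state-machine code. `s3` and `iam` are any objects exposing the boto3 client methods used here (the constructed `Recorder` lets it run offline). The finding field paths `resource.s3BucketDetails[].publicAccess.effectivePermission` and `resource.accessKeyDetails.userType`/`userName` are assumed from GuardDuty's finding format; bucket, role and key names are constructed placeholders.

```python
"""Added example: remediate S3 and IAM findings as the workflow above describes."""
import json
from datetime import datetime, timezone

REVOKE_POLICY_NAME = "AWSRevokeOlderSessions"
FULL_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def revoke_policy_document(issued_before):
    """Deny every action to sessions whose temporary credentials predate `issued_before`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {
            "aws:TokenIssueTime": issued_before.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}


def respond_to_iam_finding(iam, finding, now=None):
    """Attach the revoke policy inline to the user or role named in the finding.
    Returns the policy name, or None when the identity type is not handled."""
    now = now or datetime.now(timezone.utc)
    details = finding["resource"]["accessKeyDetails"]  # assumed GuardDuty layout
    document = json.dumps(revoke_policy_document(now))
    if details["userType"] == "IAMUser":
        iam.put_user_policy(UserName=details["userName"],
                            PolicyName=REVOKE_POLICY_NAME, PolicyDocument=document)
    elif details["userType"] == "AssumedRole":
        iam.put_role_policy(RoleName=details["userName"],
                            PolicyName=REVOKE_POLICY_NAME, PolicyDocument=document)
    else:
        return None  # e.g. Root: nothing to attach, this needs a human
    return REVOKE_POLICY_NAME


def respond_to_s3_finding(s3, finding):
    """Block public access on every bucket the finding reports as effectively PUBLIC."""
    blocked = []
    for bucket in finding["resource"].get("s3BucketDetails", []):
        if bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
            s3.put_public_access_block(
                Bucket=bucket["name"], PublicAccessBlockConfiguration=FULL_PUBLIC_ACCESS_BLOCK)
            blocked.append(bucket["name"])
    return blocked


class Recorder:
    """Constructed stand-in for a boto3 client: records every call made on it."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


# Constructed findings, trimmed to the fields the functions read.
IAM_FINDING = {"resource": {"accessKeyDetails": {
    "userType": "AssumedRole", "userName": "app-role-placeholder",
    "accessKeyId": "ASIA-PLACEHOLDER"}}}
S3_FINDING = {"resource": {"s3BucketDetails": [
    {"name": "public-bucket-placeholder", "publicAccess": {"effectivePermission": "PUBLIC"}},
    {"name": "private-bucket-placeholder", "publicAccess": {"effectivePermission": "NOT_PUBLIC"}}]}}

if __name__ == "__main__":
    iam, s3 = Recorder(), Recorder()
    print(respond_to_iam_finding(iam, IAM_FINDING), iam.calls)
    print(respond_to_s3_finding(s3, S3_FINDING), s3.calls)
```

The `aws:TokenIssueTime` condition key is only present on requests signed with temporary credentials, so the inline deny cuts off existing role sessions and federated user sessions but leaves an IAM user's long-term access keys untouched; for an `IAMUser` finding a practitioner would also deactivate the reported access key. The policy is attached inline under a fixed name, so re-running the step for a later finding overwrites it with a newer timestamp rather than accumulating policies.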
## Prerequisites
- Python 3, installed
- AWS Command Line Interface (AWS CLI) version 2, installed
- AWS Serverless Application Model (SAM), installed
- Docker Desktop, installed
## Tools and services
- AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
- Amazon GuardDuty - Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
- AWS Step Functions - AWS Step Functions is a low-code, visual workflow service that developers use to build distributed applications, automate IT and business processes, and build data and machine learning pipelines using AWS services.
- Amazon EventBridge - Amazon EventBridge is a serverless event bus that makes it easier to build event-driven applications at scale using events generated from your applications, integrated Software-as-a-Service (SaaS) applications, and AWS services.
- AWS Systems Manager Session Manager - Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
## Usage
| Parameter | Type | Default | Description |
|---|---|---|---|
| GitHubOrg | String | aws-samples | Source code GitHub organization |
| GitHubRepo | String | amazon-guardduty-automated-response-sample | Source code GitHub repository |
The CloudFormation stack must be deployed in the same AWS account and region where a GuardDuty detector has been configured and your EC2 instances are running.
```bash
git clone https://github.com/aws-samples/amazon-guardduty-automated-response-sample
cd amazon-guardduty-automated-response-sample
sam build
sam deploy \
  --guided \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=amazon-guardduty-automated-response-sample"
```
## Clean up
Deleting the CloudFormation stack removes the Lambda functions, state machine and EventBridge rules.
```bash
sam delete
```
## Reference
This solution is inspired by these references:
- Startup Security: Techniques to Stay Secure while Building Quickly (workshop)
- AWS Security Hub Automated Response and Remediation (AWS SHARR)
- How to automate incident response in the AWS Cloud for EC2 instances
- Automated security orchestrator with AWS Step Functions
- Auto Cloud Digital Forensics Incident Response (DFIR)
- AWS Incident Response Playbook Samples
## Contributing
See CONTRIBUTING for more information.
## License
This library is licensed under the MIT-0 License. See the LICENSE file.