Lab: Implementing Automated Security Monitoring and Alerting with Amazon GuardDuty
Design and implement monitoring and alerting solutions for an AWS account or organization
This hands-on lab guides you through the process of designing and implementing a centralized monitoring and alerting solution using Amazon GuardDuty, Amazon EventBridge, and Amazon Simple Notification Service (SNS). This architecture is a foundational component for the AWS Certified Security - Specialty (SCS-C03) curriculum.
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges. GuardDuty offers a 30-day free trial, but SNS and EventBridge may incur costs depending on usage.
Prerequisites
To successfully complete this lab, you will need:
- An AWS Account with `AdministratorAccess` or equivalent permissions.
- AWS CLI installed and configured on your local machine.
- A valid email address to receive security alerts.
- Basic familiarity with the AWS Management Console and JSON syntax.
Learning Objectives
By the end of this lab, you will be able to:
- Enable Amazon GuardDuty to monitor for malicious activity and unauthorized behavior.
- Create an SNS Topic and subscription to facilitate automated notifications.
- Configure EventBridge Rules to filter GuardDuty findings and route them to targets.
- Test the alerting pipeline using sample findings to ensure the solution functions as designed.
Architecture Overview
Architecture diagram (not reproduced here): GuardDuty → EventBridge rule → SNS topic → email subscription. The flow of a security event from detection to notification is: the GuardDuty detector emits a finding to the default EventBridge event bus in the same region; the EventBridge rule matches on source, detail-type and severity; the rule publishes the finding to the SNS topic; SNS delivers it to the confirmed email subscription.
Step-by-Step Instructions
Step 1: Enable Amazon GuardDuty
Amazon GuardDuty is a regional threat detection service that continuously analyzes CloudTrail events, VPC Flow Logs and DNS logs for malicious activity and unauthorized behavior. Enabling it creates a "detector" for the current region; the EventBridge rule in Step 4 must be created in the same region, because findings are published to that region's event bus.

```bash
# Create a detector for the current region. This fails with a BadRequestException
# if a detector already exists here; in that case reuse it (aws guardduty list-detectors).
aws guardduty create-detector --enable
```

Console Alternative
- Navigate to the Amazon GuardDuty console.
- Click Get Started.
- Click Enable GuardDuty.
Step 2: Create an SNS Topic for Security Alerts
We need a communication channel to broadcast findings to the security team.
```bash
# Create the SNS Topic
aws sns create-topic --name "brainybee-security-alerts"
```

[!NOTE] Take note of the `TopicArn` returned in the output. You will need it for the next steps.
Step 3: Subscribe an Email to the SNS Topic
Replace <YOUR_EMAIL> with your actual email address and <TOPIC_ARN> with the ARN from Step 2.

```bash
aws sns subscribe \
  --topic-arn <TOPIC_ARN> \
  --protocol email \
  --notification-endpoint <YOUR_EMAIL>
```

[!IMPORTANT] Check your email inbox and click Confirm Subscription in the email sent by AWS. Until you do, the subscription ARN is reported as `PendingConfirmation` and nothing is delivered; the status must be "Confirmed" for alerts to reach you.
Console Alternative
- Go to Simple Notification Service > Topics.
- Select brainybee-security-alerts.
- Click Create subscription.
- Protocol: Email; Endpoint: your email address.
- Check your inbox and confirm the subscription.
Step 4: Create an EventBridge Rule for GuardDuty Findings
We will create a rule that triggers whenever GuardDuty generates a finding with a severity of 7.0 or higher. GuardDuty bands severities as Low (1.0-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0), so ">= 7.0" covers both High and Critical. A pattern that enumerates the values 7, 7.1, ... 8.9 instead silently drops Critical findings and any value not on the list; EventBridge numeric matching expresses the threshold directly.

```bash
# Create the rule (detail.severity >= 7 via EventBridge numeric matching)
aws events put-rule \
  --name "GuardDutyHighSeverityRule" \
  --event-pattern '{"source":["aws.guardduty"],"detail-type":["GuardDuty Finding"],"detail":{"severity":[{"numeric":[">=",7]}]}}' \
  --state ENABLED
```

Now, add the SNS topic as the target for this rule:
```bash
aws events put-targets \
  --rule "GuardDutyHighSeverityRule" \
  --targets "Id"="1","Arn"="<TOPIC_ARN>"
```

`put-targets` only records the target. Unlike the console, the CLI does not update the SNS topic's access policy, so the rule can match a finding and still fail to publish; see the Troubleshooting section if no email arrives.

Step 5: Test the Alerting Pipeline
Since we don't want to actually attack our account, we will generate a sample finding to trigger the rule. `Backdoor:EC2/C&CActivity.B!DNS` has severity 8 (High), so it matches the rule; sample findings carry a "[SAMPLE]" prefix in their title and do not refer to real resources in your account.

```bash
# Get your Detector ID
DETECTOR_ID=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)

# Generate sample findings
aws guardduty create-sample-findings \
  --detector-id "$DETECTOR_ID" \
  --finding-types "Backdoor:EC2/C&CActivity.B!DNS"
```

Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| SNS Subscription | Check SNS console | Subscription status should be Confirmed. |
| EventBridge Rule | Run aws events list-rules | GuardDutyHighSeverityRule should be in the list. |
| Alert Receipt | Check your email | You should receive a JSON-formatted email from SNS within 5 minutes. |
Troubleshooting
| Error/Issue | Common Cause | Fix |
|---|---|---|
| No email received | Subscription not confirmed | Check your spam folder and confirm the SNS subscription. |
| EventBridge target fails | Missing SNS resource policy (the console adds it when you pick an SNS target; the CLI does not) | Add a statement to the topic's access policy that allows the `events.amazonaws.com` service principal to `sns:Publish` to the topic. |
| GuardDuty sample fails | Incorrect Detector ID | Run aws guardduty list-detectors to verify you are using the correct ID for your region. |
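The following script is an added example, not part of the original lab, that closes the gap called out in the second troubleshooting row and checks Step 4 before any sample finding is generated. It assumes `TOPIC_ARN` from Step 2 and the rule name from Step 4; the account ID, region and event ID in the constructed finding events are placeholders. The `aws:SourceArn` condition in the topic policy is an assumption that EventBridge presents the rule ARN when it publishes to SNS; if delivery stops after applying it, drop the `Condition` block and re-test. All `aws` calls are confined to `verify_pipeline` so the helper functions run offline.

```bash
#!/usr/bin/env bash
# Added example: scope the SNS topic policy EventBridge needs when the target was
# added with the CLI, and verify the rule pattern and subscription before testing.
set -eu

RULE_NAME="${RULE_NAME:-GuardDutyHighSeverityRule}"

# Topic policy allowing only EventBridge, and only this rule, to publish.
# Assumption: EventBridge sets aws:SourceArn to the rule ARN for SNS targets.
topic_policy_json() {
  local topic_arn="$1" rule_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowEventBridgeRuleToPublish",
    "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "sns:Publish",
    "Resource": "${topic_arn}",
    "Condition": {"ArnEquals": {"aws:SourceArn": "${rule_arn}"}}
  }]
}
EOF
}

# Event pattern from Step 4: numeric match so Critical (9.0+) is not dropped.
high_severity_pattern() {
  printf '%s' '{"source":["aws.guardduty"],"detail-type":["GuardDuty Finding"],"detail":{"severity":[{"numeric":[">=",7]}]}}'
}

# Constructed GuardDuty-style event with the given severity. Only the fields that
# test-event-pattern requires are present; account/region/id are placeholders.
sample_finding_event() {
  cat <<EOF
{"version":"0","id":"00000000-0000-0000-0000-000000000000",
 "detail-type":"GuardDuty Finding","source":"aws.guardduty",
 "account":"111122223333","time":"2024-01-01T00:00:00Z","region":"us-east-1",
 "resources":[],"detail":{"type":"Backdoor:EC2/C&CActivity.B!DNS","severity":$1}}
EOF
}

# Offline mirror of the threshold the pattern asks EventBridge to apply:
# exit 0 when the severity is High or Critical (>= 7), non-zero otherwise.
severity_alerts() {
  awk -v s="$1" 'BEGIN { exit !(s + 0 >= 7) }'
}

verify_pipeline() {
  local topic_arn="$1" rule_arn
  rule_arn=$(aws events describe-rule --name "$RULE_NAME" --query Arn --output text)

  # Grant EventBridge publish rights (the console does this; the CLI does not).
  aws sns set-topic-attributes --topic-arn "$topic_arn" \
    --attribute-name Policy \
    --attribute-value "$(topic_policy_json "$topic_arn" "$rule_arn")"

  # Pattern sanity check against constructed events: 8.0 must match, 5.0 must not.
  aws events test-event-pattern --event-pattern "$(high_severity_pattern)" \
    --event "$(sample_finding_event 8.0)" | grep -q true \
    || { echo "pattern rejects a High finding" >&2; return 1; }
  aws events test-event-pattern --event-pattern "$(high_severity_pattern)" \
    --event "$(sample_finding_event 5.0)" | grep -q false \
    || { echo "pattern accepts a Medium finding" >&2; return 1; }

  # An unconfirmed subscription reports PendingConfirmation instead of an ARN.
  aws sns list-subscriptions-by-topic --topic-arn "$topic_arn" \
    --query 'Subscriptions[].SubscriptionArn' --output text | grep -q 'arn:aws:sns' \
    || { echo "no confirmed subscription on $topic_arn" >&2; return 1; }

  echo "pipeline checks passed: $RULE_NAME -> $topic_arn"
}

# Usage (after Steps 2-4): verify_pipeline "$TOPIC_ARN"
```

Run `verify_pipeline "$TOPIC_ARN"` before Step 5; a failure message names the broken link (policy, pattern or subscription) instead of leaving you waiting on an email that will never arrive.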
Clean-Up / Teardown
To avoid ongoing costs, delete the resources created during this lab.
```bash
# 1. Delete the EventBridge target and rule (a rule cannot be deleted while it still has targets)
aws events remove-targets --rule "GuardDutyHighSeverityRule" --ids "1"
aws events delete-rule --name "GuardDutyHighSeverityRule"

# 2. Delete the SNS topic (this also deletes its subscriptions)
aws sns delete-topic --topic-arn <TOPIC_ARN>

# 3. Disable GuardDuty. This deletes the detector and every finding it holds;
#    $DETECTOR_ID is the variable set in Step 5 (re-run that lookup in a new shell).
aws guardduty delete-detector --detector-id "$DETECTOR_ID"
```

Concept Review
This lab implemented a reactive detection pattern. In a production environment, you might consider these alternatives:
| Feature | GuardDuty + SNS (This Lab) | Security Hub + Step Functions |
|---|---|---|
| Primary Goal | Simple Notification | Automated Remediation |
| Complexity | Low | High |
| Use Case | Informing a human admin | Isolating a compromised EC2 instance automatically |