This project demonstrates a cloud-native threat detection and automated response workflow built on AWS. The lab uses AWS security services to detect suspicious activity, route findings through EventBridge, send alerts through SNS, and trigger a Lambda function for automated remediation actions.
The goal of this project is to demonstrate how cloud security teams can combine detection engineering, incident response, Infrastructure-as-Code, and automation to improve visibility and reduce response time in AWS environments.
- Cloud-native threat detection workflow
- Event-driven security automation
- Terraform and CloudFormation deployments
- Lambda-based remediation
- GuardDuty and Security Hub integration
- SNS alert notifications
- CloudTrail audit logging
CloudTrail / GuardDuty / Security Hub
↓
Amazon EventBridge Rules
↓
AWS Lambda Remediation Function
↓
Amazon SNS Email Alerts
The workflow is designed to simulate a cloud-native security operations pipeline:
- CloudTrail records AWS API activity
- GuardDuty detects suspicious behavior
- Security Hub centralizes security findings
- EventBridge matches security findings
- Lambda performs automated remediation logic
- SNS sends email alert notifications
- AWS CloudTrail
- Amazon GuardDuty
- AWS Security Hub
- Amazon EventBridge
- AWS Lambda
- Amazon SNS
- AWS IAM
- Amazon CloudWatch
- Amazon S3
- AWS
- Terraform
- CloudFormation
- Python
- Infrastructure-as-Code (IaC)
- Event-Driven Architecture
- Security Automation
- Cloud threat detection
- Event-driven security automation
- GuardDuty finding response
- Security Hub alert aggregation
- IAM least privilege
- Automated incident response
- CloudTrail audit logging
- SNS alerting
- Lambda-based remediation
- Infrastructure-as-Code deployment
aws-cloud-threat-detection-lab/
│
├── README.md
│
├── cloudformation/
│ └── aws-threat-detection-lab.yaml
│
├── terraform/
│ ├── README.md
│ ├── main.tf
│ ├── provider.tf
│ ├── variables.tf
│ ├── outputs.tf
│ ├── terraform.tfvars
│ └── lambda/
│ └── remediation_function.py
│
├── architecture/
│ └── aws-threat-detection-architecture.png
│
├── lambda/
│ └── remediation_function.py
│
├── screenshots/
│ ├── cloudformation-stack.png
│ ├── cloudtrail-events.png
│ ├── cloudwatch-logs.png
│ ├── eventbridge-rule.png
│ ├── guardduty-findings.png
│ ├── lambda-remediation.png
│ ├── security-hub.png
│ └── sns-alert.png
│
├── policies/
│ └── lambda-remediation-policy.json
│
└── .gitignore
The included Lambda function parses GuardDuty and Security Hub findings, extracts key event details, logs the event, and publishes notifications through SNS.
Potential remediation actions include:
- Quarantining suspicious EC2 instances
- Disabling exposed IAM access keys
- Removing public S3 bucket permissions
- Tagging suspicious resources for investigation
- Creating incident response tickets
A suspicious AWS activity finding is generated by GuardDuty.
GuardDuty creates a finding and sends it to EventBridge.
EventBridge matches the finding pattern and triggers the Lambda remediation function.
Lambda logs the finding details and publishes an SNS alert.
SNS sends the alert to subscribed email endpoints.
This repository includes a CloudFormation deployment option:
cloudformation/aws-threat-detection-lab.yaml
The CloudFormation template deploys:
- SNS topic and email subscription
- Lambda remediation function
- IAM role and permissions
- EventBridge rules
- Optional CloudTrail trail and encrypted S3 log bucket
- Open AWS CloudFormation
- Choose Create Stack
- Upload aws-threat-detection-lab.yaml
- Enter your email address for alerts
- Confirm the SNS subscription email
aws cloudformation create-stack \
--stack-name aws-cloud-threat-detection-lab \
--template-body file://cloudformation/aws-threat-detection-lab.yaml \
--parameters ParameterKey=AlertEmail,ParameterValue=your-email@example.com \
--capabilities CAPABILITY_NAMED_IAMThis repository also includes a Terraform deployment option:
terraform/
The Terraform deployment provisions:
- GuardDuty detector
- Security Hub integration
- SNS alerting
- Lambda remediation function
- IAM roles and policies
- EventBridge rules
- Optional CloudTrail logging infrastructure
- Navigate to the Terraform folder
cd terraform- Initialize Terraform
terraform init- Review the execution plan
terraform plan- Deploy infrastructure
terraform apply- Confirm the SNS email subscription
- Add automated EC2 quarantine workflow
- Add Slack or Microsoft Teams alerting
- Add ticket creation through Jira or ServiceNow
- Add Security Hub custom actions
- Add AWS Config compliance rules
- Add CloudWatch security dashboards
Ibaad Shaikh