BlogCloud

Threat detection on AWS with GuardDuty and EventBridge

Turn on GuardDuty across the org and route high-severity findings to Slack and auto-remediation with EventBridge.

Feb 11, 2025·10 min readAdvanced

GuardDuty is AWS threat detection you turn on rather than build. It watches CloudTrail, VPC flow logs, and DNS for known-bad behavior — credential exfiltration, crypto-mining, calls to C2 domains — and emits findings. The work is org-wide enablement and routing findings somewhere humans (or automation) act on them.

bash — a findinglive
aws guardduty list-findings --detector-id abc
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
role creds used from 203.0.113.9 (outside your accounts)

Enable across the whole org

Delegate GuardDuty to a security account and auto-enroll every member account, including new ones — one blind spot is all an attacker needs.

bash
aws guardduty enable-organization-admin-account \
--admin-account-id 222233334444
# then: auto-enable for all existing + new member accounts

Route findings to action

eventbridge.json
{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"],
"detail": { "severity": [{ "numeric": [">=", 7] }] }
}
Only page on high severity
Filter to severity >= 7 for pages and send the rest to a dashboard. Auto-remediate the unambiguous ones (isolate an instance, revoke a session) with a Lambda target.
Go deeper in a courseAWS security for DevOps engineersDetection, IAM, and org-wide guardrails on AWS.View course

Related posts