Skip to content

guardduty-file-modification-sfn-response-cdk: Automated incident response for GuardDuty findings#3229

Open
NithinChandranR-AWS wants to merge 1 commit into
aws-samples:mainfrom
NithinChandranR-AWS:NithinChandranR-AWS-feature-guardduty-file-modification-sfn-response-cdk
Open

guardduty-file-modification-sfn-response-cdk: Automated incident response for GuardDuty findings#3229
NithinChandranR-AWS wants to merge 1 commit into
aws-samples:mainfrom
NithinChandranR-AWS:NithinChandranR-AWS-feature-guardduty-file-modification-sfn-response-cdk

Conversation

@NithinChandranR-AWS

@NithinChandranR-AWS NithinChandranR-AWS commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Description

Detect sensitive file modifications with Amazon GuardDuty, classify severity, and auto-isolate compromised instances via AWS Step Functions and AWS Lambda.

Architecture

Amazon GuardDuty → Amazon EventBridge → AWS Step Functions (severity classification) → Response actions:

  • HIGH (≥7): AWS Lambda isolates instance (replace security group, forensic EBS snapshot, tag) + Amazon SNS alert
  • MEDIUM (4-6): Amazon SNS notification only
  • LOW (<4): Log only

What makes this different from existing guardduty-malware-s3

Aspect guardduty-malware-s3 (existing) This pattern
Scope S3 object malware scanning Host-level runtime threat detection
Response Notify only (SNS) Orchestrated: isolate + snapshot + tag + notify
Framework SAM AWS CDK
Orchestration None AWS Step Functions with severity classification
Services 3 (GuardDuty, EventBridge, SNS) 6 (GuardDuty, EventBridge, SFN, Lambda, SNS, EC2)

Deployed and Tested

Stack deploys in us-east-1 (~130s). 13 CloudFormation resources created including the EventBridge rule matching GuardDuty file modification and unauthorized access findings.

…t response

Automated incident response for Amazon GuardDuty sensitive file
modification findings. AWS Step Functions classifies severity and routes:
HIGH (>=7) -> AWS Lambda isolates instance (replace SG, forensic
snapshot, tag) + Amazon SNS alert. MEDIUM -> notify only. LOW -> log.

6 services composed: Amazon GuardDuty, Amazon EventBridge, AWS Step
Functions, AWS Lambda, Amazon SNS, Amazon EC2. Fundamentally different
from existing guardduty-malware-s3 (S3 object scanning, SAM, notify
only). This pattern handles host-level runtime threats with automated
orchestrated response.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants