BlogCloud
Threat detection on AWS with GuardDuty and EventBridge
Turn on GuardDuty across the org and route high-severity findings to Slack and auto-remediation with EventBridge.
GuardDuty is AWS threat detection you turn on rather than build. It watches CloudTrail, VPC flow logs, and DNS for known-bad behavior — credential exfiltration, crypto-mining, calls to C2 domains — and emits findings. The work is org-wide enablement and routing findings somewhere humans (or automation) act on them.
aws guardduty list-findings --detector-id abcUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration role creds used from 203.0.113.9 (outside your accounts)Enable across the whole org
Delegate GuardDuty to a security account and auto-enroll every member account, including new ones — one blind spot is all an attacker needs.
bash
aws guardduty enable-organization-admin-account \--admin-account-id 222233334444# then: auto-enable for all existing + new member accounts
Route findings to action
eventbridge.json
{"source": ["aws.guardduty"],"detail-type": ["GuardDuty Finding"],"detail": { "severity": [{ "numeric": [">=", 7] }] }}
Only page on high severity
Filter to severity >= 7 for pages and send the rest to a dashboard. Auto-remediate the unambiguous ones (isolate an instance, revoke a session) with a Lambda target.