GitHub: IbaadShaikh/aws-cloud-threat-detection-lab
# AWS Cloud Threat Detection Lab
## Project Overview
This project demonstrates a cloud-native threat detection and automated response workflow built on AWS. The lab uses AWS security services to detect suspicious activity, route findings through EventBridge, send alerts through SNS, and trigger a Lambda function for automated remediation actions.
The goal of this project is to demonstrate how cloud security teams can combine detection engineering, incident response, Infrastructure-as-Code, and automation to improve visibility and reduce response time in AWS environments.
## Features
- Cloud-native threat detection workflow
- Event-driven security automation
- Terraform and CloudFormation deployments
- Lambda-based remediation
- GuardDuty and Security Hub integration
- SNS alert notifications
- CloudTrail audit logging
## Architecture Overview
```text
CloudTrail / GuardDuty / Security Hub
            ↓
    Amazon EventBridge Rules
            ↓
  AWS Lambda Remediation Function
            ↓
      Amazon SNS Email Alerts
```
The workflow is designed to simulate a cloud-native security operations pipeline:
- CloudTrail records AWS API activity
- GuardDuty detects suspicious behavior
- Security Hub centralizes security findings
- EventBridge matches security findings
- Lambda performs automated remediation logic
- SNS sends email alert notifications
## Architecture Diagram

## AWS Services Used
- AWS CloudTrail
- Amazon GuardDuty
- AWS Security Hub
- Amazon EventBridge
- AWS Lambda
- Amazon SNS
- AWS IAM
- Amazon CloudWatch
- Amazon S3
## Technologies Used
- AWS
- Terraform
- CloudFormation
- Python
- Infrastructure-as-Code (IaC)
- Event-Driven Architecture
- Security Automation
## Key Security Concepts Demonstrated
- Cloud threat detection
- Event-driven security automation
- GuardDuty finding response
- Security Hub alert aggregation
- IAM least privilege
- Automated incident response
- CloudTrail audit logging
- SNS alerting
- Lambda-based remediation
- Infrastructure-as-Code deployment
## Repository Structure
```text
aws-cloud-threat-detection-lab/
│
├── README.md
│
├── cloudformation/
│   └── aws-threat-detection-lab.yaml
│
├── terraform/
│   ├── README.md
│   ├── main.tf
│   ├── provider.tf
│   ├── variables.tf
│   ├── outputs.tf
│   ├── terraform.tfvars
│   └── lambda/
│       └── remediation_function.py
│
├── architecture/
│   └── aws-threat-detection-architecture.png
│
├── lambda/
│   └── remediation_function.py
│
├── screenshots/
│   ├── cloudformation-stack.png
│   ├── cloudtrail-events.png
│   ├── cloudwatch-logs.png
│   ├── eventbridge-rule.png
│   ├── guardduty-findings.png
│   ├── lambda-remediation.png
│   ├── security-hub.png
│   └── sns-alert.png
│
├── policies/
│   └── lambda-remediation-policy.json
│
└── .gitignore
```
## Lambda Remediation Logic
The included Lambda function parses GuardDuty and Security Hub findings, extracts key event details, logs the event, and publishes notifications through SNS.
Potential remediation actions include:
- Quarantining suspicious EC2 instances
- Disabling exposed IAM access keys
- Removing public S3 bucket permissions
- Tagging suspicious resources for investigation
- Creating incident response tickets
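The handler below is an added example of the parse-log-notify path described above; it is not the repository's `lambda/remediation_function.py`. It assumes the SNS topic ARN is passed in an `SNS_TOPIC_ARN` environment variable and that the event arrives in the EventBridge envelope that GuardDuty findings use. The SNS client is injected so the logic can be exercised offline with the constructed sample event at the bottom; the real `lambda_handler` creates a boto3 client.

```python
"""Added example Lambda handler: parse a GuardDuty finding delivered by
EventBridge, extract key details, log them and publish an SNS alert.
Assumptions: SNS_TOPIC_ARN env var holds the topic ARN; boto3 is present
in the Lambda runtime (it is by default)."""
import json
import logging
import os

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def extract_finding_details(event: dict) -> dict:
    """Pull the fields an analyst needs from an EventBridge-wrapped finding.
    Every lookup tolerates a missing key, so a malformed event yields a
    partial record instead of an unhandled exception."""
    detail = event.get("detail") or {}
    resource = detail.get("resource") or {}
    instance = resource.get("instanceDetails") or {}
    access_key = resource.get("accessKeyDetails") or {}
    return {
        "finding_id": detail.get("id", "unknown"),
        "finding_type": detail.get("type", "unknown"),
        "severity": float(detail.get("severity") or 0),
        "account_id": detail.get("accountId", event.get("account", "unknown")),
        "region": detail.get("region", event.get("region", "unknown")),
        "resource_type": resource.get("resourceType", "unknown"),
        "instance_id": instance.get("instanceId"),
        "access_key_id": access_key.get("accessKeyId"),
    }


def severity_label(severity: float) -> str:
    """Map GuardDuty's 0-10 numeric severity onto its HIGH/MEDIUM/LOW bands."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def build_alert_message(details: dict) -> str:
    """Render a plain-text alert body for the SNS email subscription."""
    lines = [
        f"GuardDuty finding: {details['finding_type']}",
        f"Severity: {severity_label(details['severity'])} ({details['severity']})",
        f"Account: {details['account_id']}  Region: {details['region']}",
        f"Resource type: {details['resource_type']}",
    ]
    if details.get("instance_id"):
        lines.append(f"EC2 instance: {details['instance_id']}")
    if details.get("access_key_id"):
        lines.append(f"IAM access key: {details['access_key_id']}")
    lines.append(f"Finding ID: {details['finding_id']}")
    return "\n".join(lines)


def handle_finding(event: dict, sns_client, topic_arn: str) -> dict:
    """Core logic; the SNS client is injected so this runs without AWS credentials."""
    details = extract_finding_details(event)
    logger.info("Processing finding %s", json.dumps(details))
    label = severity_label(details["severity"])
    # SNS limits Subject to 100 characters, so truncate defensively.
    subject = f"[{label}] GuardDuty: {details['finding_type']}"[:100]
    sns_client.publish(TopicArn=topic_arn, Subject=subject,
                       Message=build_alert_message(details))
    return {"status": "alerted", "finding_id": details["finding_id"],
            "severity_label": label}


def lambda_handler(event, context):
    """Entry point wired to the EventBridge rule; builds the real boto3 client."""
    import boto3  # imported here so the module also loads where boto3 is absent
    return handle_finding(event, boto3.client("sns"), os.environ["SNS_TOPIC_ARN"])


class FakeSnsClient:
    """Stand-in SNS client for the offline demonstration (assumption, not boto3)."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed-message-id"}


# Constructed sample event in the EventBridge envelope used for GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "constructed-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "accountId": "111122223333",
        "region": "us-east-1",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    fake = FakeSnsClient()
    print(handle_finding(SAMPLE_EVENT, fake, "arn:aws:sns:us-east-1:111122223333:constructed-topic"))
    print(fake.published[0]["Message"])
```

Keeping `handle_finding` separate from `lambda_handler` is what makes the remediation logic unit-testable: the only AWS-specific pieces are the boto3 client and the environment variable, both of which are supplied at the edge.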
## Example Detection Flow
### Scenario
A suspicious AWS activity finding is generated by GuardDuty.
### Detection
GuardDuty creates a finding and sends it to EventBridge.
### Routing
EventBridge matches the finding pattern and triggers the Lambda remediation function.
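To make the routing step concrete, here is an added example (not the repository's rule definition) of an EventBridge event pattern for GuardDuty findings, together with a small local matcher so the routing decision can be checked offline. The matcher implements only the subset of EventBridge pattern syntax the pattern uses (exact-match value lists, nested objects and the `numeric` content filter); in production EventBridge itself evaluates the pattern. The severity threshold of 4 and the sample finding type are assumptions.

```python
"""Added example: an EventBridge rule pattern for GuardDuty findings plus a
minimal local matcher covering exact-match lists, nested keys and the
`numeric` filter. Not the repository's own rule; threshold is an assumption."""

# Pattern in EventBridge's native JSON syntax, written as a Python dict.
# Each top-level key must match; a list means "any of these values";
# {"numeric": [">=", 4]} matches medium and high severities.
GUARDDUTY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 4]}],
    },
}

NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def matches_numeric(value, spec: list) -> bool:
    """Evaluate a `numeric` filter such as [">=", 4] or [">", 0, "<=", 7]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    for op, bound in zip(spec[::2], spec[1::2]):
        if op not in NUMERIC_OPS or not NUMERIC_OPS[op](value, bound):
            return False
    return True


def matches_leaf(value, alternatives: list) -> bool:
    """A leaf list matches if any alternative matches (exact value or numeric filter)."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if matches_numeric(value, alt["numeric"]):
                return True
        elif value == alt:
            return True
    return False


def event_matches(pattern: dict, event: dict) -> bool:
    """Return True if every field in the pattern is satisfied by the event.
    Unlike EventBridge, array-valued event fields are not expanded here."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not event_matches(spec, event[key]):
                return False
        elif not matches_leaf(event[key], spec):
            return False
    return True


def make_finding_event(severity: float, source: str = "aws.guardduty") -> dict:
    """Constructed sample event in the EventBridge GuardDuty envelope."""
    return {
        "source": source,
        "detail-type": "GuardDuty Finding",
        "detail": {
            "id": "constructed-finding-id",
            "type": "Recon:EC2/PortProbeUnprotectedPort",
            "severity": severity,
        },
    }


if __name__ == "__main__":
    for sev in (2.0, 4.0, 8.5):
        print(f"severity {sev}: routed={event_matches(GUARDDUTY_RULE_PATTERN, make_finding_event(sev))}")
    # An event from a different source never reaches the Lambda.
    other = {"source": "aws.config", "detail-type": "Config Rules Compliance Change", "detail": {}}
    print("config event routed =", event_matches(GUARDDUTY_RULE_PATTERN, other))
```

Filtering on severity in the rule rather than inside the Lambda keeps low-severity noise from ever invoking the function, which both reduces cost and keeps the SNS subscription from being flooded; the handler can still apply finer-grained logic once invoked.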
### Response
Lambda logs the finding details and publishes an SNS alert.
### Notification
## CloudFormation Deployment
This repository includes a CloudFormation deployment option:
`cloudformation/aws-threat-detection-lab.yaml`
The CloudFormation template deploys:
- SNS topic and email subscription
- Lambda remediation function
- IAM role and permissions
- EventBridge rules
- Optional CloudTrail trail and encrypted S3 log bucket
### Deploy Using AWS Console
1. Open AWS CloudFormation
2. Choose Create Stack
3. Upload aws-threat-detection-lab.yaml
4. Enter your email address for alerts
5. Confirm the SNS subscription email
### Deploy Using AWS CLI
```bash
aws cloudformation create-stack \
  --stack-name aws-cloud-threat-detection-lab \
  --template-body file://cloudformation/aws-threat-detection-lab.yaml \
  --parameters ParameterKey=AlertEmail,ParameterValue=your-email@example.com \
  --capabilities CAPABILITY_NAMED_IAM
```
## Terraform Deployment
This repository also includes a Terraform deployment option:
`terraform/`
The Terraform deployment provisions:
- GuardDuty detector
- Security Hub integration
- SNS alerting
- Lambda remediation function
- IAM roles and policies
- EventBridge rules
- Optional CloudTrail logging infrastructure
### Deploy Using Terraform
1. Navigate to the Terraform folder: `cd terraform`
2. Initialize Terraform: `terraform init`
3. Review the execution plan: `terraform plan`
4. Deploy the infrastructure: `terraform apply`
5. Confirm the SNS email subscription
## Screenshots
### GuardDuty Findings

### EventBridge Rules

### Lambda Remediation Function

### CloudWatch Logs

### CloudTrail Event History

### CloudFormation Stack Deployment

### SNS Alert Configuration

## Future Improvements
- Add automated EC2 quarantine workflow
- Add Slack or Microsoft Teams alerting
- Add ticket creation through Jira or ServiceNow
- Add Security Hub custom actions
- Add AWS Config compliance rules
- Add CloudWatch security dashboards
## Author
**Ibaad Shaikh**