Automatically Isolate Compromised EC2 Instances with GuardDuty

perd1x
2 min readJul 26, 2024


Imagine your AWS environment as a bustling city. Your EC2 instances are the vital infrastructure — hospitals, power plants, and data centers — that keep everything running smoothly. Amazon GuardDuty acts as your city’s vigilant surveillance system, always on the lookout for any suspicious activity. But once a threat is spotted, what’s the next move?

I’m here to show you a straightforward way to automatically isolate compromised EC2 instances using AWS Lambda and EventBridge. Think of it as deploying a rapid response team that swiftly locks down the affected area, ensuring your critical operations remain unaffected and secure.

What’s the Plan?

  1. GuardDuty detects a threat: it emits a finding.
  2. EventBridge captures the finding: a rule matches it and triggers a Lambda function.
  3. Lambda function acts: it swaps the compromised EC2 instance's security groups for a restrictive one, cutting the instance off from the network.

Step-by-Step Guide

1. Create a Restricted Security Group

First, create a security group with no rules at all; this is the group compromised instances get moved into.

  1. Go to the EC2 Dashboard.
  2. Click on Security Groups.
  3. Click Create Security Group.
  4. Name it something like IsolatedSecurityGroup, select the VPC that holds the instances you want to protect, and add no inbound rules.
  5. Delete the default outbound rule (all traffic to 0.0.0.0/0) that every new security group starts with.

With no inbound and no outbound rules, the group blocks every new connection in both directions, including the outbound channel malware uses to call home. Two caveats: a security group belongs to one VPC and an instance can only be moved into a group from its own VPC, so create one isolation group per VPC (and per region) where GuardDuty runs; and, per EC2's connection-tracking rules, established connections that are already tracked are not dropped the moment the group changes, so isolation stops new connections rather than instantly killing an active session.

2. Set Up the Lambda Function

Next, create a Lambda function that will modify the security group of an instance when a threat is detected.

import boto3

ISOLATION_SG = 'sg-0123456789abcdefg'  # Your restricted security group ID

def lambda_handler(event, context):
    ec2 = boto3.client('ec2')
    # EventBridge wraps the GuardDuty finding under 'detail'; the instance ID
    # sits in the finding's resource block
    instance_id = event['detail']['resource']['instanceDetails']['instanceId']
    # Replace the instance's security groups with the isolation group
    response = ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[ISOLATION_SG]
    )
    print(f"Instance {instance_id} isolated: {response}")
    return {'instanceId': instance_id, 'isolated': True}
  1. Go to the Lambda console.
  2. Click Create Function.
  3. Choose Author from Scratch.
  4. Name your function and choose a current Python runtime (Lambda has since deprecated Python 3.8, so pick a newer 3.x release).
  5. Copy and paste the script above, replacing the placeholder security group ID with the one you created in step 1.
  6. Give the function an execution role that allows ec2:ModifyInstanceAttribute plus the basic CloudWatch Logs permissions, and nothing broader; the function only ever needs to change security groups.

One limitation to know about: ModifyInstanceAttribute with Groups changes only the instance's primary network interface. If your instances carry additional ENIs, change each interface with ModifyNetworkInterfaceAttribute instead, otherwise the extra interfaces stay reachable.

3. Configure EventBridge Rule

Now, set up EventBridge to trigger the Lambda function when GuardDuty detects a threat.

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{"numeric": [">=", 4]}],
    "resource": {
      "resourceType": ["Instance"]
    }
  }
}

The severity filter uses EventBridge's numeric matching syntax; a plain [4, 7] is not a valid pattern, and JSON permits no comments. ">=" 4 matches Medium findings and everything above them (GuardDuty scores Low as 1 to 3.9, Medium as 4 to 6.9, High as 7 to 8.9 and Critical as 9 and up), so switch to [">=", 7] if only High and Critical findings should trigger isolation.

  1. Go to the EventBridge console in the same region as your GuardDuty detector; findings are published to the default event bus of the region they are raised in.
  2. Click Create Rule and choose a rule with an event pattern.
  3. Define your rule and select GuardDuty as the AWS service event source.
  4. Paste the JSON above as the event pattern.
  5. Set the target as your Lambda function; the console adds the permission EventBridge needs to invoke it.
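As an added example that is not part of the original post (and not the author's code), here is a fuller version of the step 2 handler together with a local check of the step 3 event pattern. It assumes the isolation group ID arrives in an environment variable named ISOLATION_SG_ID (my choice, with a placeholder default), isolates every network interface of the instance rather than only the primary one, skips interfaces that are already isolated so duplicate findings are harmless, and returns the groups it replaced so the change can be logged and reverted. The FakeEc2 class and SAMPLE_EVENT are constructed so the logic runs offline; in Lambda, lambda_handler wires the same function to a real boto3 client.

```python
"""Added example, not code from the original article: isolate every ENI of the
instance named in a GuardDuty finding, runnable offline with a fake EC2 client."""
import os

# Assumed deployment setting: the isolation group ID comes from an environment
# variable; the default is a placeholder to replace.
ISOLATION_SG = os.environ.get("ISOLATION_SG_ID", "sg-0123456789abcdef0")

def matches_rule(event):
    """Same test as the EventBridge pattern: a GuardDuty finding of severity
    >= 4 (Medium or above) whose resource is an EC2 instance."""
    detail = event.get("detail", {})
    return (
        event.get("source") == "aws.guardduty"
        and event.get("detail-type") == "GuardDuty Finding"
        and float(detail.get("severity", 0)) >= 4
        and detail.get("resource", {}).get("resourceType") == "Instance"
    )

def isolate_instance(ec2, event, isolation_sg=ISOLATION_SG):
    """Move every ENI of the instance in the finding into isolation_sg.
    Returns {eni_id: [previous group IDs]} for the interfaces changed;
    interfaces already isolated are skipped, so a second run is a no-op."""
    if not matches_rule(event):
        return {}
    instance_id = event["detail"]["resource"]["instanceDetails"]["instanceId"]
    # Look up the live interfaces: ModifyInstanceAttribute(Groups=...) only
    # covers the primary ENI, so change each interface individually.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    previous = {}
    for eni in instance.get("NetworkInterfaces", []):
        eni_id = eni["NetworkInterfaceId"]
        current = [g["GroupId"] for g in eni.get("Groups", [])]
        if current == [isolation_sg]:
            continue
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[isolation_sg]
        )
        previous[eni_id] = current
    return previous

def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the file runs offline."""
    import boto3

    changed = isolate_instance(boto3.client("ec2"), event)
    print(f"isolation result: {changed}")
    return changed

class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client (offline use only):
    tracks interface -> group IDs and records every modify call."""

    def __init__(self, enis):
        self.enis = {k: list(v) for k, v in enis.items()}
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [
                {"NetworkInterfaceId": eni, "Groups": [{"GroupId": g} for g in groups]}
                for eni, groups in self.enis.items()
            ],
        }]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append((NetworkInterfaceId, list(Groups)))
        self.enis[NetworkInterfaceId] = list(Groups)
        return {}

# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def demo():
    """Run the isolation logic against the fake client; returns (changed, fake)."""
    fake = FakeEc2({"eni-0aaa": ["sg-web"], "eni-0bbb": ["sg-web", "sg-db"]})
    changed = isolate_instance(fake, SAMPLE_EVENT, "sg-isolate")
    return changed, fake

if __name__ == "__main__":
    print(demo()[0])
```

Run it directly to see the mapping of interface IDs to the groups they used to carry. Because this version calls DescribeInstances and ModifyNetworkInterfaceAttribute, the execution role for the real handler needs ec2:DescribeInstances and ec2:ModifyNetworkInterfaceAttribute rather than ec2:ModifyInstanceAttribute.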

With this setup, whenever GuardDuty raises a qualifying finding, EventBridge invokes Lambda and the compromised instance is cut off from the network within seconds.

It's a simple setup, but with this automation in place you have a containment step that fires faster than a person can read the alert. Keep its limits in mind: swapping security groups stops new connections but does not remove the attacker's foothold or preserve evidence, so follow up by snapshotting the instance for forensics, investigating the finding, and replacing the instance. Test the rule with a sample finding (GuardDuty can generate them) before pointing it at production, and decide deliberately which finding types should isolate automatically; a pattern that is too broad will pull healthy instances offline on a noisy detection.

Feel free to share this guide with your team and colleagues. If you found this helpful, don’t forget to clap and spread the word. Together, we can make the cloud a safer place!

Happy securing! 🚀🔒👏
