awslabs / aws-security-automation

Collection of scripts and resources for DevSecOps and Automated Incident Response Security
Apache License 2.0
620 stars 203 forks

Contribution Proposal: Automating Incident Response with GuardDuty #7

Open phillisf opened 5 years ago

phillisf commented 5 years ago

Hello, I have a solution that takes incidents in GuardDuty, feeds them into CloudWatch Events and, using an Event Rule, triggers an SNS notification and fires a Lambda function that drops a ring-fence security group around the instance and tags it as quarantined. This is based on a session that I have been running with AWS customers in ANZ, and the feedback has been positive. I use the session to highlight some other nice features in CloudWatch Events, such as applying transforms and customizing SNS messages based on the JSON input received in the event, and the filtering options available when creating CloudWatch Events rules for GuardDuty events.

I've been working with a colleague who has packaged this up into a CloudFormation template, and we've also incorporated the high-level design schematic that I use in the aforementioned presentation.

We'd like to contribute this solution to this repository, as it seems like the most logical home for it.

Please let me know if you need additional information, files, etc.
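The Lambda step described in the proposal above, as an added example that is not the contributor's CloudFormation package nor code from this repository: a handler that reads the GuardDuty finding from the CloudWatch Events payload, ring-fences the instance in a new security group with no ingress and no egress, and tags it as quarantined. The tag key/value, the security group naming, the constructed sample finding and the `RecordingEC2` stand-in client are assumptions so the module runs offline; in Lambda the handler falls back to a real boto3 EC2 client.

```python
QUARANTINE_TAG = {"Key": "Quarantine", "Value": "GuardDuty"}  # assumed tag, not from the issue

def instance_from_finding(event):
    """Return the EC2 instance ID in a GuardDuty finding event, or None for non-instance findings."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None  # e.g. IAM/AccessKey findings carry no instance to isolate
    return resource.get("instanceDetails", {}).get("instanceId")

def quarantine_instance(ec2, instance_id, vpc_id):
    """Create an isolation SG, strip its default egress, make it the instance's only SG, tag the instance."""
    sg_id = ec2.create_security_group(GroupName=f"quarantine-{instance_id}",
                                      Description="GuardDuty quarantine", VpcId=vpc_id)["GroupId"]
    # A new security group allows all outbound traffic by default; revoke it so the host cannot call out.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])  # replaces all existing SGs
    ec2.create_tags(Resources=[instance_id], Tags=[QUARANTINE_TAG])
    return sg_id

def lambda_handler(event, context=None, ec2=None):
    """Entry point invoked by the CloudWatch Events rule; ec2 is injectable for offline testing."""
    instance_id = instance_from_finding(event)
    if instance_id is None:
        return {"action": "ignored", "findingType": event.get("detail", {}).get("type")}
    if ec2 is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        ec2 = boto3.client("ec2")
    vpc_id = event["detail"]["resource"]["instanceDetails"]["networkInterfaces"][0]["vpcId"]
    sg_id = quarantine_instance(ec2, instance_id, vpc_id)
    return {"action": "quarantined", "instanceId": instance_id, "securityGroupId": sg_id}

class RecordingEC2:
    """Constructed stand-in for boto3's EC2 client: records calls instead of touching AWS."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):  # any client method becomes a recording call
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"GroupId": "sg-0quarantine"} if name == "create_security_group" else {}
        return call

# Constructed GuardDuty finding event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"resourceType": "Instance", "instanceDetails": {
        "instanceId": "i-0123456789abcdef0", "networkInterfaces": [{"vpcId": "vpc-0abc"}]}}}}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, ec2=RecordingEC2()))
```

The Lambda role needs only ec2:CreateSecurityGroup, ec2:RevokeSecurityGroupEgress, ec2:ModifyInstanceAttribute and ec2:CreateTags for this path.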

mrxpl0it commented 5 years ago

I would be interested in seeing this CFN if you are willing to share.

Riddhisri commented 4 years ago

Please share if it is fine by you.

phillisf commented 3 years ago

Oh sorry, I didn't see these responses. Yes, let me share it here next week. Thanks for responding.