Cloud Security Automation — Event-Driven Remediation & GuardDuty Guide
In this tutorial, you'll learn about Cloud Security Automation. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud Security automation uses event-driven architectures to detect and remediate security threats without human intervention, combining cloud detection services like GuardDuty with Serverless functions that isolate resources, revoke access, and enforce policies automatically.
What You Will Learn
How to build automated security response workflows using AWS EventBridge with Lambda, Azure Logic Apps with Sentinel, and GCP Cloud Functions with Security Command Center.
Why It Matters
Manual Incident Response takes minutes to hours. Automated response takes seconds. For cloud threats like compromised IAM keys or public storage buckets, every second matters.
Real-World Use
DodaTech's security automation platform triggers a Lambda function when GuardDuty detects a crypto mining alert. The Lambda function isolates the EC2 instance by replacing its security group, creates a forensic snapshot, and disables any access keys created in the last hour — all within 10 seconds.
Automation Architecture
flowchart LR Detection["Detection Service\nGuardDuty / Sentinel / SCC"] --> Event["Event Bus\nEventBridge / Azure Monitor / PubSub"] Event --> Function["Automation Function\nLambda / Logic App / Cloud Function"] Function --> Isolate["Isolate Resource\nSecurity Group / NSG"] Function --> Snapshot["Forensic Snapshot\nEBS / Disk Snapshot"] Function --> Revoke["Revoke Credentials\nIAM Key / SAS Token"] Function --> Notify["Notify Team\nSlack / PagerDuty / Email"] Function --> Remediate["Enforce Policy\nEnable Encryption / Block Public Access"] style Function fill:#f90,color:#fff style Detection fill:#e00,color:#fff
AWS Automation with EventBridge and Lambda
EventBridge listens for GuardDuty, Security Hub, and Macie findings and routes them to Lambda functions for remediation.
# Create a Lambda function to isolate an EC2 instance
aws lambda create-function \
--function-name isolate-instance \
--runtime python3.11 \
--role arn:aws:iam::123456789012:role/lambda-isolate-role \
--handler isolate.lambda_handler
# Create an EventBridge rule for GuardDuty findings
aws events put-rule \
--name guardduty-auto-remediate \
--event-pattern '{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"],
"detail": {
"severity": [{"numeric": [">=", 7]}],
"type": [{"prefix": "UnauthorizedAccess"}]
}
}'
# Route the rule to the Lambda function
aws events put-targets \
--rule guardduty-auto-remediate \
--targets '[
{
"Id": "isolate-instance-lambda",
"Arn": "arn:aws:lambda:us-east-1:123456789012:function:isolate-instance]
}
]'
# List all EventBridge rules for security
aws events list-rules \
--query 'Rules[?contains(Name, `security`) || contains(Name, `guardduty`) || contains(Name, `remediate`)].[Name,State]' \
--output table
# Output:
# --------------------------------
# | Name | State |
# | guardduty-auto-remediate | ENABLED |
# | securityhub-compliance | ENABLED |
# | s3-public-check | ENABLED |
# --------------------------------
Lambda function code for instance isolation (body shown as concept):
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
detail = event['detail']
instance_id = detail.get('resource', {}).get('instanceDetails', {}).get('instanceId')
if not instance_id:
return {'status': 'no_instance_found'}
ec2.modify_instance_attribute(
InstanceId=instance_id,
Groups=['sg-isolation', 'sg-forensic']
)
ec2.create_snapshot(
VolumeId=detail['resource']['instanceDetails']['ebsVolumes'][0]['volumeId'],
Description=f'Forensic snapshot for GuardDuty finding {detail.get("id")}'
)
return {'status': 'isolated', 'instance_id': instance_id}
Azure Automation with Logic Apps
Azure Logic Apps provides drag-and-drop automation triggered by Sentinel alerts.
# Create a Logic App for security automation
az logic workflow create \
--resource-group prod-rg \
--name security-auto-remediate \
--definition security-workflow.json
# security-workflow.json (simplified):
# {
# "triggers": {
# "SentinelAlert": {
# "type": "ApiConnection",
# "inputs": {
# "host": {"connection": {"name": "sentinel"}},
# "method": "get",
# "path": "/alert"
# }
# }
# },
# "actions": {
# "IsolateVM": {
# "type": "ApiConnection",
# "inputs": {
# "host": {"connection": {"name": "azurevm"}},
# "method": "post",
# "path": "/subscriptions/.../virtualMachines/prod-vm/deallocate"
# }
# },
# "NotifySlack": {
# "type": "ApiConnection",
# "inputs": {
# "host": {"connection": {"name": "slack"}},
# "method": "post",
# "path": "/messages",
# "body": {"text": "VM isolated due to security alert"}
# }
# }
# }
# }
# Enable the Logic App
az logic workflow enable --resource-group prod-rg --name security-auto-remediate
GCP Automation with Cloud Functions and SCC
Cloud Functions subscribe to PubSub topics that receive Security Command Center findings.
# Create a PubSub topic for SCC findings
gcloud pubsub topics create scc-findings
# Configure SCC to publish findings to PubSub
gcloud scc notifications create scc-pubsub-notification \
--organization 123456789012 \
--pubsub-topic projects/my-project/topics/scc-findings \
--filter 'category="OPEN_FIREWALL" OR category="PUBLIC_BUCKET_ACCESS"'
# Create a Cloud Function to auto-remediate
gcloud functions deploy auto-remediate \
--runtime python311 \
--trigger-topic scc-findings \
--entry-point remediate \
--service-account auto-remediate-sa@my-project.iam.gserviceaccount.com
# View function logs
gcloud functions logs read auto-remediate \
--limit 10
# Output:
# 2026-06-24T10:00:00Z auto-remediate Processing finding: OPEN_FIREWALL
# 2026-06-24T10:00:01Z auto-remediate Removed public access on firewall default-allow-ssh
Step Functions and Approval Gates
For destructive actions, add an approval step before execution. Use Step Functions or Logic Apps with manual approval.
Common Mistakes
- Automated remediation without approval: Destructive actions (terminating instances, deleting resources) should require human approval. Use approval gates for high-risk actions.
- No error handling: Automation functions fail. Implement retry logic, dead-letter queues, and failure notifications.
- Overly broad automation triggers: An EventBridge rule that fires on every GuardDuty finding floods the team. Scope to high-severity findings only.
- Testing in production: Automation workflows should be tested in a sandbox environment first. A buggy automation can cause widespread disruption.
- No audit trail for automated actions: Every automated action must be logged. Route automation results to CloudTrail or audit log buckets.
Practice Questions
- How does EventBridge trigger Lambda for security automation?
- What is the role of Logic Apps in Azure security automation?
- How can GCP Cloud Functions respond to SCC findings?
- Why should destructive automated actions require approval?
- How can you ensure automated actions are auditable?
Challenge
Build an automated security response system. Create an EventBridge rule that triggers on GuardDuty findings with severity 7 or higher. Write a Lambda function that isolates the affected resource, creates a forensic snapshot, and disables compromised credentials. Add a Step Function that requests human approval before terminating any resources. Deploy the equivalent workflow using Azure Logic Apps and GCP Cloud Functions.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro