Skip to content

Cloud Security Automation — Event-Driven Remediation & GuardDuty Guide

DodaTech Updated 2026-06-24 5 min read

In this tutorial, you'll learn about Cloud Security Automation. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud Security automation uses event-driven architectures to detect and remediate security threats without human intervention, combining cloud detection services like GuardDuty with Serverless functions that isolate resources, revoke access, and enforce policies automatically.

What You Will Learn

How to build automated security response workflows using AWS EventBridge with Lambda, Azure Logic Apps with Sentinel, and GCP Cloud Functions with Security Command Center.

Why It Matters

Manual Incident Response takes minutes to hours. Automated response takes seconds. For cloud threats like compromised IAM keys or public storage buckets, every second matters.

Real-World Use

DodaTech's security automation platform triggers a Lambda function when GuardDuty detects a crypto mining alert. The Lambda function isolates the EC2 instance by replacing its security group, creates a forensic snapshot, and disables any access keys created in the last hour — all within 10 seconds.

Automation Architecture

flowchart LR
  Detection["Detection Service\nGuardDuty / Sentinel / SCC"] --> Event["Event Bus\nEventBridge / Azure Monitor / PubSub"]
  Event --> Function["Automation Function\nLambda / Logic App / Cloud Function"]
  
  Function --> Isolate["Isolate Resource\nSecurity Group / NSG"]
  Function --> Snapshot["Forensic Snapshot\nEBS / Disk Snapshot"]
  Function --> Revoke["Revoke Credentials\nIAM Key / SAS Token"]
  Function --> Notify["Notify Team\nSlack / PagerDuty / Email"]
  Function --> Remediate["Enforce Policy\nEnable Encryption / Block Public Access"]
  
  style Function fill:#f90,color:#fff
  style Detection fill:#e00,color:#fff

AWS Automation with EventBridge and Lambda

EventBridge listens for GuardDuty, Security Hub, and Macie findings and routes them to Lambda functions for remediation.

# Create a Lambda function to isolate an EC2 instance
aws lambda create-function \
  --function-name isolate-instance \
  --runtime python3.11 \
  --role arn:aws:iam::123456789012:role/lambda-isolate-role \
  --handler isolate.lambda_handler

# Create an EventBridge rule for GuardDuty findings
aws events put-rule \
  --name guardduty-auto-remediate \
  --event-pattern '{
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
      "severity": [{"numeric": [">=", 7]}],
      "type": [{"prefix": "UnauthorizedAccess"}]
    }
  }'

# Route the rule to the Lambda function
aws events put-targets \
  --rule guardduty-auto-remediate \
  --targets '[
    {
      "Id": "isolate-instance-lambda",
      "Arn": "arn:aws:lambda:us-east-1:123456789012:function:isolate-instance]
    }
  ]'

# List all EventBridge rules for security
aws events list-rules \
  --query 'Rules[?contains(Name, `security`) || contains(Name, `guardduty`) || contains(Name, `remediate`)].[Name,State]' \
  --output table
# Output:
# --------------------------------
# | Name                    | State |
# | guardduty-auto-remediate | ENABLED |
# | securityhub-compliance   | ENABLED |
# | s3-public-check          | ENABLED |
# --------------------------------

Lambda function code for instance isolation (body shown as concept):

import boto3

ec2 = boto3.client('ec2')

def lambda_handler(event, context):
    detail = event['detail']
    instance_id = detail.get('resource', {}).get('instanceDetails', {}).get('instanceId')
    if not instance_id:
        return {'status': 'no_instance_found'}
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=['sg-isolation', 'sg-forensic']
    )
    ec2.create_snapshot(
        VolumeId=detail['resource']['instanceDetails']['ebsVolumes'][0]['volumeId'],
        Description=f'Forensic snapshot for GuardDuty finding {detail.get("id")}'
    )
    return {'status': 'isolated', 'instance_id': instance_id}

Azure Automation with Logic Apps

Azure Logic Apps provides drag-and-drop automation triggered by Sentinel alerts.

# Create a Logic App for security automation
az logic workflow create \
  --resource-group prod-rg \
  --name security-auto-remediate \
  --definition security-workflow.json

# security-workflow.json (simplified):
# {
#   "triggers": {
#     "SentinelAlert": {
#       "type": "ApiConnection",
#       "inputs": {
#         "host": {"connection": {"name": "sentinel"}},
#         "method": "get",
#         "path": "/alert"
#       }
#     }
#   },
#   "actions": {
#     "IsolateVM": {
#       "type": "ApiConnection",
#       "inputs": {
#         "host": {"connection": {"name": "azurevm"}},
#         "method": "post",
#         "path": "/subscriptions/.../virtualMachines/prod-vm/deallocate"
#       }
#     },
#     "NotifySlack": {
#       "type": "ApiConnection",
#       "inputs": {
#         "host": {"connection": {"name": "slack"}},
#         "method": "post",
#         "path": "/messages",
#         "body": {"text": "VM isolated due to security alert"}
#       }
#     }
#   }
# }

# Enable the Logic App
az logic workflow enable --resource-group prod-rg --name security-auto-remediate

GCP Automation with Cloud Functions and SCC

Cloud Functions subscribe to PubSub topics that receive Security Command Center findings.

# Create a PubSub topic for SCC findings
gcloud pubsub topics create scc-findings

# Configure SCC to publish findings to PubSub
gcloud scc notifications create scc-pubsub-notification \
  --organization 123456789012 \
  --pubsub-topic projects/my-project/topics/scc-findings \
  --filter 'category="OPEN_FIREWALL" OR category="PUBLIC_BUCKET_ACCESS"'

# Create a Cloud Function to auto-remediate
gcloud functions deploy auto-remediate \
  --runtime python311 \
  --trigger-topic scc-findings \
  --entry-point remediate \
  --service-account auto-remediate-sa@my-project.iam.gserviceaccount.com

# View function logs
gcloud functions logs read auto-remediate \
  --limit 10
# Output:
# 2026-06-24T10:00:00Z  auto-remediate  Processing finding: OPEN_FIREWALL
# 2026-06-24T10:00:01Z  auto-remediate  Removed public access on firewall default-allow-ssh

Step Functions and Approval Gates

For destructive actions, add an approval step before execution. Use Step Functions or Logic Apps with manual approval.

Common Mistakes

  1. Automated remediation without approval: Destructive actions (terminating instances, deleting resources) should require human approval. Use approval gates for high-risk actions.
  2. No error handling: Automation functions fail. Implement retry logic, dead-letter queues, and failure notifications.
  3. Overly broad automation triggers: An EventBridge rule that fires on every GuardDuty finding floods the team. Scope to high-severity findings only.
  4. Testing in production: Automation workflows should be tested in a sandbox environment first. A buggy automation can cause widespread disruption.
  5. No audit trail for automated actions: Every automated action must be logged. Route automation results to CloudTrail or audit log buckets.

Practice Questions

  1. How does EventBridge trigger Lambda for security automation?
  2. What is the role of Logic Apps in Azure security automation?
  3. How can GCP Cloud Functions respond to SCC findings?
  4. Why should destructive automated actions require approval?
  5. How can you ensure automated actions are auditable?

Challenge

Build an automated security response system. Create an EventBridge rule that triggers on GuardDuty findings with severity 7 or higher. Write a Lambda function that isolates the affected resource, creates a forensic snapshot, and disables compromised credentials. Add a Step Function that requests human approval before terminating any resources. Deploy the equivalent workflow using Azure Logic Apps and GCP Cloud Functions.

FAQ

What is Cloud Security automation?

The use of event-driven workflows to automatically detect and remediate security threats without manual intervention.

How does EventBridge integrate with Lambda for security?

EventBridge filters security events from services like GuardDuty and Security Hub, then invokes Lambda functions that execute remediation actions.

Can Azure Logic Apps automate security responses?

Yes. Logic Apps can be triggered by Sentinel alerts and execute remediation actions like isolating VMs, revoking access, and notifying teams.

Does GCP have a native security automation service?

GCP uses a combination of Security Command Center, PubSub, and Cloud Functions for security automation workflows.

What security actions should never be fully automated?

Destructive actions like terminating instances, deleting resources, or modifying production databases should include an approval gate.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro