Day 02 AWS GuardDuty Automation | Automatically Quarantine Compromised EC2 Instances
Author: Saikiran Pinapathruni
Uploaded: 2026-01-10
Views: 753
In this video, I demonstrate a real-world AWS security automation where a compromised EC2 instance is automatically quarantined the moment Amazon GuardDuty detects suspicious activity.
This project is designed the same way it’s done in production environments — minimal permissions, event-driven architecture, and zero manual intervention.
Phase 1 – Environment & Security Setup
Enable Amazon GuardDuty
Create a VPC and required networking
Create a Quarantine Security Group (no inbound / outbound rules)
Create a minimal IAM role using AmazonSSMManagedInstanceCore
Launch an EC2 instance and attach the role
(⚠️ Quarantine SG is NOT attached initially)
🔹 Phase 2 – Automation & Detection
Create an IAM role for Lambda with required permissions
Build the Lambda function to attach the Quarantine SG
Configure Amazon EventBridge for GuardDuty findings
Add triggers to invoke Lambda automatically
Generate a GuardDuty finding to test the flow
🚨 What Happens Automatically?
GuardDuty detects malicious activity
EventBridge triggers Lambda
Lambda replaces the EC2 Security Group
Instance is fully isolated (quarantined) from the network
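The Lambda step of the flow above, as an added example (not the code from the video or its repository). It goes slightly beyond the description by replacing the groups on every network interface of the instance, not just the primary one; the `QUARANTINE_SG_ID` variable name, the placeholder IDs and the sample event are assumptions constructed for illustration.

```python
import os

# Assumed env var name; the fallback is a placeholder, not a real group ID.
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-0123456789abcdef0")

# Constructed sample of the EventBridge envelope for a GuardDuty finding (trimmed).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


def instance_id_from_finding(event):
    """Return the EC2 instance ID named in a GuardDuty finding, or None."""
    if event.get("source") != "aws.guardduty":
        return None
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None  # e.g. IAM access key or S3 findings: nothing to isolate
    return resource.get("instanceDetails", {}).get("instanceId")


def quarantine(ec2, instance_id, sg_id=QUARANTINE_SG_ID):
    """Replace the groups on every ENI with sg_id; return what was replaced."""
    changed = []
    for res in ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]:
        for inst in res["Instances"]:
            for eni in inst.get("NetworkInterfaces", []):
                previous = [g["GroupId"] for g in eni.get("Groups", [])]
                if previous == [sg_id]:
                    continue  # already isolated, so repeated findings are no-ops
                ec2.modify_network_interface_attribute(
                    NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[sg_id])
                changed.append({"eni": eni["NetworkInterfaceId"], "previous": previous})
    return changed


def lambda_handler(event, context, ec2=None):
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"quarantined": False}
    if ec2 is None:
        import boto3  # imported here so the logic above runs without AWS access
        ec2 = boto3.client("ec2")
    changed = quarantine(ec2, instance_id)
    print({"instance": instance_id, "changed": changed})  # prior groups, for rollback
    return {"quarantined": True, "instance": instance_id, "changed": changed}
```

For this code the function's role needs only `ec2:DescribeInstances` and `ec2:ModifyNetworkInterfaceAttribute`, and the EventBridge rule pattern that matches these events is `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`.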
Why this project matters
Real AWS incident response automation
Used in SOC, Cloud Security & DevOps teams
Interview-ready production security project
Covers GuardDuty, Lambda, EventBridge, IAM, EC2
Perfect for DevOps & Cloud Security portfolios
If you’re serious about AWS Security, DevOps automation, or real-time incident response, this project is a must-have.
👉 Like, share & subscribe for more real AWS projects.
GitHub : https://github.com/saikiranpi/masteri...
Docker : https://hub.docker.com/u/kiran2361993
LinkedIn : / saikiranpinapathruni
Medium : / pinapathrunisaikiran
Buy Me a Coffee : https://buymeacoffee.com/saikiranpi
Book 1:1 call : https://topmate.io/pinapathruni_saikiran
#aws #guardduty #devops #cloudsecurity #awssecurity #lambda #EventBridge #ec2 #incidentresponse #devsecops