Cloud Security Automation
Automating response actions shortens the time between a detection and its containment:
AWS Lambda Response Function:
import logging
import os

import boto3
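def lambda_handler(event, context, ec2=None):
    """Contain the EC2 instance named in a high-severity GuardDuty finding.

    Intended as the target of an EventBridge rule on GuardDuty findings. For
    findings at or above the severity threshold whose resource is an EC2
    instance, the instance is first cut off from the network by swapping its
    security groups for an isolation group, then every attached EBS volume is
    snapshotted so the evidence survives later remediation.

    Configuration (environment variables):
        ISOLATION_SG_ID: ID (``sg-…``) of the isolation security group; it
            must exist in the instance's VPC. Defaults to the ``'sg-isolation'``
            placeholder from the original listing, which is not a valid group
            ID, so set it explicitly in the function configuration.
        SEVERITY_THRESHOLD: minimum finding severity to act on (default 7,
            the start of GuardDuty's "High" band).

    Args:
        event: EventBridge event; the GuardDuty finding is ``event['detail']``.
        context: Lambda context object (unused).
        ec2: optional pre-built EC2 client, mainly for tests. When ``None`` a
            client is created with ``boto3.client('ec2')``.

    Returns:
        None. Errors from the EC2 API propagate so the invocation is recorded
        as failed instead of silently skipping containment.

    Notes:
        * GuardDuty re-emits updated findings for the same ``id`` at a
          configurable interval, so this handler is not idempotent: each
          re-delivery repeats the isolation call (harmless) and creates a
          fresh set of snapshots. Record handled finding IDs (e.g. in a
          DynamoDB table) if duplicate snapshots are a concern.
        * The execution role needs only ``ec2:ModifyInstanceAttribute``,
          ``ec2:DescribeVolumes``, ``ec2:CreateSnapshot`` and
          ``ec2:CreateTags`` (for the snapshot tags).
    """
    logger = logging.getLogger(__name__)
    finding = event.get('detail') or {}
    threshold = float(os.environ.get('SEVERITY_THRESHOLD', '7'))
    # A finding without a severity is not actionable; treat it as 0.
    if finding.get('severity', 0) < threshold:
        return None

    # A finding describes exactly one resource; instanceDetails is a single
    # object (not a list) and is only present when resourceType is "Instance".
    # Iterating over it, as the original listing did, would walk its keys.
    instance_details = finding.get('resource', {}).get('instanceDetails') or {}
    instance_id = instance_details.get('instanceId')
    if not instance_id:
        logger.info("finding %s does not concern an EC2 instance; nothing to isolate",
                    finding.get('id'))
        return None

    if ec2 is None:
        ec2 = boto3.client('ec2')

    # Isolate before snapshotting so the instance cannot keep communicating
    # while the (slower) snapshot calls run.
    _isolate_instance(ec2, instance_id)
    _snapshot_volumes(ec2, instance_id, finding.get('id'))
    logger.info("isolated and snapshotted %s for finding %s", instance_id, finding.get('id'))
    return None


def _isolate_instance(ec2, instance_id):
    """Replace the instance's security groups with the isolation group.

    ``Groups`` replaces the entire group set, so only the isolation group
    remains afterwards. NOTE(review): this presumably affects only the primary
    network interface; instances with additional ENIs would need
    ModifyNetworkInterfaceAttribute per interface — confirm for your fleet.
    """
    isolation_sg = os.environ.get('ISOLATION_SG_ID', 'sg-isolation')
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])


def _snapshot_volumes(ec2, instance_id, finding_id):
    """Snapshot every EBS volume attached to ``instance_id``, tagged with the finding ID."""
    volumes = ec2.describe_volumes(
        Filters=[{'Name': 'attachment.instance-id', 'Values': [instance_id]}]
    )
    for volume in volumes.get('Volumes', []):
        ec2.create_snapshot(
            VolumeId=volume['VolumeId'],
            Description=f"IR snapshot for finding {finding_id}",
            # Tag so the snapshots can be found (and retained) by finding later.
            TagSpecifications=[{
                'ResourceType': 'snapshot',
                'Tags': [{'Key': 'GuardDutyFindingId', 'Value': str(finding_id)}],
            }],
        )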