Monitoring GuardDuty Findings with Amazon CloudWatch Events


Last updated on May 27, 2023

Large-scale cyber attacks are now becoming normal in this age of interconnectivity. As we rely more and more on cloud technologies, companies are looking to tap into digital innovations to improve their businesses. Cyber attacks are costing companies millions of dollars in downtime, not to mention the possibility of lawsuits whenever an attack occurs. It is imperative that security teams have the means to prevent, detect, and take action to ensure that the security of their workloads in AWS is airtight.

Amazon GuardDuty was released during the 2017 re:Invent conference. Amazon GuardDuty is an agentless threat detection service that continuously monitors your AWS account and workloads. GuardDuty ingests data across multiple AWS services such as VPC flow logs, CloudTrail, and DNS logs, and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential attacks.

In this article, we will be using SNS topics and CloudWatch Events to automatically notify you via email of GuardDuty findings depending on their severity. 

Monitoring GuardDuty Findings with Amazon CloudWatch Events

1. To start, we need to go to the GuardDuty console and click “Enable GuardDuty”.


2. Your GuardDuty console will probably be empty, especially if you launch GuardDuty on a fresh account. We will populate it later by using sample findings.


3. We need to create an SNS topic that will allow us to send notifications.

    1. Head over to SNS. 
    2. Create a topic and name your topic. 
    3. Click “Create topic”.


4. Create an SNS subscription for your topic.

    1. Specify the SNS topic you just created.
    2. Under protocol, choose Email.
    3. Enter the email address where you want to receive the CloudWatch events.
    4. Click “Create subscription”.


5. Now we need to create a CloudWatch Events rule to send events to the SNS topic.

    1. Head over to CloudWatch.
    2. Look for the “Rules” tab and click it.


6. Create a CloudWatch Events Rule


    1. Click “Create Rule”
    2. Toggle “Event Pattern”
    3. For the service name, look for GuardDuty
    4. For the event type, select GuardDuty finding
    5. Click “Edit” to modify the Event Pattern Preview and paste the JSON below. This pattern only alerts you for medium- and high-severity findings, i.e. the severity values from 4 up to 8.9 listed in the pattern; low-severity findings (below 4) are ignored.

{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ],
  "detail": {
    "severity": [
      4,
      4.0,
      4.1,
      4.2,
      4.3,
      4.4,
      4.5,
      4.6,
      4.7,
      4.8,
      4.9,
      5,
      5.0,
      5.1,
      5.2,
      5.3,
      5.4,
      5.5,
      5.6,
      5.7,
      5.8,
      5.9,
      6,
      6.0,
      6.1,
      6.2,
      6.3,
      6.4,
      6.5,
      6.6,
      6.7,
      6.8,
      6.9,
      7,
      7.0,
      7.1,
      7.2,
      7.3,
      7.4,
      7.5,
      7.6,
      7.7,
      7.8,
      7.9,
      8,
      8.0,
      8.1,
      8.2,
      8.3,
      8.4,
      8.5,
      8.6,
      8.7,
      8.8,
      8.9
    ]
  }
}


7. Create Target

    1. On the “Targets” section, click “Add target” and specify the SNS topic you created.
    2. Under “Configure Input”, click on “Input Transformer”.
    3. Paste the following code for Input path and Input template then click “Configure Details”.

INPUT PATH

{
  "severity": "$.detail.severity",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}

INPUT TEMPLATE

"You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>."
"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
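To see what the rule does before wiring it up in the console, here is an added example (it is not part of the original tutorial, nor AWS or Tutorials Dojo code) that runs the severity pattern from step 6 and the input transformer from step 7 over a constructed sample finding. It reimplements a small subset of the EventBridge matching rules (EventBridge is the engine behind CloudWatch Events): enumerated numbers are compared by their textual form, which is why the page's pattern lists both 4 and 4.0, and it also shows an equivalent, much shorter pattern using EventBridge numeric matching (`{"numeric": [">=", 4, "<=", 8.9]}`). The sample event, its finding id and its description are constructed placeholder values, and `with_severity`, `event_matches` and `render_notification` are helper names chosen for this example.

```python
import json
import operator

# Constructed sample GuardDuty finding event, trimmed to the fields the rule reads.
# The event id, finding id and description are placeholders, not real data.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",  # placeholder finding id
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "description": "Constructed sample: an unprotected port is being probed.",
    },
}

# The page's pattern: every medium and high severity value spelled out. The integer
# and x.0 forms are both listed because enumerated numbers match on their text form.
PAGE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [4, 5, 6, 7, 8] + [n / 10 for n in range(40, 90)]},
}

# Equivalent pattern using EventBridge numeric matching (assumed to be the rule
# engine's behaviour; this matcher implements the same semantics locally).
COMPACT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4, "<=", 8.9]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _leaf_matches(candidates, actual):
    """Match one pattern leaf (list of allowed values or numeric specs) against a field."""
    for candidate in candidates:
        if isinstance(candidate, dict) and "numeric" in candidate:
            spec = candidate["numeric"]  # e.g. [">=", 4, "<=", 8.9]
            if _is_number(actual) and all(
                _OPS[op](actual, bound) for op, bound in zip(spec[0::2], spec[1::2])
            ):
                return True
        elif _is_number(candidate):
            # Text-level comparison: 4 and 4.0 are different tokens, as in EventBridge.
            if _is_number(actual) and json.dumps(candidate) == json.dumps(actual):
                return True
        elif candidate == actual:
            return True
    return False


def event_matches(pattern, event):
    """Simplified EventBridge matching: every key in the pattern must match the event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif not _leaf_matches(expected, event[key]):
            return False
    return True


# The page's input path, and its template joined into one string (the console takes
# it as the quoted lines shown above and strips the quotes when rendering).
INPUT_PATH = {
    "severity": "$.detail.severity",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}
INPUT_TEMPLATE = (
    "You have a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region.\n"
    "Finding Description:\n<Finding_description>.\n"
    "For more details open the GuardDuty console at "
    "https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
)


def _resolve(event, json_path):
    """Resolve a simple '$.a.b' JSONPath against the event dict."""
    node = event
    for part in json_path.removeprefix("$.").split("."):
        node = node[part]
    return node


def render_notification(event, input_path=INPUT_PATH, template=INPUT_TEMPLATE):
    """Apply the input transformer: extract the fields, then fill in the <name> slots."""
    text = template
    for name, path in input_path.items():
        text = text.replace(f"<{name}>", str(_resolve(event, path)))
    return text


def with_severity(severity):
    """Copy of the sample event with a different severity, to exercise the filter."""
    event = json.loads(json.dumps(SAMPLE_EVENT))
    event["detail"]["severity"] = severity
    return event


if __name__ == "__main__":
    for sev in (2, 4, 4.5, 8.9, 9):
        print(sev, event_matches(PAGE_PATTERN, with_severity(sev)),
              event_matches(COMPACT_PATTERN, with_severity(sev)))
    if event_matches(PAGE_PATTERN, SAMPLE_EVENT):
        print(render_notification(SAMPLE_EVENT))
```

Running the script prints, for each trial severity, whether the enumerated and the numeric pattern match (2 and 9 are rejected by both, 4, 4.5 and 8.9 accepted by both), followed by the rendered email body for the sample finding. The numeric form is the one to prefer in a real rule: it cannot accidentally drop a value, and it stays correct if the severity list above is ever edited by hand.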


8. Configure Rule Details

    1. Name your Rule definition.
    2. Tick the “Enabled” box under state. 
    3. Create Rule.


9. Populate GuardDuty with sample findings

    1. Head over to Settings.
    2. Under “Sample Findings”, click “Generate Sample Findings”.
    3. GuardDuty sends new findings to CloudWatch Events within 5 minutes, so in this case you should receive the email about 5 minutes after you generate the sample findings.


10. You will receive an email from AWS regarding the findings of GuardDuty.


In this tutorial, you have enabled Amazon GuardDuty, created an SNS topic and subscription, and configured a CloudWatch Events rule that will send a message to the SNS topic depending on the results of GuardDuty. You can adjust the CloudWatch rule and the target SNS configuration depending on your requirements. 

In the next tutorial, we will discuss how to manage Amazon GuardDuty security findings across multiple accounts.



Written by: Matt Hidalgo

Matt is a Solutions Architect for a managed services provider that specializes in AWS and Azure. After graduating from college with a degree in Geology, he decided to switch careers and self-taught himself with AWS and Azure. Matt specializes in the migration and deployment of workloads to AWS and Azure with 3 years of experience.
