Amazon GuardDuty is an intelligent threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to continuously monitor AWS accounts, workloads, and data stored in services like S3. It automatically identifies potential threats such as unauthorized access, data exfiltration, or malware, and provides actionable security findings to help protect your environment.
In this Cloud Lab, you’ll build a complete malware detection and response workflow using Amazon GuardDuty Malware Protection. The goal is to scan uploaded files, remove malicious objects, notify users, and securely transfer clean files for use.
You’ll start by creating two Amazon S3 buckets: one for raw file uploads (to be scanned) and one for clean files (malware-free data). Next, you’ll configure Amazon GuardDuty to automatically scan new files in the raw bucket. After that, you’ll create an Amazon SNS topic with an email subscription to deliver real-time alerts when malware is detected. Then you’ll build a Lambda function that processes GuardDuty findings: if malware is detected, the file is deleted and an SNS notification is sent; if no malware is detected, the file is copied to the clean bucket for safe usage. Finally, you’ll define an Amazon EventBridge rule to automatically invoke the Lambda function whenever GuardDuty generates a finding, ensuring your workflow is fully automated and event-driven.
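The Lambda step above, as an added example that is not part of the lab's own code: the handler reads a GuardDuty Malware Protection for S3 scan-result event from EventBridge, deletes and notifies on a threat, copies a verified-clean object to the clean bucket, and (going one step beyond the lab text) holds any object whose scan did not complete cleanly rather than treating it as clean. The event field names, the `SNS_TOPIC_ARN` and `CLEAN_BUCKET` environment variables, and the sample event are assumptions.

```python
import json
import os

# Constructed sample of a GuardDuty Malware Protection for S3 scan-result event
# as delivered by EventBridge (field names assumed; verify against a real event).
SAMPLE_THREAT_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "detail": {
        "s3ObjectDetails": {"bucketName": "raw-uploads", "objectKey": "report.pdf",
                            "versionId": "v1"},
        "scanResultDetails": {"scanResultStatus": "THREATS_FOUND",
                              "threats": [{"name": "EICAR-Test-File"}]},
    },
}

def decide(event):
    """Map a scan-result event to an action. Only an explicit NO_THREATS_FOUND
    is treated as clean; UNSUPPORTED/FAILED/ACCESS_DENIED results are held."""
    detail = event.get("detail", {})
    obj = detail.get("s3ObjectDetails", {})
    bucket, key = obj.get("bucketName"), obj.get("objectKey")
    if not bucket or not key:
        raise ValueError("event carries no s3ObjectDetails")
    result = detail.get("scanResultDetails", {})
    status = result.get("scanResultStatus")
    plan = {"bucket": bucket, "key": key, "version_id": obj.get("versionId"),
            "status": status, "threats": [t.get("name", "?") for t in result.get("threats") or []]}
    if status == "THREATS_FOUND":
        plan["action"] = "delete_and_notify"
    elif status == "NO_THREATS_FOUND":
        plan["action"] = "copy_to_clean"
    else:
        plan["action"] = "hold"  # leave in the raw bucket for manual review
    return plan

def lambda_handler(event, context):
    import boto3  # imported here so decide() stays testable without the SDK
    plan = decide(event)
    s3, sns = boto3.client("s3"), boto3.client("sns")
    ver = {"VersionId": plan["version_id"]} if plan["version_id"] else {}
    if plan["action"] == "delete_and_notify":
        s3.delete_object(Bucket=plan["bucket"], Key=plan["key"], **ver)
        sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                    Subject="Malware removed from raw bucket",
                    Message=json.dumps(plan, indent=2))
    elif plan["action"] == "copy_to_clean":
        s3.copy_object(Bucket=os.environ["CLEAN_BUCKET"], Key=plan["key"],
                       CopySource={"Bucket": plan["bucket"], "Key": plan["key"], **ver})
    return plan
```

The Lambda execution role needs `s3:DeleteObject` (and `s3:DeleteObjectVersion` if the raw bucket is versioned) on the raw bucket, `s3:GetObject` on the raw bucket plus `s3:PutObject` on the clean bucket for the copy, and `sns:Publish` on the topic.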
By the end of this Cloud Lab, you will have created a serverless security automation pipeline that detects malware in S3 buckets, removes infected files, alerts stakeholders, and safely moves clean data—leveraging Amazon GuardDuty, Lambda, EventBridge, SNS, and S3.
The following is the high-level architecture diagram of the infrastructure you’ll create in this Cloud Lab: