Skip to content

Module 1: Environment build and configuration

In this first module you will be configuring detective and responsive controls for your environment. You will be running the first of two CloudFormation templates which will automate the creation of some of these controls and then you will manually configure the rest. Log into the AWS Console if you have not done so already.


  1. Run the initial CloudFormation Template – 5 min
  2. Confirm SNS subscription in your email - 1 min
  3. Create a CloudWatch Rule - 5 min
  4. Manually Enable detective controls - 5 min

Enable Amazon GuardDuty

Our first step is to enable Amazon GuardDuty, which will continuously monitor your environment for malicious or unauthorized behavior.

  1. Go to the Amazon GuardDuty console (us-west-2).
  2. If the Get Started button is available, click it. If not GuardDuty is enabled and skip step three.
  3. On the next screen click the Enable GuardDuty button.

GuardDuty is now enabled and continuously monitoring your CloudTrail logs, VPC flow logs, and DNS Query logs for threats in your environment.

Deploy the AWS CloudFormation template

To initiate the scenario and configure your environment you will need to run the module 1 CloudFormation template:

Before you deploy the CloudFormation template feel free to view it here.

Region Deploy
US West 2 (Oregon) Deploy Module 1 in us-west-2
  1. Click the Deploy to AWS button above. This will automatically take you to the console to run the template, click Next to get to the Specify Details page.

  2. On the Specify Details section enter the necessary parameters as shown below.

    Parameter Value
    Stack name ThreatDetectionWksp-Env-Setup
    Email Address Any valid email address you have access to
  3. Once you have entered your parameters click Next,

  4. Click Next again. (leave everything on this page at the default)

  5. Finally, scroll down and check the box to acknowledge that the template will create IAM roles and click Create.

IAM Capabilities

This will bring you back to the CloudFormation console. You can refresh the page to see the stack starting to create. Before moving on, make sure the stack is in a CREATE_COMPLETE status as shown below.

Stack Complete

Do not forget to check your email!

You will get an email from SNS asking you to confirm the Subscription. Confirm the subscription so you can receive email alerts from AWS services during the workshop. The email may take 2-3 minutes to arrive, check your spam/junk folder if it doesn’t arrive within that timeframe.

Setup Amazon CloudWatch event rules and automatic response

The CloudFormation template you just ran created CloudWatch Event Rules for alerting and response purposes. The steps below will walk you through creating the final rule. After this you'll have rules in place to receive email notifications and trigger AWS Lambda functions to respond to threats.

Below are steps to create a rule through the console but you can also find out more about doing it programmatically by reviewing the Amazon GuardDuty Documentation.

  1. Open the CloudWatch console (us-west-2)
  2. In the navigation pane on the left, under Events, click Rules

    What are the current Rules in place setup to do?

  3. Click Create Rule

  4. Select Event Pattern click the dropdown labeled Build event pattern to match events by service and select Custom event pattern in the drop down.

Copy and paste in the custom event pattern below:

  "source": [
  "detail": {
    "type": [
  1. For Targets, click Add Target, select Lambda Function, and then select threat-detection-wksp-remediation-nacl. Click Configure details at the bottom.

  2. On the Configure rule details screen fill out the Name and Description (suggestions below).

    • Name: threat-detection-wksp-guardduty-finding-ec2-maliciousip
    • Description: GuardDuty Finding: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
  3. Click Create rule. Optional: Consider examining the Lambda function to see what it does. Open the Lambda console. Click on the function named threat-detection-wksp-remediation-nacl

    What will the function do when invoked?

Enable AWS Security Hub

Now that all of your detective controls have been configured you need to enable AWS Security Hub, which will provide you with a comprehensive view of the security and compliance of your AWS environment.

  1. Go to the AWS Security Hub console.
  2. If the Get Started button is available, click it. If not Security Hub is enabled and skip step three.
  3. On the next screen click the Enable AWS Security Hub button.

If you see red text AWS Config is not enabled on some accounts in the Security Hub Console, you can safely ignore for this workshop.

AWS Security Hub is now enabled and will begin collecting and aggregating findings from the security services we have enabled so far.

Architecture overview

Your environment is now configured and ready for operations. Below is a diagram to depict the detective controls you now have in place.

Detective Controls

After you have successfully setup your environment, you can proceed to the next module.