Automatically block suspicious traffic with AWS Network Firewall and Amazon GuardDuty

According to the AWS Security Incident Response Guide, security response automation lets you increase both the scale and the effectiveness of your security operations. Automation also allows you to adopt a more proactive approach to securing your workloads on AWS. For instance, rather than spending time manually reacting to security alerts, you can instead focus on activities such as enhancing application security layers and improving your security program.

In this blog post, we'll demonstrate how to use AWS Network Firewall (https://aws.amazon.com/network-firewall/) to automatically respond to potential security events in your Amazon Web Services (AWS) environment that are detected by Amazon GuardDuty (https://aws.amazon.com/guardduty/). The goal is to rapidly contain the impact of security events, while providing more time for follow-up investigation.

By encoding the response steps with services like AWS Lambda and AWS Step Functions, your response time can be reduced to minutes or even seconds. This is in contrast to manual response, which can often take hours or longer. This blog post provides an example of using automation to scale your security operations in the cloud.

When you plan responses to security events, it's a best practice to document your response procedures in runbooks. Runbooks detail the process steps and the order in which the steps are completed. Steps can be either manual, or expressed in code and automated; implementing at least some of the steps in code ensures that those steps are carried out consistently.

Solution overview

The automation example we provide in this blog post focuses on blocking traffic to and from suspicious remote hosts, for example IP addresses associated with known command and control servers for botnets. GuardDuty detection of unintended communication with remote hosts triggers a series of steps, including blocking of network traffic to those hosts by using Network Firewall, and notification of security operators.

Figure 1: High-level solution overview

The following are the key building blocks in this blog post:

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your virtual private clouds (VPCs). The service scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic. In addition to inbound traffic filtering, Network Firewall provides URL, IP address, and domain-based outbound traffic filtering to help you meet compliance requirements, prevent unintended access to data, and block communication to unauthorized remote hosts.

There are three main components of Network Firewall:

  • Rule group – Holds a reusable collection of criteria for inspecting traffic and for handling packets and traffic flows that match the inspection criteria. The solution in this blog post automatically adds rules to a stateless rule group when suspicious communication is detected. A periodic pruning process automatically removes rules from that rule group after a specified retention period.
  • Firewall policy – Defines a reusable set of stateless and stateful rule groups, along with some policy-level behavior settings. You can use the rule group managed by this solution as part of one or more firewall policies.
  • Firewall – Connects the inspection rules in the firewall policy to the VPC that the rules protect.

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes data from Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, DNS logs, AWS CloudTrail management events, and AWS CloudTrail S3 data events. Based on this data, GuardDuty provides analysis and detection by using threat intelligence feeds, signatures, anomaly detection, and machine learning in the AWS Cloud. In this solution, it is the detection of threats by GuardDuty that triggers the automated remediation procedure documented in this post.

AWS Step Functions is a serverless orchestration service that lets you combine AWS Lambda functions and other AWS services to build business-critical applications. This solution uses Step Functions and Lambda functions to make sure that the incident response steps run in the correct order. Step Functions also provides retry and error-handling logic, while the Lambda functions interact with the networking controls to block traffic, and with a database to store data about blocked remote IP addresses.

How it works

Figure 2 shows the automated remediation workflow in detail.

Figure 2: Detailed workflow diagram: Automatically block suspicious traffic with Network Firewall and GuardDuty

The solution is implemented as follows:

  1. GuardDuty detects unexpected behavior that involves a remote host IP address. GuardDuty generates a finding, in JSON format, that includes details such as the EC2 instance ID involved (if applicable), account information, type of attack, remote IP, and other details. Following is a sample finding (some fields removed for brevity).

    {
      "schemaVersion": "2.0",
      "accountId": "123456789012",
      "id": "0123442370ea5fc5c29aa8a8e72abcde",
      "type": "Backdoor:EC2/C&CActivity.B",
      "service": {
        "serviceName": "guardduty",
        "action": {
          "actionType": "NETWORK_CONNECTION",
          "networkConnectionAction": { "remoteIpDetails": { "ipAddressV4": "" } }
        }
      }
    }

  2. Security Hub (https://aws.amazon.com/security-hub) ingests the finding generated by GuardDuty and consolidates it with findings from other AWS security services. Security Hub also publishes the contents of the finding to the default bus in Amazon EventBridge (https://aws.amazon.com/eventbridge/). Following is a snippet from the sample event published to Amazon EventBridge.

    {
      "id": "12345abc-ca56-771b-cd1b-710550598e37",
      "detail-type": "Security Hub Findings - Imported",
      "source": "aws.securityhub",
      "account": "123456789012",
      "time": "2021-01-05T01:20:33Z",
      "region": "us-east-1",
      "detail": {
        "findings": [
          {
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "Types": ["Software and Configuration Checks/Backdoor:EC2.C&CActivity.B"],
            "LastObservedAt": "2021-01-05T01:15:01.549Z",
            "ProductFields": {
              "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": ""
            }
          }
        ]
      }
    }

  3. EventBridge has a rule with an event pattern that matches GuardDuty events that contain the remote IP address. When an event matching the pattern is published on the default bus, EventBridge routes that event to the designated target, in this case a Step Functions state machine. Following is a snippet of AWS CloudFormation code that defines the EventBridge rule.

    # EventBridge Event Rule - For Security Hub event published to EventBridge:
    SecurityHubFindingEventRule:   # logical ID not shown in the original snippet; chosen here
      Type: "AWS::Events::Rule"
      Properties:
        Description: "Security Hub GuardDuty findings with remote IP"
        EventPattern:
          source:
            - aws.securityhub
          detail:
            findings:
              ProductFields:
                aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4:
                  - "exists": true
        State: "ENABLED"
        Targets:
          - Arn: !GetAtt GuardDutytoFirewallStateMachine.Arn
            RoleArn: !GetAtt GuardDutytoFirewallStateMachineEventRole.Arn
            Id: "GuardDutyEvent-StepFunctions-Trigger"





  4. The Step Functions state machine ingests the details of the Security Hub finding published in EventBridge and orchestrates the remediation response through a defined workflow. Figure 3 shows a graphical depiction of the state machine workflow.

    Figure 3: AWS Step Functions state machine workflow





  5. The first step in the state machine, "Report IP in DB," invokes a Lambda function that creates a record in an Amazon DynamoDB table with important details, such as the IP of the suspected malicious host and the timestamp of the last activity. The pruning state machine (discussed in the "Pruning of old records" section of this blog) uses that timestamp to remove stale entries from Network Firewall. Following is an example item saved in the DynamoDB table (the CreatedAt field is a timestamp in Unix epoch time).

    Figure 4: DynamoDB table entry





  6. The next step, "Block Traffic," invokes a Lambda function that updates the Network Firewall rule group with a stateless rule blocking traffic to the remote IP address. Following is an example of a stateless rule that could be added to the Network Firewall rule group.

    Figure 5: Sample rules in a Network Firewall rule group

    If this step runs successfully, the state machine progresses to the "Notify Success" step.




  7. The "Notify Success" step of the state machine uses an Amazon Simple Notification Service (Amazon SNS) topic to publish a message that the automated remed

    From: AWS Notifications <no-reply@sns.amazonaws.com>
    Subject: AWS Notification Message





  8. If there is a failure in the "Report IP" or "Block Traffic" steps, the state machine runs the "Notify Failure" step. The state machine publishes a message on the SNS topic that the automated remediation workflow has failed to complete and that manual intervention may be required.

    From: AWS Notifications <no-reply@sns.amazonaws.com>
    Subject: AWS Notification Message
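As an added example (not code from the post or its GitHub repository), the following Python shows what the EventBridge rule and the state machine's first step have to agree on: which Security Hub events qualify, and which fields of a finding become the HostIp/FindingId/Timestamp/AccountId/Region input that the SNS notification later echoes back. The sample event, finding IDs and addresses are constructed, and the refusal to block private or link-local addresses is a safeguard assumed here, not something the page describes.

```python
import ipaddress

# ProductFields key that the EventBridge rule tests with an "exists" matcher.
REMOTE_IP_FIELD = (
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4"
)

# Constructed sample event in the shape Security Hub publishes to the default bus.
# IDs and addresses are placeholders, not real findings.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {"findings": [
        {"Id": "finding-c2-activity",          # qualifies: public remote IP present
         "LastObservedAt": "2021-01-05T01:15:01.549Z",
         "ProductFields": {REMOTE_IP_FIELD: "198.51.100.23"}},
        {"Id": "finding-no-remote-ip",         # no remote IP field at all
         "LastObservedAt": "2021-01-05T01:16:00.000Z",
         "ProductFields": {"aws/guardduty/service/count": "3"}},
        {"Id": "finding-internal-peer",        # matches the rule, but is a private peer
         "LastObservedAt": "2021-01-05T01:17:00.000Z",
         "ProductFields": {REMOTE_IP_FIELD: "10.0.0.5"}},
    ]},
}

# Ranges a firewall block list should never receive (assumed safeguard): RFC 1918,
# loopback, link-local, "this network" and multicast.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def matches_rule(event):
    """Mirror the EventBridge pattern: source aws.securityhub, and at least one
    finding carrying REMOTE_IP_FIELD ("exists": true on an array means any element)."""
    if event.get("source") != "aws.securityhub":
        return False
    findings = event.get("detail", {}).get("findings", [])
    return any(REMOTE_IP_FIELD in f.get("ProductFields", {}) for f in findings)


def blockable(ip_text):
    """True for a syntactically valid IPv4 address outside the never-block ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in _NEVER_BLOCK)


def remediation_inputs(event):
    """One Step Functions input per qualifying finding, in the shape the SNS message shows."""
    if not matches_rule(event):
        return []
    inputs = []
    for finding in event["detail"]["findings"]:
        ip_text = finding.get("ProductFields", {}).get(REMOTE_IP_FIELD, "")
        if not blockable(ip_text):
            continue  # no key, malformed value, or an address we refuse to block
        inputs.append({"HostIp": ip_text, "FindingId": finding.get("Id"),
                       "Timestamp": finding.get("LastObservedAt"),
                       "AccountId": event["account"], "Region": event["region"]})
    return inputs
```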



Now that you know how the solution works, you can begin testing it in your AWS account.

Solution deployment

Setting up this solution consists of the following steps:

  1. Verify prerequisites in your AWS account.
  2. Deploy the CloudFormation template.
  3. Create a test Security Hub event.
  4. Confirm the entry in the Network Firewall rule group.
  5. Confirm the SNS notification.
  6. Apply the rule group to resources by using Network Firewall.

Step 1: Verify prerequisites in your AWS account

The sample solution provided in this blog post requires that you activate both GuardDuty and Security Hub in your AWS account. If either of the services isn't activated in your account, follow these steps:

Note: The solution is designed to be used in an existing Network Firewall configuration. Although you can test this solution's automated remediation actions without creating a firewall through Network Firewall, you will need one to fully implement the solution. You can learn more about Network Firewall concepts (https://aws.amazon.com/blogs/aws/aws-network-firewall-new-managed-firewall-service-in-vpc/) and getting started (https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html#getting-started-prerequisites) in the documentation.

Step 2: Deploy the AWS CloudFormation template

For this step, make sure you deploy the template in the AWS account and AWS Region where you want to monitor GuardDuty findings.

To deploy the CloudFormation stack

    1. Choose the Launch Stack button to launch a CloudFormation stack in your account.

Note: The stack will launch in the N. Virginia (us-east-1) Region. It takes approximately 15 minutes for the CloudFormation stack to complete. To deploy this solution into other AWS Regions, download the solution's CloudFormation template and deploy it to the selected Region. Network Firewall isn't available in all Regions. For more information about where it's available, see the list of service endpoints.

  1. In the AWS CloudFormation console, choose the Select Template form, and choose Next.
  2. On the Specify Details page, provide the following input parameters. You can modify the default values to customize the solution for your environment.

    Insight parameterInsight parameter explanationAdminEmailThe e-mail address to get notifications. Should be a valid email. There is absolutely no default worth.RulegroupPriorityThe priority that’ll be useful for rules added by this treatment for a System Firewall rule group. Decide on a worth that won’t conflict with guidelines that are entered beyond this answer. The default worth will be 30000.RulegroupCapacityThe default value is 2000. Remember that each blocking guideline created by this remedy uses two models of capacity. To learn more, notice Rule team capacity within AWS Network Firewall.RetentionJust how long to retain IP addresses within the block listing (within the rule team). The default is 720 minutes (12 hrs).PruningFrequencyHow usually the pruning state device acts to eliminate old information from the block checklist in the rule team. The default will be every a quarter-hour. 

    Figure 6 shows an example of the values entered on the Parameters screen.

    Figure 6: Sample AWS CloudFormation stack parameters

  3. After you've entered values for all of the input parameters, choose Next.
  4. On the Options page, keep the defaults, and choose Next.
  5. On the Review page, in the Capabilities section, select the check box next to "I acknowledge that AWS CloudFormation might create IAM resources." and choose Create.
    Figure 7: AWS CloudFormation capabilities acknowledgement

  6. While the stack is being created, check the email inbox that corresponds to the value you gave for the AdminEmail parameter. Look for an email message with the subject "AWS Notification – Subscription Confirmation." Choose the link to confirm the subscription to the SNS topic. You should see a confirmation message like the following.
    Figure 8: Sample Amazon SNS subscription confirmation

After the Status field for the CloudFormation stack changes to CREATE_COMPLETE, as shown in Figure 9, the solution is implemented and is ready for testing.

Figure 9: AWS CloudFormation stack completed deployment

Step 3: Create a test Security Hub event

After the CloudFormation stack has completed deployment, you can test the functionality by creating a test event in the same format as would be published by Security Hub.

To create a test run of the solution

  1. In the AWS Management Console, choose Services > CloudFormation > NetworkFW-GDuty-Demo stack.
  2. In the Outputs tab for the stack, look for the GuardDutytoFirewallStateMachine entry. It should look like the following screenshot.
    Figure 10: AWS CloudFormation stack outputs

  3. Choose the link in the entry. You'll be redirected to the Step Functions console, with the state machine already open, similar to the following screenshot. Choose Start execution.
    Figure 11: AWS Step Functions state machine

  4. To facilitate testing, we've provided a test event file. On the Start execution page, in the Input section, paste the provided test event JSON file.
  5. Around line 55, find the eventLastSeen field and edit the timestamp to the current time in the UTC+0 time zone. Note the IP address for the remote host identified in the GuardDuty finding on line 44 of the test event. The solution should block traffic from that IP address in the next steps.
    Figure 12: Sample input for the Step Functions state machine execution

  6. Choose Start execution to begin the processing of the test event.
  7. You can now track the state machine's processing of the test event. The processing should complete within a few seconds. You can select different steps in the visual Graph inspector to see input and output data. The following example shows the input to the Block Traffic step that launches a Lambda function that interacts with Network Firewall.
    Figure 13: The Step Functions state machine step details

Step 4: Confirm the entry in the Network Firewall rule group

Now that a test event has been processed by the state machine, you can check whether the Network Firewall rule group would block traffic to the remote IP identified in the GuardDuty finding.

To validate entries in the Network Firewall rule group

  1. In the AWS Management Console, choose Services, and choose VPC. In the Network Firewall section in the left navigation bar, choose Network Firewall rule groups.
  2. Choose the rule group created by the solution.
    Figure 14: Choosing the Network Firewall rule group

  3. Confirm that the rules blocking the traffic from the source and to the destination IP address that you specified in the test event were created. The rule group list should look like the following screenshot.
    Figure 15: Verifying entries in the Network Firewall rule group

Step 5: Confirm the SNS notification

In this step, you'll view the SNS notification that was sent to the email address you set up.

Review the email inbox for the value you provided for the AdminEmail parameter and look for a message with the subject line "AWS Notification Message." The contents of the message from Amazon SNS should be like the following.

    {"Blocked":"true","Input":{"HostIp":"","FindingId":"cab084b3-6241-d898-ebc4-8a04d4a839a5","Timestamp":"2020-12-13T16:25:14.621Z","AccountId":" 123456789012","Region":"us-east-1"}}

Step 6: Apply the rule group to resources by using Network Firewall

The final task is to associate the rule group, through the firewall policies it is attached to, with the Network Firewall firewalls that you want this solution to update automatically. To learn how to do that task, see Firewall policies in AWS Network Firewall.

Once you have a properly constructed firewall policy, you can apply it to Network Firewall to protect resources in your VPCs. See Deployment models for AWS Network Firewall to explore options for integrating Network Firewall with a number of different network architecture patterns.

Congratulations! You've successfully deployed and tested the automated remediation by using GuardDuty and Network Firewall. To fully implement this solution, you need to add the rule group to a Network Firewall configuration in a VPC. If you haven't deployed Network Firewall yet, you can learn about concepts and getting started in the Network Firewall documentation.

Pruning of old records

A pruning state machine runs periodically to clear out old records from the block list. It removes records from both the DynamoDB table and the Network Firewall rule group. The retention period and the frequency of the pruning operation are configurable by using input parameters for the CloudFormation stack. If you review previous runs of the pruning state machine, you should see a Graph inspector diagram like the following.

Figure 16: The Step Functions pruning state machine flow
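The following Python is an added example, not code from the post or its GitHub repository, of the two rule-group edits the state machines make: the "Block Traffic" step adding a source and a destination drop rule for a host (the two rules per host that Figure 5 shows and that the RulegroupCapacity note counts as two units), and the pruning state machine removing the rules for hosts whose DynamoDB CreatedAt timestamp is older than the Retention parameter. The function names, the priority allocation and the UpdateToken read-modify-write helper are assumptions; the rule JSON shape is the Network Firewall stateless rule structure.

```python
import time

BASE_PRIORITY = 30000   # RulegroupPriority stack parameter default
MAX_PRIORITY = 65535    # highest stateless rule priority Network Firewall accepts


def _rules(rule_group):
    """The StatelessRules list inside a Network Firewall RuleGroup structure."""
    return rule_group["RulesSource"]["StatelessRulesAndCustomActions"].setdefault("StatelessRules", [])


def rule_ip(rule):
    """Host address a block rule was written for (either direction), without the /32."""
    attrs = rule["RuleDefinition"]["MatchAttributes"]
    addr = (attrs.get("Sources") or attrs.get("Destinations") or [{}])[0]
    return addr.get("AddressDefinition", "").split("/")[0]


def block_rules_for(ip, priority):
    """Two stateless drop rules, traffic from the host and traffic to it, as in Figure 5."""
    cidr = {"AddressDefinition": f"{ip}/32"}

    def drop(match):
        return {"MatchAttributes": match, "Actions": ["aws:drop"]}
    return [{"Priority": priority, "RuleDefinition": drop({"Sources": [cidr]})},
            {"Priority": priority + 1, "RuleDefinition": drop({"Destinations": [cidr]})}]


def _free_priority(rules):
    """Lowest unused priority pair at or above BASE_PRIORITY, so slots freed by
    pruning are reused instead of climbing toward MAX_PRIORITY (assumed strategy)."""
    used = {r["Priority"] for r in rules}
    p = BASE_PRIORITY
    while p in used or p + 1 in used:
        p += 1
    if p + 1 > MAX_PRIORITY:
        raise ValueError("no free priority pair below MAX_PRIORITY")
    return p


def add_block(rule_group, ip):
    """Block Traffic step: add the pair for ip; a rerun on an IP already present is a no-op."""
    rules = _rules(rule_group)
    if any(rule_ip(r) == ip for r in rules):
        return False
    rules.extend(block_rules_for(ip, _free_priority(rules)))
    return True


def remove_block(rule_group, ip):
    """Pruning step: drop every rule written for ip; returns how many were removed."""
    rules = _rules(rule_group)
    kept = [r for r in rules if rule_ip(r) != ip]
    rule_group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"] = kept
    return len(rules) - len(kept)


def expired_hosts(items, retention_minutes, now=None):
    """HostIp values from DynamoDB items whose CreatedAt (Unix epoch seconds) is past retention."""
    now = time.time() if now is None else now
    cutoff = now - retention_minutes * 60
    return [item["HostIp"] for item in items if float(item["CreatedAt"]) < cutoff]


def apply_change(client, rule_group_arn, mutate):
    """Read-modify-write with the UpdateToken, so a concurrent edit is rejected by the
    service instead of silently overwritten. client is a boto3 'network-firewall' client."""
    current = client.describe_rule_group(RuleGroupArn=rule_group_arn)
    rule_group = current["RuleGroup"]
    if not mutate(rule_group):
        return False
    client.update_rule_group(UpdateToken=current["UpdateToken"],
                             RuleGroupArn=rule_group_arn, RuleGroup=rule_group)
    return True
```

Use `apply_change(client, arn, lambda rg: add_block(rg, host))` for a block and `lambda rg: remove_block(rg, host) > 0` for each address returned by `expired_hosts`.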



You've learned how to integrate AWS Network Firewall and Amazon GuardDuty for automated remediation of security events. You can use this sample solution to automatically block communication to suspicious hosts discovered by GuardDuty, and you can apply those blocks across all configured Network Firewall firewalls in your account.

All the code for this solution is available on GitHub. Feel free to experiment with the code; we hope it helps you learn about automated security remediation. You can adjust the code to better fit your specific environment or extend it with additional steps. For instance, you could modify the solution to use a stateful rule group to enable logging of traffic filtering, or you could add a step to create a ticket in an incident management system for better tracking and documentation of the incident response process.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about using this solution, start a thread in the Network Firewall or GuardDuty forums, or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

