
🔐Project 7: Automated Threat Containment in AWS – Building a Cloud-Native SOAR Workflow

Cyber Security Engineer skilled in AWS, Palo Alto, GRC and Healthcare Management

Modern cloud security is not about alerts.

It’s about automated response.

In this project, I built a Cloud-native SOAR workflow that:

  • Detects high-severity threats

  • Automatically isolates an EC2 instance

  • Sends security notifications

  • Requires zero human intervention

This article walks through the architecture, implementation, and lessons learned.

🏗 Architecture Overview

Flow:

GuardDuty → EventBridge → Lambda → EC2 Isolation → SNS Alert

Services used:

  • Amazon GuardDuty (Threat detection)

  • Amazon EventBridge (Event routing)

  • AWS Lambda (Automated remediation)

  • Amazon EC2 (Target resource)

  • Amazon SNS (Notification)


Launch Test EC2 Instance

I launched a test EC2 instance that would act as the “victim”.

This instance had:

  • Public IP

  • SSH open (for simulation)

  • Default security group (soar-test-sg)

This is the asset that automation will isolate.

Enable GuardDuty

GuardDuty was enabled in the region to start monitoring.

GuardDuty analyzes:

  • CloudTrail logs

  • VPC Flow Logs

  • DNS logs

For testing, I generated a sample high-severity finding.

This produced a finding of type:

CryptoCurrency:EC2/BitcoinTool.B!DNS

A high-severity finding, which makes it a good candidate for automated containment.

Create Quarantine Security Group

Instead of terminating the instance, I implemented containment.

The quarantine SG:

  • No inbound rules

  • No outbound rules

This ensures full network isolation.

Create Lambda Remediation Function

Lambda is the core of the automation.

IAM Role attached:

The Lambda function:

  • Identifies the EC2 instance

  • Replaces its Security Group with the quarantine SG

  • Publishes alert to SNS

Key logic:

```python
# Replace every security group attached to the instance with the
# quarantine SG (no inbound, no outbound), cutting it off from the network.
ec2.modify_instance_attribute(
    InstanceId=instance_id,
    Groups=[quarantine_sg_id]
)
```

This is the containment action.
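As an added example (not the article's own Lambda code), the handler below implements the three steps described above: it extracts the instance id from the GuardDuty finding that EventBridge delivers, swaps the security groups for the quarantine SG, and publishes the outcome to SNS. It also covers the sample-finding case from the lessons learned section: a synthetic instance id makes the EC2 call fail, and the failure is reported in the SNS alert instead of being dropped. The environment variable names, the placeholder SG id and topic ARN, and the injectable clients (so the logic runs without AWS credentials) are assumptions.

```python
import json
import os

# Assumed configuration, read from Lambda environment variables (names are assumptions).
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-QUARANTINE-PLACEHOLDER")
SNS_TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")
MIN_SEVERITY = 7.0  # mirrors the EventBridge rule's ">= 7" severity filter


def extract_instance_id(event):
    """Return the EC2 instance id from a GuardDuty finding delivered via EventBridge,
    or None when the finding's resource is not an EC2 instance."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def contain_instance(event, ec2=None, sns=None):
    """Move the finding's instance into the quarantine SG and publish an SNS alert.
    ec2/sns clients are injectable so the logic can be exercised offline."""
    if ec2 is None or sns is None:
        import boto3  # only needed when running inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        sns = sns or boto3.client("sns")
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    instance_id = extract_instance_id(event)
    result = {"findingType": detail.get("type"), "instanceId": instance_id,
              "severity": severity, "action": "skipped"}
    if severity < MIN_SEVERITY or instance_id is None:
        return result  # below threshold or not an EC2 finding: nothing to isolate
    try:
        # Containment action: replaces all attached SGs with the quarantine SG.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG_ID])
        result["action"] = "isolated"
    except Exception as exc:  # e.g. InvalidInstanceID.NotFound for a sample finding's synthetic id
        result["action"] = "failed"
        result["error"] = str(exc)
    # Alert on both success and failure so a broken remediation is never silent.
    sns.publish(TopicArn=SNS_TOPIC_ARN,
                Subject=f"GuardDuty containment: {result['action']}",
                Message=json.dumps(result))
    return result


def lambda_handler(event, context):
    return contain_instance(event)
```

The Lambda's execution role needs ec2:ModifyInstanceAttribute on the target instance and sns:Publish on the topic, otherwise the handler reports a failed action.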

Create SNS Notification Channel

SNS topic created for alerts.

Whenever remediation executes, an alert is sent.

Configure EventBridge Rule

EventBridge listens for high-severity GuardDuty findings.

Trigger configuration:

Rule filters:

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{
      "numeric": [">=", 7]
    }]
  }
}
```

Final rule configuration:

This connects GuardDuty events to the Lambda function.

End-to-End Validation

When a high-severity finding was generated:

  1. EventBridge triggered Lambda

  2. Lambda executed successfully

  3. Security group changed automatically

Isolation proof:

The EC2 instance was automatically moved to the quarantine security group.

No human intervention required.

CloudWatch Logs Live Tail shows the Lambda logs.

What This Project Demonstrates

Event-Driven Security Automation

Detection alone is not enough.
Automated response reduces MTTR significantly.

Cloud-Native SOAR Without Expensive Tools

Using managed services, you can build:

  • Detection

  • Orchestration

  • Response

  • Alerting

Without third-party platforms.

Containment Strategy Over Destruction

Instead of deleting instances:

  • Isolate

  • Investigate

  • Preserve forensic value

Lessons Learned (Real Ones)

GuardDuty sample findings use synthetic instance IDs

Automation must handle real-world event parsing carefully.

ARN format errors break workflows silently

Incorrect SNS ARN caused publish failures.

IAM permissions are everything

Without correct policies, remediation fails.

Logging is critical

CloudWatch logs were essential to debug failures.

📊 Outcome

This lab achieved:

  • Fully automated EC2 isolation

  • High-severity event filtering

  • Serverless remediation

  • Alerting integration

  • Operational logging visibility

This is a practical Cloud SOAR implementation using AWS-native services.

🔚 Closing Thoughts

This project reinforced a simple but powerful idea:

Security in the cloud should not depend on someone noticing an alert.

It should react.

By combining GuardDuty, EventBridge, and Lambda, I moved from passive monitoring to active containment. The system detects a high-severity threat and isolates the affected resource automatically — reducing response time from minutes to seconds.

This is the shift modern cloud security requires:
from visibility → to control.

Automation is not about replacing humans.
It’s about removing delay.

Final Line:

In the cloud, speed is everything — and automated containment is the difference between detection and defense.
