Level 200: Automated Deployment of Detective Controls: Lab Guide


  • Ben Potter, Security Lead, Well-Architected

Table of Contents

  1. Deployment
  2. Knowledge Check
  3. Tear Down

1. AWS CloudFormation to configure AWS CloudTrail, AWS Config, and Amazon GuardDuty

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

Using AWS CloudFormation, we are going to configure GuardDuty, and configure alerting to your email address.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

  1. Download the latest version of the cloudtrail-config-guardduty.yaml CloudFormation template from GitHub raw, or by cloning this repository.
  2. Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/. Note: if your CloudFormation console does not look the same, you can enable the redesigned console by clicking New Console in the CloudFormation menu.
  3. Click Create stack.



  4. Enter the following details for each section:

     General
       • Stack name: The name of this stack. For this lab, use DetectiveControls.
       • CloudTrail: Enable CloudTrail Yes/No. If you already have CloudTrail enabled, select No.
       • Config: Enable Config Yes/No. If you already have Config enabled, select No.
       • GuardDuty: Enable GuardDuty Yes/No. If you already have GuardDuty enabled, select No. Note that GuardDuty will create and leave an IAM role the first time it's enabled.
       • S3BucketPolicyExplicitDeny: (Optional) Explicitly deny destructive actions to the bucket. AWS root user will be required to modify this bucket if configured.
       • S3AccessLogsBucketName: (Optional) The name of an existing S3 bucket for storing S3 access logs.

     CloudTrail
       • CloudTrailBucketName: The name of the new S3 bucket to create for CloudTrail to send logs to. IMPORTANT: Specify a bucket name that is unique.
       • CloudTrailCWLogsRetentionTime: Number of days to retain logs in CloudWatch Logs.
       • CloudTrailS3RetentionTime: Number of days to retain logs in the S3 bucket before they are automatically deleted.
       • CloudTrailEncryptS3Logs: (Optional) Use AWS KMS to encrypt logs stored in Amazon S3. A new KMS key will be created.
       • CloudTrailLogS3DataEvents: (Optional) These events provide insight into the resource operations performed on or within S3.

     Config
       • ConfigBucketName: The name of the new S3 bucket to create for Config to save config snapshots to. IMPORTANT: Specify a bucket name that is unique.
       • ConfigSnapshotFrequency: AWS Config configuration snapshot frequency.
       • ConfigS3RetentionTime: Number of days to retain logs in the S3 bucket before they are automatically deleted.

     Guard Duty
       • GuardDutyEmailAddress: An email address you own that will receive the alerts. You must have access to this address for testing.

  5. Once you have finished entering the details for the template, continue to the bottom of the page and click Next.
  6. In this lab, we won't add any tags or other options. Click Next. Tags, which are key-value pairs, can help you identify your stacks. For more information, see Adding Tags to Your AWS CloudFormation Stack.
  7. Review the information for the stack. When you're satisfied with the configuration, check I acknowledge that AWS CloudFormation might create IAM resources with custom names, then click Create stack.
  8. After a few minutes the stack status should change from CREATE_IN_PROGRESS to CREATE_COMPLETE. You have now set up detective controls to log to your buckets and retain events, giving you the ability to search history and later enable proactive monitoring of your AWS account!
  9. You should receive an email to confirm the SNS email subscription; you must confirm this. Note that because the email comes directly from GuardDuty via SNS, it will be in JSON format.
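
As an added example (not part of the lab or its CloudFormation template), the Python below reduces one of the JSON alert emails described in the last step to a short triage summary. It assumes the email body is the unmodified "GuardDuty Finding" event; the sample body, the account and instance IDs, and the function names are constructed for illustration.

```python
import json

# Constructed sample of the JSON body carried in the email (not a real finding).
SAMPLE_BODY = json.dumps({
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance is being probed.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 3},
    },
})


def severity_band(score):
    # 4.0 and 7.0 are GuardDuty's Medium and High boundaries; this example
    # labels everything from 7.0 up as High.
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def summarize_finding(body):
    """Return a triage summary, or raise ValueError for mail that is not a
    finding (for example the SNS subscription confirmation)."""
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        raise ValueError("body is not JSON") from None
    if (not isinstance(event, dict) or event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        raise ValueError("not a GuardDuty finding event")
    detail = event.get("detail", {})
    # Finding types read ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.
    purpose, _, rest = detail.get("type", "").partition(":")
    resource_type, _, family = rest.partition("/")
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {
        "account": event.get("account"), "region": event.get("region"),
        "purpose": purpose, "resource_type": resource_type, "family": family,
        "severity": severity_band(float(detail.get("severity", 0))),
        "instance_id": instance.get("instanceId"),
        "occurrences": detail.get("service", {}).get("count"),
        "title": detail.get("title"),
    }


if __name__ == "__main__":
    print(summarize_finding(SAMPLE_BODY))
```

The ValueError path keeps non-finding mail on the same topic, such as the subscription confirmation, out of the triage output.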

2. Knowledge Check

The security best practices followed in this lab are:

3. Tear down this lab

The following instructions will remove the resources that have a cost for running them.

Note: If you are planning on doing the lab 300_Incident_Response_with_AWS_Console_and_CLI, we recommend you only tear down this stack after completing that lab, as there is a dependency on AWS CloudTrail being enabled for the other lab.

Delete the stack:

  1. Sign in to the AWS Management Console, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/.
  2. Select the DetectiveControls stack.
  3. Click the Actions button then click Delete Stack.
  4. Confirm the stack and then click the Yes, Delete button.

Empty and delete the S3 buckets:

  1. Sign in to the AWS Management Console, and open the S3 console at https://console.aws.amazon.com/s3/.
  2. Select the CloudTrail bucket name you previously created without clicking the name.
  3. Click Empty bucket and enter the bucket name in the confirmation box.
  4. Click Confirm and the bucket will be emptied when the bottom task bar has 0 operations in progress.
  5. With the bucket now empty, click Delete bucket.
  6. Enter the bucket name in the confirmation box and click Confirm.
  7. Repeat steps 2 to 6 for the Config bucket you created.
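
A scripted equivalent of the empty-and-delete steps above, as an added example that is not part of the lab's own material. It assumes boto3 is installed with credentials for the lab account and that the two bucket names are passed on the command line; the function and script names are hypothetical.

```python
import sys


def empty_and_delete_bucket(s3, bucket):
    """Delete every object version and delete marker in `bucket`, then the
    bucket itself. `s3` is a boto3 S3 client. Returns the number removed."""
    removed = 0
    # list_object_versions also covers unversioned buckets ("null" version ids).
    paginator = s3.get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket):
        targets = [
            {"Key": item["Key"], "VersionId": item["VersionId"]}
            for item in page.get("Versions", []) + page.get("DeleteMarkers", [])
        ]
        if not targets:
            continue
        result = s3.delete_objects(
            Bucket=bucket, Delete={"Objects": targets, "Quiet": True}
        )
        if result.get("Errors"):
            # Stop before delete_bucket so a partial failure is visible.
            raise RuntimeError(f"could not delete: {result['Errors'][:3]}")
        removed += len(targets)
    s3.delete_bucket(Bucket=bucket)
    return removed


if __name__ == "__main__":
    import boto3  # assumed installed, with credentials for the lab account

    # Usage: python teardown_buckets.py <CloudTrail bucket> <Config bucket>
    client = boto3.client("s3")
    for name in sys.argv[1:]:
        print(name, empty_and_delete_bucket(client, name), "objects removed")
```

If S3BucketPolicyExplicitDeny was enabled when the stack was created, the parameter description above applies here too: the AWS root user is required to modify the bucket.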

References & useful resources

  • AWS CloudTrail User Guide
  • AWS CloudFormation User Guide
  • Amazon GuardDuty User Guide
  • AWS Config User Guide


Licensed under the Apache 2.0 and MITnoAttr License.

Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at


or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.