Detect, Collect, Isolate: Automated EC2 Malware Response with GuardDuty
Tags: How-To, Security


via Dev.to, Rajit Paul

Overview

It's 2 AM. GuardDuty just flagged a malware finding on one of your EC2 instances. What happens next determines whether you have a contained incident or a full-blown breach. If the answer is "someone gets paged and logs in manually" — you already have a problem.

This blog walks through building a fully automated incident response pipeline on AWS that triggers the moment GuardDuty raises a malware finding — no human in the loop, no delay. The goal is to achieve three things automatically, without any human action:

- Collect forensic evidence — capture a live memory dump, running processes, network connections, and a full EBS snapshot of the compromised instance
- Upload to S3 — preserve all artifacts in a secure, durable location before any evidence is lost
- Isolate the instance — replace its security group with a lockdown SG that cuts off all inbound and outbound network access, containing the threat immediately

The pipeline is built entirely on native AWS services — GuardDuty, Even
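The three steps above (collect, upload, isolate) as one response handler, added here as an example; it is not code from the Dev.to article. It assumes the finding arrives as an EventBridge event whose `detail` is the GuardDuty finding, that a rule-less lockdown security group already exists (`LOCKDOWN_SG_ID` is a placeholder), that an evidence bucket exists (`EVIDENCE_BUCKET` is a placeholder) and that the SSM agent is running on the instance. `FakeEc2`, `FakeSsm` and `SAMPLE_EVENT` are constructed stand-ins so the module runs offline; `lambda_handler` is where real boto3 clients would be wired in.

```python
"""Added example: GuardDuty EC2 malware finding -> collect, upload, isolate.

Assumptions (not from the article): EventBridge delivers the finding in
event["detail"]; LOCKDOWN_SG_ID and EVIDENCE_BUCKET are placeholders for
resources created ahead of time; the SSM agent is installed on the instance.
"""
import json

LOCKDOWN_SG_ID = "sg-LOCKDOWN-PLACEHOLDER"        # placeholder, pre-created SG with no rules
EVIDENCE_BUCKET = "evidence-bucket-placeholder"   # placeholder, write-once evidence bucket

# Constructed sample event in the shape EventBridge uses for GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-id-constructed",
        "type": "Execution:EC2/MaliciousFile",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0constructed0001"}},
    },
}


def instance_from_finding(event):
    """Return the instance id for an EC2 malware finding, or None otherwise."""
    detail = event.get("detail") or {}
    if not detail.get("type", "").startswith("Execution:EC2/"):
        return None  # not an EC2 malware finding; leave it to other rules
    return detail["resource"]["instanceDetails"]["instanceId"]


def respond(ec2, ssm, event, bucket=EVIDENCE_BUCKET, lockdown_sg=LOCKDOWN_SG_ID):
    """Collect volatile and disk evidence, then isolate. Returns an audit record."""
    instance_id = instance_from_finding(event)
    if instance_id is None:
        return {"action": "ignored"}
    finding_id = event["detail"]["id"]

    # 1. Volatile evidence first: SSM needs outbound network, which the lockdown
    #    SG removes. Run Command writes its output straight to the S3 bucket.
    #    A memory dump needs an acquisition tool baked into the AMI (not shown).
    cmd = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": ["ps -eo pid,ppid,user,lstart,cmd", "ss -tunap"]},
        OutputS3BucketName=bucket,
        OutputS3KeyPrefix=f"{finding_id}/{instance_id}/volatile",
    )
    # 2. Disk evidence: snapshot every attached EBS volume, tagged to the finding.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"forensic copy for GuardDuty finding {finding_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "FindingId", "Value": finding_id}]}],
        )
        snapshots.append(snap["SnapshotId"])
    # 3. Isolate: replace every SG with the lockdown SG, and record the old ones
    #    on the instance so the IR team can see what was cut off.
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[lockdown_sg])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "IncidentStatus", "Value": "isolated"},
        {"Key": "PreviousSecurityGroups", "Value": ",".join(previous)},
    ])
    return {"action": "isolated", "instance_id": instance_id,
            "command_id": cmd["Command"]["CommandId"],
            "snapshots": snapshots, "previous_sgs": previous}


class FakeSsm:
    """Constructed stand-in for the boto3 SSM client (records calls, no AWS)."""
    def __init__(self):
        self.calls = []

    def send_command(self, **kw):
        self.calls.append(kw)
        return {"Command": {"CommandId": "cmd-constructed"}}


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client with one two-volume instance."""
    def __init__(self):
        self.groups, self.tags, self.snaps = ["sg-web", "sg-ssh"], {}, []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": g} for g in self.groups],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-root"}},
                                    {"Ebs": {"VolumeId": "vol-data"}}]}]}]}

    def create_snapshot(self, VolumeId, **kw):
        sid = f"snap-{VolumeId}"
        self.snaps.append(sid)
        return {"SnapshotId": sid}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups = list(Groups)
        return {}

    def create_tags(self, Resources, Tags):
        self.tags.update({t["Key"]: t["Value"] for t in Tags})
        return {}


def lambda_handler(event, context=None):
    """Lambda entry point: wires in real clients (boto3 import kept lazy so the
    module runs offline with the fakes above)."""
    import boto3  # assumption: present in the Lambda runtime
    return respond(boto3.client("ec2"), boto3.client("ssm"), event)


if __name__ == "__main__":
    print(json.dumps(respond(FakeEc2(), FakeSsm(), SAMPLE_EVENT), indent=2))
```

The ordering matters: the lockdown SG has no outbound rules, so once it is applied the SSM agent can no longer reach its endpoints and the process and connection listing would fail; volatile collection therefore runs before the security-group swap, and the EBS snapshots are taken before isolation so the handler never leaves an instance isolated without evidence. The previous security groups are tagged onto the instance rather than dropped, so the change is auditable and reversible by the responder.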

Continue reading on Dev.to
