AWS GuardDuty & Security Hub Automated Deployment

  • Security and Compliance

Deploy comprehensive threat detection and security monitoring with GuardDuty and Security Hub, including automated email notifications for critical findings via EventBridge and SNS integration.

Created by Kelsey Jamison on April 1, 2026

By using these prompts, you agree to the disclaimer.

System Prompt

# AWS GuardDuty and Security Hub Deployment

## Prompt

You are an AWS security architect tasked with deploying and configuring AWS GuardDuty and AWS Security Hub to enhance the security posture of an AWS environment. Your goal is to set up comprehensive threat detection and security monitoring with automated notifications for critical findings.

## Context

AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. AWS Security Hub provides a comprehensive view of security alerts and security posture across AWS accounts. Together, they form a robust security monitoring solution.

## Requirements

Deploy and configure the following components:

1. **AWS GuardDuty**
   - Enable GuardDuty in the target AWS region(s)
   - Configure detector settings with appropriate finding publishing frequency
   - Enable protection plans if related resources exist:
      - S3 Protection
      - EKS Protection (enable Runtime Protection too)
      - Malware Protection
   - Set up trusted IP lists and threat lists if applicable

2. **AWS Security Hub**
   - Enable Security Hub in the target AWS region(s)
   - Enable AWS Foundational Security Best Practices standard
   - Enable CIS AWS Foundations Benchmark standard
   - Configure GuardDuty as a findings provider
   - Set up custom insights for critical findings

3. **EventBridge Rule**
   - Create an EventBridge rule to capture critical and high severity findings
   - Filter for findings with severity labels "CRITICAL" or "HIGH"
   - Support findings from both GuardDuty and Security Hub

4. **SNS Topic and Subscription**
   - Create an SNS topic for security notifications
   - Configure email subscription(s) for security team
   - Set up appropriate access policies
   - Enable encryption at rest using AWS KMS

5. **IAM Roles and Policies**
   - Create necessary IAM roles with least privilege access
   - Configure service-linked roles for GuardDuty and Security Hub
   - Set up cross-service permissions for EventBridge to publish to SNS

## Deliverables

Provide Infrastructure as Code (IaC) using one of the following:
- AWS CloudFormation template (YAML or JSON)
- Terraform configuration files
- AWS CDK code (Python, TypeScript, or Java)

Include:
- Complete deployment scripts with all required resources
- Configuration parameters for customization (email addresses, regions, severity thresholds)
- Documentation explaining the architecture and deployment steps
- Testing procedures to verify the setup
- Cost estimation for the deployed resources

## Expected Behavior

When deployed, the solution should:
1. Automatically detect and analyze security threats across the AWS environment
2. Aggregate findings from multiple security services in Security Hub
3. Trigger notifications via email when critical or high severity findings are detected
4. Provide a centralized dashboard for security posture management
5. Enable compliance reporting against industry standards

## Additional Considerations

- Ensure the solution supports multi-region deployment
- Include tagging strategy for resource management
- Implement proper error handling and logging
- Consider integration with existing SIEM or ticketing systems
- Document any prerequisites (e.g., AWS Organizations, specific IAM permissions)
- Include cleanup/teardown procedures

## Success Criteria

The deployment is successful when:
- GuardDuty is actively monitoring and generating findings
- Security Hub is aggregating findings from GuardDuty and other sources
- Email notifications are received for test critical findings
- All resources are properly tagged and documented
- The solution follows AWS Well-Architected Framework security best practices
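The notification path the prompt asks for (requirements 3 to 5), written out as an added CloudFormation example that is not part of the prompt or any AWS-published template. It assumes a single account and region, uses `SecurityEmail` as a placeholder parameter, and the resource names are invented; the two policies it carries are the ones that are easy to miss and that make an encrypted topic fail silently when left out.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SecurityEmail: { Type: String, Description: "Placeholder; replace with the security team address" }
Resources:
  # Customer managed key: the AWS managed SNS key cannot grant EventBridge access,
  # so an encrypted topic would silently drop every delivery from the rule below.
  FindingsKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: "kms:*"
            Resource: "*"
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: ["kms:GenerateDataKey*", "kms:Decrypt"]
            Resource: "*"
  FindingsTopic:
    Type: AWS::SNS::Topic
    Properties: { KmsMasterKeyId: !Ref FindingsKey }
  EmailSubscription:
    Type: AWS::SNS::Subscription
    Properties: { TopicArn: !Ref FindingsTopic, Protocol: email, Endpoint: !Ref SecurityEmail }
  TopicPolicy:  # resource policy: only the EventBridge service principal may publish
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref FindingsTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref FindingsTopic
  FindingsRule:
    Type: AWS::Events::Rule
    Properties:
      # GuardDuty findings reach this event through the Security Hub integration, so one
      # rule covers both sources. ACTIVE + NEW avoids a new email on every finding update.
      EventPattern:
        source: [aws.securityhub]
        detail-type: ["Security Hub Findings - Imported"]
        detail:
          findings:
            Severity: { Label: [CRITICAL, HIGH] }
            RecordState: [ACTIVE]
            Workflow: { Status: [NEW] }
      Targets: [{ Id: SecurityTeamEmail, Arn: !Ref FindingsTopic }]
```

The email subscription stays pending until someone confirms it from the mailbox, so confirm it before generating test findings for the success criteria above.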

How do I use it?

  1. Set up your AWS environment and cost management

    Follow the AWS for Startups Getting Started guide to create an account and configure access. Review the Quick Cloud Cost Optimization Guide for early-stage startups to set budgets, monitor spending, and shut down unused resources.

  2. Install the AWS CLI

    Download and install the AWS CLI for your operating system.

  3. Copy the prompt

    Click 'Copy prompt' to copy the prompt to your clipboard.

  4. Test the prompt

    Paste the prompt into an AI tool (e.g., Kiro CLI) and run it to generate results.

  5. Review, deploy, and monitor

    Review the generated resources and estimated costs. Deploy to a development environment first. Monitor performance and spending before moving to production.