
Get Notifications for AWS GuardDuty Findings

All AWS accounts at Northwestern are configured to use Amazon GuardDuty, an automated threat-detection service that continuously monitors the AWS services and resources in your account and flags potentially malicious activity as "findings".

By default, findings appear only in the GuardDuty console, so you have to check there (or query GuardDuty with the AWS CLI) to see new findings and act on them. A better approach is to use CloudWatch Events and SNS to send a notification whenever GuardDuty creates a new finding, so you are alerted instead of having to poll.


Manual Setup

Amazon provides this documentation for setting up CloudWatch Events to send GuardDuty findings to an SNS topic or a Lambda function: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html


Automated Setup

Alternatively, Northwestern IT provides a Terraform module that creates this CloudWatch Events rule and SNS topic for you: https://github.com/NIT-Administrative-Systems/guardduty-notifications-iac/.

Instructions for using the Terraform module are in the README. If you have questions or problems setting the stack up, please post in the Cloud CoP AWS channel.
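For reference, the following Terraform configuration shows what the manual setup described in the Amazon documentation (a CloudWatch Events/EventBridge rule, an SNS topic, a topic policy that lets the Events service publish, and a target with a readable message) looks like in code. This is an added illustration written for this page; it is not the code of the NIT guardduty-notifications-iac module and may differ from what that module creates. It assumes GuardDuty is already enabled in the account and region, that the AWS provider is configured elsewhere, and that the resource names, the `alert_email` placeholder address and the `min_severity` variable are your own choices.

```hcl
# Added example, not the NIT guardduty-notifications-iac module.
# Assumes: GuardDuty already enabled; AWS provider configured elsewhere.
# All names and the e-mail address below are placeholders.

variable "alert_email" {
  description = "Address that receives GuardDuty finding notifications (placeholder)"
  type        = string
  default     = "security-alerts@example.edu"
}

variable "min_severity" {
  description = "Lowest GuardDuty severity (0 to 8.9) that triggers a notification"
  type        = number
  default     = 4 # Medium and above; set to 0 to forward every finding
}

resource "aws_sns_topic" "guardduty_findings" {
  name = "guardduty-findings"
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.guardduty_findings.arn
  protocol  = "email"
  endpoint  = var.alert_email # the subscription must be confirmed from the mailbox
}

# Match events published by GuardDuty. The "numeric" operator filters on the
# finding's severity so low-severity noise stays in the console only.
resource "aws_cloudwatch_event_rule" "guardduty_findings" {
  name        = "guardduty-findings-to-sns"
  description = "Forward GuardDuty findings to SNS"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", var.min_severity] }]
    }
  })
}

# Allow the CloudWatch Events service principal to publish to the topic;
# without this policy the rule matches but delivery fails.
resource "aws_sns_topic_policy" "allow_events" {
  arn = aws_sns_topic.guardduty_findings.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowCloudWatchEventsPublish"
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.guardduty_findings.arn
    }]
  })
}

# Send a one-line summary instead of the raw JSON event. The template must
# itself be a JSON string (hence the escaped quotes) for an SNS target.
resource "aws_cloudwatch_event_target" "sns" {
  rule      = aws_cloudwatch_event_rule.guardduty_findings.name
  target_id = "guardduty-findings-sns"
  arn       = aws_sns_topic.guardduty_findings.arn

  input_transformer {
    input_paths = {
      account  = "$.detail.accountId"
      region   = "$.region"
      severity = "$.detail.severity"
      type     = "$.detail.type"
      title    = "$.detail.title"
    }
    input_template = "\"GuardDuty finding in account <account> (<region>): severity <severity>, <type>: <title>\""
  }
}
```

After `terraform apply`, confirm the e-mail subscription from the mailbox, then use GuardDuty's "Generate sample findings" action in the console to verify that a notification actually arrives; a missing or misspelled topic policy is the most common reason a rule matches but nothing is delivered. The severity filter is a convenience rather than a safeguard: findings below the threshold are still recorded in GuardDuty and should still be reviewed there.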