Amazon GuardDuty Integration Guide | PagerDuty

Integration Guide for Amazon GuardDuty

Integration Overview

PagerDuty’s integration with Amazon GuardDuty allows you to automate response workflows for security issues that could affect your AWS infrastructure. PagerDuty ensures that the right people are notified about things like unauthorized behavior, and you can use PagerDuty’s alert grouping to reduce noise by grouping similar alerts into a single issue. This is a one-way integration, sending findings to PagerDuty.

Follow the instructions below to configure Amazon GuardDuty with PagerDuty. If you have any questions or need any assistance, please contact our Support team.

In PagerDuty

There are two ways that Amazon GuardDuty can be integrated with PagerDuty: via Event Rules or through an integration on a PagerDuty Service.

Integrating with Event Rules

Integrating with global or service-level event rules may be beneficial if you want to build different rules based on the payload coming from AWS. If you would like to learn more, please visit our article on Rulesets.

Configure a Global Event Rules Integration

  1. From the Automation menu, select Event Rules and click your Default Global Ruleset.
  2. On the Event Rules screen, copy your Integration Key.
  3. Once you have your Integration Key, the Integration URL will be: [YOUR_INTEGRATION_KEY_HERE]

You can now proceed to the In the AWS Management Console section below.

Configure a Service Event Rules Integration

To use service-level event rules:

  1. Navigate to Services > Service Directory, select your preferred service, open the Integrations tab and click Add a new integration.
  2. Enter an Integration Name, select Use our API directly and select your preferred Events API version (Events API v2 or Events API v1). Click Add Integration.
  3. Find the new integration in your integrations list and click its name. On the next page, copy the Integration Key and paste it into the following URL: [YOUR_INTEGRATION_KEY_HERE]/enqueue

You can now proceed to the In the AWS Management Console section below.

Integrating with a PagerDuty Service

Integrating with a PagerDuty Service directly can be beneficial if you don’t need to route alerts from AWS to different responders based on the event payload. You can still use service-level event rules to perform actions such as suppressing alerts.

  1. From the Services menu, select Service Directory.
  2. On your Service Directory page:
    If you are creating a new service for your integration, click + New Service. It is recommended that you create a service specifically for Amazon GuardDuty notifications.
    If you are adding your integration to an existing service, click the name of the service you want to add the integration to. Then click the Integrations tab and click the Add a new integration link.
  3. Select Amazon GuardDuty from the Integration Type menu and enter an Integration Name.
    If you are creating a new service for your integration, in General Settings, enter a Name for your new service. Then, in Incident Settings, specify the Escalation Policy, Notification Urgency, and Incident Behavior for your new service.
  4. Click the Add Service or Add Integration button to save your new integration. You will be redirected to the Integrations page for your service.
  5. Copy the Integration URL for your new integration.

In the AWS Management Console

  1. In the Services search bar, search for and select Simple Notification Service (SNS). On the SNS dashboard, select Topics and click Create Topic. This topic will be used to route alerts from AWS to PagerDuty.
  2. Enter a Topic name (you may want to name your topic after your PagerDuty service’s name) and Display name, then click Create topic.
  3. Now that your topic has been created, select Subscriptions in the left-hand menu and click Create Subscription.
  4. Make sure HTTPS is the selected Protocol. Paste the Integration URL you copied in PagerDuty (step 5 above) into the Endpoint field, ensure that the Enable raw message delivery checkbox is unchecked and click Create Subscription.

If using Global Rulesets with this integration, we recommend checking Enable raw message delivery to get the JSON with the fields needed to easily build event rules. This is not required for using service event rules.

  5. Your subscription should be confirmed automatically. Click the refresh icon to make sure the Subscription ID is no longer PendingConfirmation.
  6. Next, in the Services search bar, search for and select the Amazon GuardDuty console. If this is your first time setting up this service, search for GuardDuty and click Enable GuardDuty.
  7. Once you have enabled GuardDuty, you can begin building CloudWatch Event Rules to send alerts to PagerDuty. Navigate to the CloudWatch console.
  8. Select Events, then click Get Started to create a rule. One or more rules can be created to send specific alerts to PagerDuty when a GuardDuty finding is opened.
  9. Select GuardDuty as the Service Name, then select GuardDuty Finding as the Event Type.
  10. Click Add a target and select SNS topic, then select Your Topic Name (the SNS topic you created above in step 1) and click Configure Details.
  11. Assign a Name like GuardDuty-to-PD-Findings and click Create Rule.
  12. To ensure the configuration was successful, navigate back to the Amazon GuardDuty console to generate sample findings, which should trigger sample events in PagerDuty. Select Settings, then select Generate Sample Findings and then click Findings in the left navigation bar. You will see the sample findings that have been generated. In PagerDuty, you will see the corresponding sample alerts.

Congratulations, you have now integrated Amazon GuardDuty with PagerDuty! For more information on how to adjust settings to deduplicate events within PagerDuty, please visit our article on Event Management.
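As an added illustration (not code from PagerDuty’s guide or from AWS), the following Python models the two parts of this procedure that are easy to get wrong: the event pattern the CloudWatch rule applies to GuardDuty findings, and the difference the Enable raw message delivery checkbox makes to the JSON body PagerDuty receives. The finding event, topic ARN and account number are constructed sample values.

```python
import json

# Constructed sample of the CloudWatch Events envelope a GuardDuty finding
# arrives in; the layout mirrors the real one but every value is made up.
SAMPLE_FINDING_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "title": "Example finding title (constructed)",
    },
}

# Pattern equivalent to choosing Service Name GuardDuty / Event Type GuardDuty Finding.
ALL_FINDINGS_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

def rule_matches(pattern, event):
    """Exact-value subset of CloudWatch Events pattern matching: every key in
    the pattern must exist in the event and its value must be one of the listed
    values; nested objects are matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not rule_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def sns_delivery(event, raw_message_delivery):
    """Body the HTTPS subscription posts to PagerDuty for a matched event."""
    if raw_message_delivery:
        return json.dumps(event)  # finding fields sit at the top level
    return json.dumps({           # SNS envelope: the finding is a JSON string in Message
        "Type": "Notification",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:example-topic",
        "Message": json.dumps(event),
    })

def is_sns_envelope(body):
    """True when the body is the SNS envelope rather than the bare finding."""
    return "Message" in json.loads(body)

def finding_fields(body):
    """Recover (finding type, severity) from either delivery format."""
    data = json.loads(body)
    if is_sns_envelope(body):
        data = json.loads(data["Message"])
    return data["detail"]["type"], data["detail"]["severity"]
```

With raw delivery off, an event rule that wants the finding type or severity has to look inside the Message string, which is why the guide suggests enabling raw delivery when building Global Ruleset conditions.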

Updated 3 months ago
