AWS GuardDuty Findings Ingestion in Splunk using S3 and KMS Encryption

This project demonstrates how to build a secure, compliance-ready pipeline for exporting AWS GuardDuty security findings to Splunk using S3 bucket storage with KMS encryption. GuardDuty continuously monitors your AWS environment for threats and malicious activity, generating detailed findings that need to be centralized and analyzed.
In this implementation, GuardDuty automatically exports findings as JSON files to an encrypted S3 bucket. Splunk's Generic S3 input polls this bucket at regular intervals (typically every 15 minutes) to retrieve and ingest new findings. This batch-processing approach is ideal for organizations that need long-term archival, compliance documentation, and historical analysis of security events.

Key Components

• GuardDuty: Generates security findings from threat detection
• KMS (Key Management Service): Provides encryption keys for securing data at rest
• S3 Bucket: Stores encrypted finding files as durable, long-term archive
• IAM: Manages permissions for GuardDuty to write and Splunk to read
• Splunk Add-on for AWS: Polls S3 and ingests findings into Splunk

When to Use This Pipeline:

• Long-term compliance and audit trail requirements
• Archival storage of all security findings
• Cost-effective solution for moderate alert volumes
• Historical data analysis and reporting
• Acceptable latency of 5-15 minutes for findings

What Makes This Project Valuable?

This pipeline provides a secure, compliant, and cost-effective approach to centralizing GuardDuty findings. By using KMS encryption, you maintain full control over data encryption keys, meeting strict compliance requirements like PCI-DSS, HIPAA, and GDPR. The S3 storage layer ensures findings are never lost and can be reprocessed if needed. This architecture is production-ready and widely adopted in enterprise environments.