A real-time security monitoring system for AWS, built using 100% native AWS services. No complex ML setup. Just smart architecture, clean automation, and a hunger to learn cloud security.
| Category | Details |
|---|---|
| What is it? | Cloud Security / DevSecOps Automation Project |
| Built With | GuardDuty, Lambda, EventBridge, SNS, CloudTrail, Athena |
| What it does | Sends real-time email alerts when AWS detects a threat |
| Why it matters | Demonstrates hands-on cloud security experience |
As someone diving deep into cloud security, I wanted to build something practical, something a real company might use. This project helped me:
- Understand how real-time threat detection works
- Explore how AWS services talk to each other in a secure, scalable way
- Learn by building, not just reading docs
This system acts like a 24/7 cloud watchdog for your AWS account:
- Tracks API activity using CloudTrail
- Monitors traffic using VPC Flow Logs
- Detects threats with GuardDuty's built-in analytics (threat intelligence feeds, anomaly detection and ML), such as SSH brute force or traffic to known malware infrastructure
- Triggers alerts when something suspicious happens
- Sends you an email instantly with the alert details
And all of this happens automatically: no manual intervention, no ML model training.
- AWS CloudTrail: tracks API calls and user activity
- Amazon VPC Flow Logs: captures network traffic within VPCs
- Amazon GuardDuty: uses threat intelligence, anomaly detection and ML to detect threats (e.g., SSH brute force, malware)
- Amazon S3: stores all raw logs centrally
- Amazon Athena: SQL-based querying of logs in S3
- Amazon EventBridge: watches for suspicious events (like unauthorized access)
- AWS Lambda: sends real-time alerts when EventBridge rules match
- Amazon SNS: delivers security alerts via email
One caveat worth knowing: GuardDuty reads CloudTrail management events, VPC Flow Logs and DNS logs from its own internal stream, so enabling a trail or flow-log delivery to S3 is not a prerequisite for findings. The S3 copies in this design are for your own retention and Athena queries.
- Launched a test EC2 instance
- Simulated a brute-force SSH attack
- GuardDuty detected the attack and generated a finding
- EventBridge picked it up and triggered a Lambda
- Lambda formatted the alert and sent it to SNS
- Got an alert email in real time; it worked just like planned
- Cleaned up all resources to avoid any billing surprises
This rule watches for specific GuardDuty events and triggers Lambda:
The function runs on threat detection and pushes alerts via SNS:
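The rule pattern and the handler together, as an added example in Python (this is not the project's own `guardduty-event-pattern.json` or `lambda/alert_handler.py`, which are not reproduced on this page). The `SNS_TOPIC_ARN` variable name, the severity threshold of 4, the `FakeSns` stand-in and the sample finding are assumptions for illustration; the finding field names follow the format GuardDuty delivers to EventBridge, and the email body mirrors the fields in the sample alert shown further down.

```python
"""Added example (not the project's own alert_handler.py): an EventBridge rule
pattern for GuardDuty findings plus the Lambda that turns a finding into an SNS
email. SNS_TOPIC_ARN, the severity threshold and the sample event are assumptions."""
import os
from typing import Optional, Tuple

# Rule pattern (what guardduty-event-pattern.json would hold): only GuardDuty
# findings with severity >= 4 (Medium and above), so Low findings do not page anyone.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},  # EventBridge numeric filter
}

# Constructed sample in the shape GuardDuty delivers to EventBridge (fields trimmed).
SAMPLE_FINDING_EVENT = {
    "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "ap-south-1",
    "detail": {
        "accountId": "123456789012", "region": "ap-south-1",
        "id": "6ab1234567890abcdef1234567890abcd",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "severity": 5.3,
        "description": "198.51.100.7 is performing SSH brute force attacks against i-0123456789abcdef0.",
    },
}
_OPS = {">=": lambda a, n: a >= n, ">": lambda a, n: a > n, "<=": lambda a, n: a <= n,
        "<": lambda a, n: a < n, "=": lambda a, n: a == n}

def matches_pattern(event: dict, pattern: dict = GUARDDUTY_EVENT_PATTERN) -> bool:
    """Local approximation of EventBridge matching, enough to test a rule offline: a list
    is a set of exact-match alternatives, a nested dict recurses, {"numeric": [op, n]} compares."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches_pattern(actual, expected)):
                return False
            continue
        matched = False
        for alt in expected:
            if isinstance(alt, dict) and "numeric" in alt:
                op, n = alt["numeric"]
                matched = isinstance(actual, (int, float)) and _OPS[op](actual, n)
            else:
                matched = actual == alt
            if matched:
                break
        if not matched:
            return False
    return True

def severity_label(score: float) -> str:
    """GuardDuty severity bands: Critical 9.0+, High 7.0-8.9, Medium 4.0-6.9, Low below that."""
    for label, floor in (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0)):
        if score >= floor:
            return label
    return "Low"

def format_alert(event: dict) -> Tuple[str, str]:
    """Build (subject, body); optional fields fall back to 'n/a' so an odd finding still alerts."""
    d = event["detail"]
    sev = float(d.get("severity", 0))
    res = d.get("resource", {})
    instance = res.get("instanceDetails", {}).get("instanceId", "n/a")
    # SNS subjects must be a single line of at most 100 characters.
    subject = f"[GuardDuty {severity_label(sev)}] {d.get('type', 'Unknown finding')}"[:100]
    body = "\n".join([
        "AWS Security Alert Detected", "",
        f"Finding type: {d.get('type', 'n/a')}",
        f"Severity: {sev} ({severity_label(sev)})",
        f"Account: {d.get('accountId', event.get('account', 'n/a'))}",
        f"Region: {d.get('region', event.get('region', 'n/a'))}",
        f"Resource: {res.get('resourceType', 'n/a')} {instance}",
        "", d.get("description", ""), "",
        f"Finding ID: {d.get('id', 'n/a')}",
    ])
    return subject, body

def lambda_handler(event: dict, context=None, sns_client=None,
                   topic_arn: Optional[str] = None) -> dict:
    """Lambda entry point. The topic ARN comes from the SNS_TOPIC_ARN environment variable
    on the function (no hard-coded ARNs); events the rule would not match are dropped."""
    if not matches_pattern(event):
        return {"published": False, "reason": "event does not match the GuardDuty rule"}
    subject, body = format_alert(event)
    if sns_client is None:
        import boto3  # imported lazily so the module loads without boto3 for local tests
        sns_client = boto3.client("sns")
    topic_arn = topic_arn or os.environ["SNS_TOPIC_ARN"]
    resp = sns_client.publish(TopicArn=topic_arn, Subject=subject, Message=body)
    return {"published": True, "messageId": resp["MessageId"], "subject": subject}

class FakeSns:
    """Stand-in for boto3's SNS client so the handler can be exercised offline."""
    def __init__(self) -> None:
        self.published = []
    def publish(self, **kwargs) -> dict:
        self.published.append(kwargs)
        return {"MessageId": "local-0001"}

if __name__ == "__main__":
    fake = FakeSns()
    print(lambda_handler(SAMPLE_FINDING_EVENT, sns_client=fake,
                         topic_arn="arn:aws:sns:ap-south-1:123456789012:security-alerts"))
    print(fake.published[0]["Message"])
```

Two design points: the severity filter lives in the EventBridge pattern rather than in the function, so Low findings never invoke Lambda at all, and the handler re-checks the pattern so a hand-fired test event that does not look like a GuardDuty finding cannot send an email. The Lambda execution role only needs `sns:Publish` on that one topic ARN.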
A real-time detection of a simulated brute-force attack:
See all active findings categorized by severity:
Sample email received from SNS upon threat detection:
```
/aws-security-alert-system
├── README.md                         # Full project walkthrough
├── lambda/
│   └── alert_handler.py              # SNS email logic on threat detection
├── eventbridge/
│   └── guardduty-event-pattern.json  # EventBridge rule for triggering Lambda
└── screenshots/
    ├── eventbridge-rule.png
    ├── guardduty-findings.png
    ├── guardduty-summary.png
    ├── lambda-log.png
    └── sns-email-alert.png
```

This project taught me way more than just connecting AWS services:
- The difference between API logging and network logging
- How event-driven architecture works in security automation
- That you don't need to be a machine learning expert to use ML-powered tools
- The importance of IAM roles and least privilege
- Why cleaning up unused resources is as important as setting them up
| AWS Service | Why I Used It |
|---|---|
| GuardDuty | ML-based threat detection |
| Lambda | Real-time alert handler |
| SNS | Instantly sends email notifications |
| CloudTrail | Tracks user/API activity |
| VPC Flow Logs | Captures network-level behavior |
| S3 | Stores all logs securely |
| Athena | Run SQL queries on logs (future use) |
| EventBridge | Connects threat detection to action |
```
AWS Security Alert Detected
A suspicious activity was detected in your AWS environment.
Details:
UnauthorizedAccess:EC2/SSHBruteForce
Severity: 5.3 (Medium)
Region: ap-south-1
```
One thing I've learned: never leave cloud resources running.
- Terminated test EC2 instance
- Deleted CloudTrail trails (after testing)
- Removed VPC Flow Logs
- Disabled GuardDuty (after verification)
- Deleted EventBridge rule and Lambda
- Unsubscribed from SNS
- Emptied & removed S3 buckets
- Reviewed billing dashboard to confirm $0 usage
- Use Athena to analyze logs in S3
- Add QuickSight or OpenSearch dashboards
- Enable auto-remediation (e.g., block malicious IPs automatically)
- Experiment with Amazon Lookout for Metrics (optional)
One of my goals was to keep this project fully within the AWS Free Tier. Here's how I achieved that:
| Service | Usage Type | Cost | Notes |
|---|---|---|---|
| CloudTrail | Management events | $0 | One trail of management events is free (S3 storage billed separately); Event history is free for 90 days |
| VPC Flow Logs | Limited duration + filter | $0 | Cost-optimized by limiting scope |
| GuardDuty | Free trial (30 days) | $0 | Disabled after test to avoid charges |
| S3 | Minimal log storage | ~$0.01 | Used infrequent access class |
| Athena | No queries run (yet) | $0 | Planned for later |
| EventBridge | Small volume of rules | $0 | Fits in free tier |
| Lambda | Low invocations | $0 | Free tier covers 1M invocations/month |
| SNS | Email alerts only | $0 | First 1,000 emails are free |
Total cost: $0.01 or less (covered by the AWS Free Tier)
Deepbendu Debnath
AWS Certified Solutions Architect – Associate | Cloud Security Explorer | Full Stack Developer | C++ Problem Solver
Made with love in India
I'm a hands-on builder passionate about cloud security, automation, and meaningful tech. This project reflects my journey into DevSecOps using AWS-native services, combining real-time monitoring, event-driven automation, and security-first thinking.
I also hold the AWS Certified Solutions Architect – Associate credential, which deepened my understanding of building secure, scalable, and cost-optimized cloud solutions.
I didn't just build this project; I built real-world cloud confidence.
I'm open to:
- Entry-level full-time roles
- Internships, collaborative builds, or open-source work
- Cloud security conversations, mentorship, or guidance
Email: debnathdeepbendu@gmail.com
LinkedIn | GitHub | LeetCode
You can verify my AWS Certified Solutions Architect – Associate credential here:
Verify my AWS Certification | Verify my Credly Badge