A real-time security monitoring system built with AWS serverless technologies. This project demonstrates cloud architecture best practices and security monitoring capabilities using AWS Lambda, DynamoDB, CloudWatch, and SNS.
Watch the system in action: 3-minute demo video
See real-time threat detection, Slack notifications, and the complete workflow from event ingestion to alert generation.
- Real-time Event Ingestion: Automatically ingests security events from various sources
- Intelligent Threat Detection: 11 built-in detection rules for common security threats:
- Brute force attacks
- Suspicious IP detection
- Privilege escalation attempts
- Data exfiltration
- Port scanning and directory traversal
- Anomalous time access
- Failed authentication monitoring
- SQL injection detection
- API rate limiting violations
- Credential stuffing attacks
- Geo-location anomalies
- Automated Alerting: Slack and SNS notifications for MEDIUM, HIGH and CRITICAL severity alerts
- Interactive Dashboard: Real-time web dashboard for visualizing security events and alerts
- Scalable Architecture: Fully serverless with automatic scaling
- Cost-Effective: Pay only for what you use with AWS serverless services
Real-time security event monitoring with threat detection alerts, event analytics, and live statistics
Deploy in minutes with AWS SAM:
# Clone and deploy
git clone https://github.com/hackn3y/security-monitor-dash.git
cd security-monitor-dash
sam build && sam deploy --guided
# Test with traffic simulator
python scripts/traffic-simulator.py --endpoint YOUR_API_ENDPOINT --scenario allSee QUICKSTART.md for detailed setup instructions.
Estimated monthly costs for moderate usage (100K events/month):
| Service | Usage | Estimated Cost |
|---|---|---|
| Lambda | 1M requests, 512MB, 30s avg | $5-10 |
| DynamoDB | On-demand, 100K writes, 500K reads | $5-15 |
| API Gateway | 1M requests | $3-7 |
| CloudWatch | Logs, metrics, alarms | $1-5 |
| S3 | Dashboard hosting, logs | <$1 |
| SNS | Email notifications | <$1 |
| Total | $15-40/month |
Costs scale automatically with usage. 30-day TTL on events keeps storage costs low.
-
Log Ingestion Lambda (
src/ingestion/)- Receives security events via API Gateway POST requests
- Auto-generates simulated events every minute for testing
- Stores events in DynamoDB with 30-day TTL
- Sends metrics to CloudWatch
-
Threat Detection Lambda (
src/detection/)- Triggered by DynamoDB Streams on new events
- Analyzes events against multiple security rules
- Creates alerts for detected threats
- Sends SNS notifications for critical alerts
-
Alert Management Lambda (
src/alerts/)- Manages alert lifecycle and status updates
- Sends formatted notifications via SNS
- Provides API for alert acknowledgment and resolution
-
Dashboard API Lambda (
src/dashboard/)- RESTful API for dashboard data
- Endpoints for events, alerts, and statistics
- Real-time aggregations and filtering
-
DynamoDB Tables
SecurityEvents: Stores all security events with GSI on sourceIpSecurityAlerts: Stores generated alerts with GSI on severity
-
CloudWatch & SNS
- Custom metrics for monitoring
- SNS topic for email/SMS alerts
- CloudWatch alarms for critical conditions
External Sources β API Gateway β Ingestion Lambda β DynamoDB Events Table
β
DynamoDB Stream
β
Detection Lambda
β
ββββββββββββββββββ΄βββββββββββββββββ
β β
Alerts Table SNS Topic
β β
Dashboard API Email/SMS Alerts
β
Web Dashboard
- AWS Account with appropriate permissions
- AWS CLI configured with credentials
- AWS SAM CLI installed
- Python 3.9+ (for traffic simulator)
- S3 bucket for deployment artifacts
macOS/Linux:
brew install aws-sam-cliWindows:
# Using Chocolatey
choco install aws-sam-cli
# Or download MSI installer from:
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.htmlLinux/macOS:
chmod +x scripts/deploy.sh
./scripts/deploy.shWindows PowerShell:
.\scripts\deploy.ps1The script will:
- Build the SAM application
- Package and upload to S3
- Deploy the CloudFormation stack
- Upload the dashboard to S3
- Configure SNS email subscriptions
# 1. Build the application
sam build
# 2. Deploy with guided prompts
sam deploy --guided
# 3. Upload dashboard to S3 bucket (get bucket name from stack outputs)
aws s3 cp dashboard/index.html s3://YOUR-DASHBOARD-BUCKET/index.html
# 4. Subscribe to SNS topic
aws sns subscribe \
--topic-arn YOUR-SNS-TOPIC-ARN \
--protocol email \
--notification-endpoint your-email@example.com- Open the Dashboard URL from deployment outputs
- Enter your API Gateway endpoint in the configuration section
- Click "Save Configuration"
- The dashboard will start displaying real-time data
- Check your email for SNS subscription confirmation
- Click the confirmation link
- You'll now receive alerts for HIGH and CRITICAL threats
Send events to the ingestion API:
curl -X POST https://YOUR-API-ENDPOINT/ingest \
-H "Content-Type: application/json" \
-d '{
"eventType": "authentication",
"action": "login_failed",
"sourceIp": "192.168.1.100",
"user": "admin",
"resource": "/api/login",
"statusCode": 401
}'The included traffic simulator generates realistic security events for testing:
# Install dependencies
pip install requests
# Run full simulation (all attack scenarios)
python scripts/traffic-simulator.py \
--endpoint https://YOUR-API-ENDPOINT \
--scenario all
# Run specific scenarios
python scripts/traffic-simulator.py \
--endpoint https://YOUR-API-ENDPOINT \
--scenario brute-force
# Generate normal traffic only
python scripts/traffic-simulator.py \
--endpoint https://YOUR-API-ENDPOINT \
--scenario normal \
--count 50all: Complete simulation with all attack typesnormal: Generate legitimate trafficbrute-force: Simulate brute force attackssuspicious-ip: Access from suspicious IPsscanning: Port scanning and directory traversalprivilege-escalation: Unauthorized admin actionsexfiltration: Large data transfersanomalous-time: Off-hours access to sensitive resources
- Trigger: 5+ failed login attempts from same IP in 5 minutes
- Severity: HIGH
- Response: Alert + SNS notification
- Trigger: Request from known malicious IP ranges
- Severity: MEDIUM
- Response: Alert
- Trigger: Non-admin user attempting admin actions
- Severity: CRITICAL
- Response: Alert + SNS notification
- Trigger: Data transfer > 10MB
- Severity: HIGH
- Response: Alert + SNS notification
- Trigger: Port scanning or directory traversal attempts
- Severity: MEDIUM
- Response: Alert
- Trigger: Sensitive resource access during 2-5 AM UTC
- Severity: LOW
- Response: Alert
- Trigger: Failed login on admin/root accounts
- Severity: MEDIUM
- Response: Alert
Custom metrics in the SecurityMonitoring namespace:
EventsIngested: Number of events processedEventsFailed: Failed event ingestion attemptsAlertsGenerated: Number of alerts createdCriticalAlerts: Count of critical severity alerts
- HighSeveritySecurityAlerts: Triggers when critical alerts are detected
- Sends notifications to SNS topic
- Real-time Statistics: Event counts, alert summaries
- Alert Timeline: Recent alerts with severity indicators
- Event Analytics: Events by type, top source IPs, user activity
- Auto-refresh: Updates every 30 seconds
Estimated monthly cost for moderate usage:
- Lambda: ~$5-10 (1M requests)
- DynamoDB: ~$5-15 (on-demand pricing)
- API Gateway: ~$3-7 (1M requests)
- CloudWatch: ~$1-5 (logs and metrics)
- S3: <$1 (dashboard hosting)
- SNS: <$1 (email notifications)
Total: Approximately $15-40/month
Edit src/detection/handler.py:
def detect_custom_threat(event_data):
"""Your custom detection logic."""
if your_condition:
return {
'rule': 'CUSTOM_RULE_NAME',
'severity': 'MEDIUM',
'description': 'Description of the threat',
'details': {...}
}
return None
# Add to detect_threats() function
def detect_threats(event_data):
threats = []
# ... existing rules ...
custom_threat = detect_custom_threat(event_data)
if custom_threat:
threats.append(custom_threat)
return threatsModify thresholds in src/detection/handler.py:
# Change brute force threshold
if len(failed_attempts) >= 10: # Change from 5 to 10
# Change data exfiltration threshold
if bytes_transferred > 50 * 1024 * 1024: # Change to 50MBIntegrate with other AWS services:
- CloudTrail: Monitor AWS API calls
- VPC Flow Logs: Network traffic monitoring
- GuardDuty: AWS threat detection integration
- WAF Logs: Web application firewall events
Example CloudTrail integration:
CloudTrailEventRule:
Type: AWS::Events::Rule
Properties:
EventPattern:
source:
- aws.cloudtrail
Targets:
- Arn: !GetAtt LogIngestionFunction.Arn
Id: CloudTrailIngestion# Make changes to code or template
sam build
sam deploy
# Upload updated dashboard
aws s3 cp dashboard/index.html s3://YOUR-BUCKET/index.html# View ingestion logs
sam logs -n SecurityLogIngestion --tail
# View detection logs
sam logs -n ThreatDetection --tail
# View all logs
sam logs --tail# Delete the stack and all resources
aws cloudformation delete-stack --stack-name security-monitoring
# Delete S3 bucket (must be empty)
aws s3 rb s3://YOUR-BUCKET --force- Check API endpoint configuration
- Verify CORS is enabled (should be automatic)
- Check browser console for errors
- Verify API Gateway is deployed
- Check if events are being ingested: View DynamoDB Events table
- Check Detection Lambda logs for errors
- Verify DynamoDB Stream is enabled
- Run traffic simulator to generate test alerts
- Confirm SNS subscription is confirmed
- Check spam folder
- Verify alert severity is HIGH or CRITICAL
- Check SNS topic permissions
- Reduce DynamoDB TTL if storing too much data
- Adjust CloudWatch log retention
- Reduce simulation frequency (modify schedule in template.yaml)
- Consider switching DynamoDB to provisioned capacity for consistent workloads
- API Authentication: Consider adding API Gateway authorization
- Encryption: Enable DynamoDB encryption at rest
- VPC: Deploy Lambdas in VPC for internal resources
- IAM: Review and minimize Lambda IAM permissions
- Secrets: Use AWS Secrets Manager for sensitive configuration
- Dashboard Access: Consider CloudFront + S3 with authentication
security-monitoring-dashboard/
βββ template.yaml # SAM/CloudFormation template
βββ src/
β βββ ingestion/
β β βββ handler.py # Log ingestion Lambda
β β βββ requirements.txt
β βββ detection/
β β βββ handler.py # Threat detection Lambda
β β βββ requirements.txt
β βββ alerts/
β β βββ handler.py # Alert management Lambda
β β βββ requirements.txt
β βββ dashboard/
β βββ handler.py # Dashboard API Lambda
β βββ requirements.txt
βββ dashboard/
β βββ index.html # Web dashboard
βββ scripts/
β βββ deploy.sh # Bash deployment script
β βββ deploy.ps1 # PowerShell deployment script
β βββ traffic-simulator.py # Testing tool
βββ README.md
Contributions are welcome! Areas for improvement:
- Additional threat detection rules
- Machine learning-based anomaly detection
- Integration with external threat intelligence feeds
- Enhanced dashboard visualizations
- Mobile-responsive dashboard
- Alert correlation and aggregation
MIT License - feel free to use this project for learning and demonstration purposes.
For issues, questions, or contributions, please create an issue in the repository.
Built with AWS Serverless Technologies - Demonstrating cloud architecture and security monitoring expertise.