AWS Cloud Security UserGroup West Africa
Session Date: May 2, 2026 | 60-Minute Workshop
Topic: Build an event-driven system using EventBridge + Lambda + SQS
This project demonstrates a production-grade, security-focused event-driven system that ingests, enriches, scores, and processes security events in real-time using AWS EventBridge, Lambda, and SQS.
A complete event triage pipeline that:
- ✅ Routes suspicious activity events in real-time
- ✅ Enriches events with context (user, account, geo, asset metadata)
- ✅ Scores threat risk (0-100)
- ✅ Queues for reliable processing with guaranteed delivery
- ✅ Handles failures gracefully (retries, DLQ, circuit breaker)
- ✅ Provides full observability (X-Ray, CloudWatch, structured logs)
- ✅ Follows production best practices (least-privilege IAM, encryption, idempotency)
## Architecture

Events → EventBridge Rules → Lambda Enrichment/Scoring → SQS → Lambda Worker → Audit Trail
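The first hop in this flow is EventBridge rule matching: a rule's event pattern decides which events reach the enricher/scorer at all, so the patterns deserve the same unit tests as the Lambda code. The following is an added example, not code from the workshop repository: a small Python matcher that re-implements a subset of EventBridge content filtering (exact values, value lists, `prefix`, `anything-but`, `numeric`, `exists`) so rule patterns can be checked locally before `cdk deploy`. The rule names, patterns and sample events are constructed for illustration.

```python
"""EventBridge-style rule matching for local testing of routing rules.

Added example, not the workshop repository's code. Implements a subset of
EventBridge content filtering so that the rules that route suspicious activity
to the enricher/scorer can be unit-tested before deployment. Rule names,
patterns and sample events below are constructed for illustration.
"""
from typing import Any

_MISSING = object()  # sentinel for "field absent from the event"

_NUMERIC_OPS = {
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def _numeric_ok(value: float, spec: list) -> bool:
    """spec is [op, bound, op, bound, ...]; every op/bound pair must hold."""
    return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _match_leaf(value: Any, conditions: list) -> bool:
    """A leaf pattern is a list; the value matches if any list element matches."""
    for cond in conditions:
        if not isinstance(cond, dict):          # plain literal
            if value == cond:
                return True
            continue
        if "prefix" in cond and isinstance(value, str) and value.startswith(cond["prefix"]):
            return True
        if "anything-but" in cond:
            excluded = cond["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            if value not in excluded:
                return True
        if cond.get("exists") is True:
            return True                         # field is present, which is all this asks
        if "numeric" in cond and isinstance(value, (int, float)) and not isinstance(value, bool):
            if _numeric_ok(value, cond["numeric"]):
                return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Return True if every field in the pattern is satisfied by the event."""
    for key, sub in pattern.items():
        value = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        if isinstance(sub, dict):               # nested object: recurse
            if not isinstance(value, dict) or not matches(sub, value):
                return False
        elif value is _MISSING:                 # absent field: only {"exists": false} matches
            if not any(isinstance(c, dict) and c.get("exists") is False for c in sub):
                return False
        elif isinstance(value, list):           # array field: any element may match
            if not any(_match_leaf(v, sub) for v in value):
                return False
        elif not _match_leaf(value, sub):
            return False
    return True


# Constructed rules (assumed names and patterns, not the workshop's own rules).
RULES = {
    "suspicious-console-login": {
        "source": ["aws.signin"],
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"responseElements": {"ConsoleLogin": ["Failure"]}},
    },
    "iam-policy-change": {
        "source": ["aws.iam"],
        "detail": {"eventName": [{"prefix": "Put"}, {"prefix": "Attach"}, {"prefix": "Create"}]},
    },
    "high-risk-scored": {
        "source": ["security.triage"],
        "detail": {"risk_score": [{"numeric": [">=", 70]}]},
    },
}


def route(event: dict, rules: dict = RULES) -> list:
    """Names of all rules whose pattern matches; EventBridge fans out to every match."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]


# Constructed sample events (not from events/sample_events.json).
SAMPLE_EVENTS = [
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "198.51.100.7"}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "AttachUserPolicy"}},
    {"source": "security.triage", "detail-type": "ScoredEvent", "detail": {"risk_score": 85}},
    {"source": "security.triage", "detail-type": "ScoredEvent", "detail": {"risk_score": 12}},
]
```

Because `route` returns every matching rule rather than the first, a test that asserts on the full list catches the common mistake of two overlapping patterns both firing for one event and double-feeding the scorer.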
## Prerequisites

- AWS Account with admin access (or sufficient permissions for EventBridge, Lambda, SQS, CloudWatch, X-Ray)
- AWS CLI v2 configured
- Python 3.11+
- Node.js 18+ (for AWS CDK)
- Docker (optional, for LocalStack testing)

## Quick Start

```bash
# Clone repo
git clone https://github.com/<owner>/<repo>.git
cd <repo>

# Install CDK dependencies
npm install -g aws-cdk

# Create Python virtual environment
python3 -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate

# Install Python dependencies
pip install -r infrastructure/cdk/requirements.txt
pip install -r scripts/requirements.txt

# Install function dependencies
for func in functions/enricher functions/scorer functions/worker; do
  pip install -r "$func/requirements.txt" --target "$func/package"
done
```

Deploy the stacks:

```bash
cd infrastructure/cdk
cdk deploy --require-approval never
```

Exercise the pipeline:

```bash
# Send sample events to EventBridge
./scripts/send_events.sh

# Watch logs in real-time
./scripts/monitor.sh
```

Tear everything down when you are done:

```bash
./scripts/destroy.sh
```
## Project Structure

```text
├── infrastructure/
│   ├── cdk/
│   │   ├── app.py                  # Main CDK application
│   │   ├── eventbridge_stack.py    # EventBridge resources
│   │   ├── lambda_stack.py         # Lambda functions
│   │   ├── sqs_stack.py            # SQS queues
│   │   ├── iam_stack.py            # IAM roles & policies
│   │   ├── monitoring_stack.py     # CloudWatch & X-Ray
│   │   └── requirements.txt
│   └── outputs/                    # Deployed resource outputs
│
├── functions/
│   ├── enricher/
│   │   ├── lambda_function.py      # Enrichment logic
│   │   ├── requirements.txt
│   │   └── tests/
│   │
│   ├── scorer/
│   │   ├── lambda_function.py      # Risk scoring logic
│   │   ├── requirements.txt
│   │   └── tests/
│   │
│   ├── worker/
│   │   ├── lambda_function.py      # SQS consumer & processor
│   │   ├── requirements.txt
│   │   └── tests/
│   │
│   └── shared/
│       ├── logger.py               # Structured logging
│       ├── validator.py            # Event validation
│       ├── idempotency.py          # Idempotent processing
│       └── constants.py            # Constants & config
│
├── events/
│   ├── sample_events.json          # Test event collection
│   └── schema.json                 # EventBridge schema
│
├── tests/
│   ├── unit/                       # Unit tests for each Lambda
│   ├── integration/                # End-to-end flow tests
│   └── chaos/                      # Failure scenario tests
│
├── scripts/
│   ├── deploy.sh                   # Deploy infrastructure
│   ├── send_events.sh              # Simulate events
│   ├── monitor.sh                  # Watch logs/metrics
│   └── destroy.sh                  # Cleanup
│
├── docs/
│   ├── ARCHITECTURE.md             # Design decisions
│   ├── DEPLOYMENT.md               # Step-by-step guide
│   ├── RUNBOOK.md                  # Troubleshooting
│   └── PRODUCTION_CHECKLIST.md     # Pre-production readiness
│
└── .gitignore
```
## Key Features

Security:
- Least-Privilege IAM: Each component has minimal required permissions
- Encryption: KMS for SQS, TLS in-flight, no secrets in code
- Audit Trail: Every event logged with correlation ID
- Schema Validation: Events validated against contract before processing

Reliability:
- Retry Strategy: Exponential backoff, max 2 attempts per rule
- Dead-Letter Queues: Failed events captured for investigation
- Idempotent Processing: Same event processed twice = same outcome
- Circuit Breaker: Stop retrying if target repeatedly fails
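The retry, DLQ, idempotency and circuit-breaker controls above meet in the SQS worker, so that is where their interaction is easiest to get wrong (a redelivered message reprocessed, or a whole batch retried because one message failed). The following is an added example, not the workshop repository's worker function. It shows a Python SQS batch handler that claims each event id in an idempotency store (an in-memory dict standing in for a DynamoDB table with conditional writes, which is an assumption), gates downstream calls behind a circuit breaker, and returns `batchItemFailures` so SQS retries only the failed messages and moves them to the dead-letter queue once `maxReceiveCount` is exceeded. `flaky_target` and the sample batch are constructed for illustration.

```python
"""SQS worker with idempotent processing, a circuit breaker and partial-batch
failure reporting. Added example, not the workshop repository's worker.
The idempotency store is an in-memory stand-in for DynamoDB (assumption) and
`flaky_target` is a hypothetical downstream call.
"""
import json
import time
from typing import Callable


class CircuitBreaker:
    """Opens after `failure_threshold` consecutive failures; after `reset_after`
    seconds it lets one trial call through (half-open)."""

    def __init__(self, failure_threshold: int = 3, reset_after: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_threshold, self.reset_after, self.clock = failure_threshold, reset_after, clock
        self.failures, self.opened_at = 0, None

    def allow(self) -> bool:
        if self.opened_at is None:
            return True
        if self.clock() - self.opened_at >= self.reset_after:
            self.opened_at = None
            self.failures = self.failure_threshold - 1   # one more failure re-opens it
            return True
        return False

    def record_success(self) -> None:
        self.failures, self.opened_at = 0, None

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = self.clock()


class IdempotencyStore:
    """Stand-in for a DynamoDB table keyed on the event id (assumption)."""

    def __init__(self):
        self._state = {}                                 # event id -> "in_progress" | "done"

    def start(self, key: str) -> bool:
        """Claim the key; False means it was already claimed or completed."""
        if key in self._state:
            return False
        self._state[key] = "in_progress"
        return True

    def complete(self, key: str) -> None:
        self._state[key] = "done"

    def release(self, key: str) -> None:
        self._state.pop(key, None)                       # let the SQS retry claim it again


def process_batch(records, store, breaker, target):
    """Process one SQS batch; returns (Lambda response, per-message outcome)."""
    failures, outcomes = [], {}
    for record in records:
        msg_id = record["messageId"]
        body = json.loads(record["body"])
        key = body.get("id", msg_id)                     # business id, else the SQS messageId
        if not store.start(key):
            outcomes[msg_id] = "duplicate"               # already handled: ack, do not reprocess
            continue
        if not breaker.allow():
            store.release(key)
            failures.append({"itemIdentifier": msg_id})  # retried later, not lost
            outcomes[msg_id] = "circuit_open"
            continue
        try:
            target(body)
        except Exception:
            breaker.record_failure()
            store.release(key)
            failures.append({"itemIdentifier": msg_id})  # retry -> DLQ after maxReceiveCount
            outcomes[msg_id] = "failed"
        else:
            breaker.record_success()
            store.complete(key)
            outcomes[msg_id] = "processed"
    return {"batchItemFailures": failures}, outcomes


def flaky_target(body: dict) -> None:
    """Hypothetical downstream call; fails when the constructed body says so."""
    if body.get("fail"):
        raise RuntimeError("downstream unavailable")


def make_record(msg_id: str, body: dict) -> dict:
    return {"messageId": msg_id, "body": json.dumps(body)}


# Constructed batch: a duplicate delivery, three downstream failures, then a healthy message.
SAMPLE_RECORDS = [
    make_record("m1", {"id": "evt-1", "user": "alice"}),
    make_record("m2", {"id": "evt-1", "user": "alice"}),   # redelivered duplicate
    make_record("m3", {"id": "evt-2", "fail": True}),
    make_record("m4", {"id": "evt-3", "fail": True}),
    make_record("m5", {"id": "evt-4", "fail": True}),
    make_record("m6", {"id": "evt-5", "user": "bob"}),     # healthy, but the breaker is open
]

_STORE, _BREAKER = IdempotencyStore(), CircuitBreaker()


def handler(event, context=None):
    """Lambda entry point for an event source mapping with ReportBatchItemFailures."""
    response, _ = process_batch(event["Records"], _STORE, _BREAKER, flaky_target)
    return response


def demo():
    return process_batch(SAMPLE_RECORDS, IdempotencyStore(), CircuitBreaker(3), flaky_target)
```

Two details matter for the DLQ to stay meaningful: a message rejected because the breaker is open is reported as a batch failure rather than swallowed, so it is retried once the target recovers; and the idempotency claim is released on failure, otherwise the retry would be treated as a duplicate and silently acknowledged.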
Observability:
- CloudWatch Logs: Structured JSON logging
- X-Ray Tracing: End-to-end request flow visualization
- Metrics Dashboard: Event volume, latency, error rates
- Alarms: Alert on anomalies (queue depth, errors, latency)

Production readiness:
- Infrastructure as Code: CDK for reproducible deployments
- Automated Tests: Unit, integration, and chaos scenarios
- Comprehensive Docs: Architecture, deployment, troubleshooting
- Cost Monitoring: Track spend per event type
## Documentation

| Document | Purpose |
|---|---|
| ARCHITECTURE.md | Design overview, decisions, data flows |
| DEPLOYMENT.md | Step-by-step deployment walkthrough |
| RUNBOOK.md | Operational guide and troubleshooting |
| PRODUCTION_CHECKLIST.md | Pre-launch readiness checklist |
## Running Tests

```bash
# Unit tests
pytest tests/unit -v

# Integration tests
pytest tests/integration -v

# Chaos engineering tests
pytest tests/chaos -v

# All tests with coverage
pytest tests/ --cov=functions
```

## What You'll Learn

After this workshop, you'll understand:
- ✅ How to design event-driven security pipelines
- ✅ EventBridge routing, filtering, and schema validation
- ✅ Lambda as a stateless event processor (best practices)
- ✅ SQS for decoupling and guaranteed delivery
- ✅ Production patterns: retry, DLQ, idempotency, circuit breaker
- ✅ Security controls at each layer (IAM, encryption, audit)
- ✅ Observability: logging, tracing, metrics, alarms
- ✅ How to adapt this pattern for your own use cases
Once the core works, you can add:
- SNS Notifications: Alert on critical events
- Lambda Remediation: Auto-respond to threats
- DynamoDB: Event history and analytics
- S3: Archive events for compliance
- EventBridge Archive: Replay events if needed
- Multi-Region: Cross-region failover
This pattern applies to:
- Threat Detection: Ingest CloudTrail, detect suspicious API calls
- Compliance Monitoring: Track configuration changes, audit events
- Incident Response: Correlate events, trigger auto-remediation
- Cost Optimization: Monitor unusual resource creation
- Access Management: Track role assumption, permission changes
## Support

- Questions? See RUNBOOK.md
- Deployment issues? See DEPLOYMENT.md
- Code issues? Check the tests/ directory for examples
Built for AWS Cloud Security UserGroup West Africa