# AWS Cloud Security UserGroup West Africa

Session Date: May 2, 2026 | 60-Minute Workshop
Topic: Build an event-driven system using EventBridge + Lambda + SQS
This project demonstrates a production-grade, security-focused event-driven system that ingests, enriches, scores, and processes security events in real-time using AWS EventBridge, Lambda, and SQS.
A complete event triage pipeline that:
- ✅ Routes suspicious activity events in real-time
- ✅ Enriches events with context (user, account, geo, asset metadata)
- ✅ Scores threat risk (0–100)
- ✅ Queues for reliable processing with guaranteed delivery
- ✅ Handles failures gracefully (retries, DLQ, circuit breaker)
- ✅ Provides full observability (X-Ray, CloudWatch, structured logs)
- ✅ Follows production best practices (least-privilege IAM, encryption, idempotency)
Events → EventBridge Rules → Lambda Enrichment/Scoring → SQS → Lambda Worker → Audit Trail
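The enrichment and scoring stage described above, as an added example that is not the workshop repo's code: it checks an EventBridge envelope against a field contract before scoring, then combines a per-action base score with enrichment context (geo, principal privilege, time of day) and clamps the result to 0-100. The field names, the `custom.security` source, the trusted-country set and all weights are assumptions; the sample event is constructed.

```python
"""Validate an EventBridge security event against a contract, then score it 0-100.
Added example, not the workshop repo's code; field names and weights are assumptions."""
from datetime import datetime, timezone

# Contract enforced before scoring (assumed field set and types).
REQUIRED_DETAIL_FIELDS = {"event_id": str, "user": str, "account_id": str,
                          "action": str, "source_ip": str, "timestamp": str}
# Hypothetical base score per action; unknown actions get a low floor of 10.
BASE_SCORE = {"ConsoleLogin": 20, "AssumeRole": 30, "CreateAccessKey": 45,
              "PutBucketPolicy": 50, "DeleteTrail": 80}
TRUSTED_COUNTRIES = {"NG", "GH"}   # constructed corporate footprint

def validate(event: dict) -> list:
    """Return contract violations for an EventBridge envelope; an empty list means valid."""
    problems = []
    if event.get("source") != "custom.security":
        problems.append("unexpected source")
    detail = event.get("detail")
    if not isinstance(detail, dict):
        return problems + ["detail must be an object"]
    for name, typ in REQUIRED_DETAIL_FIELDS.items():
        if not isinstance(detail.get(name), typ):
            problems.append(f"detail.{name} missing or not {typ.__name__}")
    return problems

def score(detail: dict, context: dict) -> int:
    """Combine the action's base score with enrichment context; clamp to 0-100."""
    s = BASE_SCORE.get(detail["action"], 10)
    if context.get("geo_country") not in TRUSTED_COUNTRIES:
        s += 25                                  # outside the corporate footprint
    if context.get("user_is_admin"):
        s += 15                                  # privileged principal, larger blast radius
    hour = datetime.fromisoformat(detail["timestamp"]).astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        s += 10                                  # off-hours activity
    return max(0, min(100, s))

def triage(event: dict, context: dict) -> dict:
    """Validate, then score; an event that breaks the contract is rejected, not scored."""
    problems = validate(event)
    if problems:
        return {"status": "rejected", "problems": problems}
    return {"status": "scored", "risk_score": score(event["detail"], context)}

# Constructed sample: an access-key creation by an admin from outside the footprint.
SAMPLE_EVENT = {"source": "custom.security", "detail-type": "SuspiciousActivity",
                "detail": {"event_id": "evt-0001", "user": "alice", "account_id": "123456789012",
                           "action": "CreateAccessKey", "source_ip": "203.0.113.7",
                           "timestamp": "2026-05-02T14:15:00+00:00"}}
SAMPLE_CONTEXT = {"geo_country": "US", "user_is_admin": True}
```

Rejecting before scoring matters because a malformed event would otherwise raise inside `score` and be retried by EventBridge until it lands in the DLQ without ever having been classified.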
## Prerequisites

- AWS Account with admin access (or sufficient permissions for EventBridge, Lambda, SQS, CloudWatch, X-Ray)
- AWS CLI v2 configured
- Python 3.11+
- Node.js 18+ (for AWS CDK)
- Docker (optional, for LocalStack testing)
## Setup

```bash
# Clone repo
git clone https://github.com/<owner>/<repo>.git
cd <repo>

# Install CDK dependencies
npm install -g aws-cdk

# Create Python virtual environment
python3 -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate

# Install Python dependencies
pip install -r infrastructure/cdk/requirements.txt
pip install -r scripts/requirements.txt

# Install function dependencies
for func in functions/enricher functions/scorer functions/worker; do
  pip install -r "$func/requirements.txt" --target "$func/package"
done
```

## Deploy

```bash
cd infrastructure/cdk
cdk deploy --require-approval never
```

## Run

```bash
# Send sample events to EventBridge
./scripts/send_events.sh

# Watch logs in real-time
./scripts/monitor.sh
```

## Cleanup

```bash
./scripts/destroy.sh
```
## Project Structure

```
├── infrastructure/
│   ├── cdk/
│   │   ├── app.py                 # Main CDK application
│   │   ├── eventbridge_stack.py   # EventBridge resources
│   │   ├── lambda_stack.py        # Lambda functions
│   │   ├── sqs_stack.py           # SQS queues
│   │   ├── iam_stack.py           # IAM roles & policies
│   │   ├── monitoring_stack.py    # CloudWatch & X-Ray
│   │   └── requirements.txt
│   └── outputs/                   # Deployed resource outputs
│
├── functions/
│   ├── enricher/
│   │   ├── lambda_function.py     # Enrichment logic
│   │   ├── requirements.txt
│   │   └── tests/
│   │
│   ├── scorer/
│   │   ├── lambda_function.py     # Risk scoring logic
│   │   ├── requirements.txt
│   │   └── tests/
│   │
│   ├── worker/
│   │   ├── lambda_function.py     # SQS consumer & processor
│   │   ├── requirements.txt
│   │   └── tests/
│   │
│   └── shared/
│       ├── logger.py              # Structured logging
│       ├── validator.py           # Event validation
│       ├── idempotency.py         # Idempotent processing
│       └── constants.py           # Constants & config
│
├── events/
│   ├── sample_events.json         # Test event collection
│   └── schema.json                # EventBridge schema
│
├── tests/
│   ├── unit/                      # Unit tests for each Lambda
│   ├── integration/               # End-to-end flow tests
│   └── chaos/                     # Failure scenario tests
│
├── scripts/
│   ├── deploy.sh                  # Deploy infrastructure
│   ├── send_events.sh             # Simulate events
│   ├── monitor.sh                 # Watch logs/metrics
│   └── destroy.sh                 # Cleanup
│
├── docs/
│   ├── ARCHITECTURE.md            # Design decisions
│   ├── DEPLOYMENT.md              # Step-by-step guide
│   ├── RUNBOOK.md                 # Troubleshooting
│   └── PRODUCTION_CHECKLIST.md    # Pre-production readiness
│
└── .gitignore
```
## Security Controls

- Least-Privilege IAM: Each component has only the permissions it needs
- Encryption: KMS for SQS, TLS in flight, no secrets in code
- Audit Trail: Every event logged with a correlation ID
- Schema Validation: Events validated against the contract before processing

## Reliability

- Retry Strategy: Exponential backoff, max 2 attempts per rule
- Dead-Letter Queues: Failed events captured for investigation
- Idempotent Processing: The same event processed twice yields the same outcome
- Circuit Breaker: Stop retrying if the target repeatedly fails
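The SQS worker side of the reliability features above, as an added example that is not the workshop repo's code: the handler returns the SQS partial-batch response (only the listed message IDs go back on the queue, where the redrive policy's maxReceiveCount eventually routes them to the DLQ, which only takes effect when the event source mapping has ReportBatchItemFailures enabled), skips event IDs it has already processed, and opens a circuit breaker after consecutive downstream failures so the batch is deferred instead of hammering a failing target. The `deliver` target, the in-memory `PROCESSED` set standing in for a DynamoDB idempotency table, and the threshold and cooldown values are assumptions.

```python
"""SQS worker Lambda: idempotent processing, partial-batch failure reporting and a
circuit breaker. Added example, not the workshop repo's code; the `deliver` target,
the in-memory idempotency store and the thresholds are assumptions."""
import json
import time

class CircuitBreaker:
    """Opens after `threshold` consecutive failures; after `cooldown` seconds one probe is let through."""
    def __init__(self, threshold=3, cooldown=30.0, clock=time.monotonic):
        self.threshold, self.cooldown, self.clock = threshold, cooldown, clock
        self.failures, self.opened_at = 0, None
    def is_open(self) -> bool:
        if self.opened_at is None:
            return False
        if self.clock() - self.opened_at >= self.cooldown:   # half-open: allow one probe
            self.opened_at, self.failures = None, self.threshold - 1
            return False
        return True
    def record(self, ok: bool) -> None:
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()

BREAKER = CircuitBreaker()
PROCESSED = set()   # stands in for a DynamoDB table keyed by event_id

def deliver(detail: dict) -> bool:
    """Stand-in for the real target (ticketing or audit store); rejects malformed scores."""
    return 0 <= detail.get("risk_score", -1) <= 100

def handler(event: dict, context=None, target=deliver) -> dict:
    """Return the SQS partial-batch response: only the listed message IDs are retried."""
    failures = []
    for record in event["Records"]:
        msg_id = record["messageId"]
        if BREAKER.is_open():                  # target unhealthy: leave the message for a later poll
            failures.append({"itemIdentifier": msg_id})
            continue
        body = json.loads(record["body"])
        event_id = body["detail"]["event_id"]
        if event_id in PROCESSED:              # duplicate delivery: same outcome, no second side effect
            continue
        ok = target(body["detail"])
        BREAKER.record(ok)
        if ok:
            PROCESSED.add(event_id)            # record only after the side effect succeeded
        else:
            failures.append({"itemIdentifier": msg_id})
    return {"batchItemFailures": failures}
```

Because Lambda execution environments are recycled, a module-level breaker and set only survive within one warm container; in the real pipeline the idempotency key belongs in a shared store with a TTL at least as long as the queue's retention.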
## Observability

- CloudWatch Logs: Structured JSON logging
- X-Ray Tracing: End-to-end request flow visualization
- Metrics Dashboard: Event volume, latency, error rates
- Alarms: Alert on anomalies (queue depth, errors, latency)

## Production Readiness

- Infrastructure as Code: CDK for reproducible deployments
- Automated Tests: Unit, integration, and chaos scenarios
- Comprehensive Docs: Architecture, deployment, troubleshooting
- Cost Monitoring: Track spend per event type
## Documentation

| Document | Purpose |
|---|---|
| ARCHITECTURE.md | Design overview, decisions, data flows |
| DEPLOYMENT.md | Step-by-step deployment walkthrough |
| RUNBOOK.md | Operational guide and troubleshooting |
| PRODUCTION_CHECKLIST.md | Pre-launch readiness checklist |
## Testing

```bash
# Unit tests
pytest tests/unit -v

# Integration tests
pytest tests/integration -v

# Chaos engineering tests
pytest tests/chaos -v

# All tests with coverage
pytest tests/ --cov=functions
```

## What You'll Learn

After this workshop, you'll understand:
- ✅ How to design event-driven security pipelines
- ✅ EventBridge routing, filtering, and schema validation
- ✅ Lambda as a stateless event processor (best practices)
- ✅ SQS for decoupling and guaranteed delivery
- ✅ Production patterns: retry, DLQ, idempotency, circuit breaker
- ✅ Security controls at each layer (IAM, encryption, audit)
- ✅ Observability: logging, tracing, metrics, alarms
- ✅ How to adapt this pattern for your own use cases
## Extensions

Once the core works, you can add:
- SNS Notifications: Alert on critical events
- Lambda Remediation: Auto-respond to threats
- DynamoDB: Event history and analytics
- S3: Archive events for compliance
- EventBridge Archive: Replay events if needed
- Multi-Region: Cross-region failover
## Use Cases

This pattern applies to:
- Threat Detection: Ingest CloudTrail, detect suspicious API calls
- Compliance Monitoring: Track configuration changes, audit events
- Incident Response: Correlate events, trigger auto-remediation
- Cost Optimization: Monitor unusual resource creation
- Access Management: Track role assumption, permission changes
## Support

- Questions? See RUNBOOK.md
- Deployment issues? See DEPLOYMENT.md
- Code issues? Check the tests/ directory for examples
Built for AWS Cloud Security UserGroup West Africa