Ambient Intelligence · Cybersecurity

AWS Security

Event-driven Security Hub alerting pipeline with zero-trust GitOps. Architecture → IAM → Build → Deploy → Validate.

ambientintel/ambientcyber
Goal: Security alerts · ETL pipeline
Region: us-east-1 / us-east-2
Runtime: Python 3.12 (Lambda + PySpark on Glue)
IaC: Terraform v1.10+ (S3 native locking, no DynamoDB)
Auth: GitHub OIDC (no stored AWS keys, main-branch gated)
Standard: Zero-trust / least privilege (PHI bucket denied, scoped resource ARNs)
STEP 01 · Plan (~1 day) · Complete

Architecture Review

Event-driven AWS Security Hub alerting pipeline designed and approved. Three-module Terraform architecture: security-alerts (EventBridge → Lambda → Secrets Manager), ETL (Glue + PySpark radar merge), and deploy-role (OIDC trust). Serverless-only — no EC2, no ECS, no NAT gateways.

Component | AWS Service | Purpose
Event router | Amazon EventBridge | Filter Security Hub findings: FAILED + ACTIVE + CRITICAL/HIGH + NEW workflow status
Compute | AWS Lambda (Python 3.12) | Secret retrieval + payload transform + Google Chat delivery + write-back
Secret store | AWS Secrets Manager | Zero-knowledge webhook URL — value stored manually in Console, never in Git
Access control | IAM (OIDC + least-priv) | GitHubActions-Terraform-Role + Lambda execution role, PHI bucket explicitly denied
CSPM source | AWS Security Hub | Aggregates AWS Config compliance findings; BatchUpdateFindings API for write-back
Data processing | AWS Glue + PySpark | Radar data synchronization: radar_A2/B2/C2 → unified Parquet, sorted by timestamp
State backend | Amazon S3 (native lock) | Terraform remote state with use_lockfile = true (Terraform v1.10+, no DynamoDB needed)
Stage | Actor | Action | Latency
Detection | AWS Config | Evaluate resource compliance against managed rules | ~5–15 min
Ingestion | Security Hub | Import finding from AWS Config; assign severity label | Seconds
Routing | EventBridge | Match rule: FAILED + ACTIVE + CRITICAL/HIGH + Workflow=NEW | < 1 s
Processing | Lambda | Fetch webhook secret + format Google Chat card + POST to webhook | ~2–3 s
Notification | Google Chat | Card delivered to security channel | < 1 s
Deduplication | Security Hub | BatchUpdateFindings sets Workflow.Status = NOTIFIED — no re-fire | Atomic
Artifacts
README.md
Authoritative system overview — pipeline design, architecture components, OIDC pattern, ETL logic, and bootstrap instructions.
modules/security-alerts/main.tf
EventBridge rule + Lambda + Secrets Manager + IAM execution role — the complete alerting pipeline.
modules/ETL/main.tf
Glue IAM role + S3 policy + script upload + Glue job definition for radar data synchronization.
modules/deploy-role/main.tf
GitHubActions-Terraform-Role with OIDC trust policy and ambientcyber-terraform-deploy inline policy.

Alert fatigue: without the Workflow.Status = NEW filter in the EventBridge event pattern, every re-import of the same finding re-fires the Lambda. The BatchUpdateFindings write-back (NEW → NOTIFIED) is the deduplication mechanism — never remove it.
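As an added illustration of the filter and the write-back this note describes (example code written for this page, not the project's own Lambda), the block below models the EventBridge event pattern as a small matcher over the Security Hub "Findings - Imported" event shape, builds the BatchUpdateFindings request that flips NEW to NOTIFIED, and then replays a re-import of the same finding with and without the write-back. The ASFF field paths (Compliance.Status, RecordState, Severity.Label, Workflow.Status) and the batch_update_findings call signature are real; the finding IDs, the fake Security Hub client, the handler and simulation function names are constructed for the example.

```python
"""Added example (not the ambientcyber project's code): why the Workflow.Status = NEW filter
plus the NEW -> NOTIFIED write-back stops the same Security Hub finding from re-firing."""
from typing import Any, Callable

# Event pattern as the page describes it: FAILED + ACTIVE + CRITICAL/HIGH + Workflow=NEW.
# Keys follow EventBridge pattern syntax over ASFF field paths.
EVENT_PATTERN: dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Compliance": {"Status": ["FAILED"]},
            "RecordState": ["ACTIVE"],
            "Severity": {"Label": ["CRITICAL", "HIGH"]},
            "Workflow": {"Status": ["NEW"]},
        }
    },
}


def _matches(pattern: Any, value: Any) -> bool:
    """Minimal EventBridge-style matcher: a list in the pattern is the set of allowed values,
    a dict recurses into the event, and an array in the event matches if any element matches."""
    if isinstance(pattern, list):
        return value in pattern
    if isinstance(value, list):
        return any(_matches(pattern, item) for item in value)
    if not isinstance(pattern, dict) or not isinstance(value, dict):
        return False
    return all(key in value and _matches(sub, value[key]) for key, sub in pattern.items())


def rule_matches(event: dict) -> bool:
    return _matches(EVENT_PATTERN, event)


def write_back_request(event: dict) -> dict:
    """Keyword arguments for securityhub.batch_update_findings(): mark every finding NOTIFIED."""
    findings = event["detail"]["findings"]
    return {
        "FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings],
        "Workflow": {"Status": "NOTIFIED"},
    }


class FakeSecurityHub:
    """Stand-in for boto3.client('securityhub') so the example runs offline (assumption)."""

    def __init__(self) -> None:
        self.calls: list[dict] = []

    def batch_update_findings(self, **kwargs: Any) -> dict:
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


def handle(event: dict, client: Any, deliver: Callable[[dict], None], write_back: bool = True) -> int:
    """Lambda-style handler: filter, deliver the card, then write back. Returns findings notified."""
    if not rule_matches(event):
        return 0
    deliver(event)
    if write_back:  # the deduplication step the note says must never be removed
        client.batch_update_findings(**write_back_request(event))
    return len(event["detail"]["findings"])


def make_finding(finding_id: str, workflow_status: str = "NEW", severity: str = "HIGH") -> dict:
    """Constructed ASFF-shaped sample finding; ProductArn is the Security Hub default product."""
    return {
        "Id": finding_id,
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE",
        "Severity": {"Label": severity},
        "Workflow": {"Status": workflow_status},
    }


def make_event(*findings: dict) -> dict:
    """Constructed 'Security Hub Findings - Imported' event envelope."""
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": list(findings)}}


def simulate_reimport(write_back: bool = True) -> tuple[int, int]:
    """Fire once on first import, then replay the same finding as AWS Config re-evaluates it.
    Security Hub keeps the customer-set Workflow status on re-import, so the second copy
    carries NOTIFIED only if the write-back ran."""
    client = FakeSecurityHub()
    sent: list[str] = []
    deliver = lambda ev: sent.extend(f["Id"] for f in ev["detail"]["findings"])
    first = handle(make_event(make_finding("f-1")), client, deliver, write_back)
    status = client.calls[-1]["Workflow"]["Status"] if client.calls else "NEW"
    second = handle(make_event(make_finding("f-1", workflow_status=status)), client, deliver, write_back)
    return first, second


if __name__ == "__main__":
    print("with write-back:", simulate_reimport())        # (1, 0): no re-fire
    print("without write-back:", simulate_reimport(False))  # (1, 1): alert fatigue
```

In the deployed Lambda the FakeSecurityHub would be replaced by boto3.client("securityhub"), whose batch_update_findings accepts exactly the keyword arguments write_back_request builds; the execution role needs securityhub:BatchUpdateFindings for that call to succeed.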

The ~15-minute detection latency is the AWS Config evaluation cadence, not a Lambda or EventBridge issue. Periodic Config rules evaluate every 15 minutes by default. Change-triggered rules evaluate faster but are not available for all security controls.

Pipeline Checklist
Complete: 76%
Open Decisions
Multi-channel alerting — current: Google Chat only. PagerDuty/OpsGenie integration for on-call escalation not yet wired; SNS fan-out would enable multiple destinations.
Multi-region finding aggregation — EventBridge rules are per-region. If Security Hub multi-region aggregation is enabled, a single rule in the aggregation region may be sufficient.
Glue job scheduling — currently triggered manually or ad hoc. EventBridge schedule (e.g., nightly) not yet configured for radar-timeline-merge.
CRITICAL vs HIGH severity routing — current: both routed identically. Separate Lambda or SNS topic for CRITICAL-only escalation (pager, SMS) not yet implemented.