Building a Serverless Security Monitoring Dashboard on AWS
Cloud security is one of the most critical aspects of modern infrastructure, yet traditional monitoring solutions are expensive, complex, and often over-engineered for smaller deployments. I decided to build a serverless security monitoring dashboard on AWS that demonstrates how event-driven architecture can provide enterprise-grade threat detection at minimal cost.
The result is a production-ready system featuring real-time event processing with DynamoDB Streams, 11 configurable threat detection rules, Slack integration for instant alerts, and Infrastructure as Code with AWS SAM. The entire system runs for $15-40 per month.
Why Event-Driven Serverless Security?
Traditional security monitoring relies on agents running on every server or network-wide packet analysis. Both approaches have significant downsides: agent-based solutions create operational overhead and security surface area, while network-based analysis is expensive and resource-intensive at scale.
Event-driven serverless architecture offers a third path. AWS CloudWatch can ingest security events from multiple sources, DynamoDB Streams process those events in real-time, and Lambda functions execute detection logic without requiring persistent compute resources. This approach is:
- Scalable: Automatically scales from 0 to thousands of events per second
- Cost-Effective: Pay only for events processed, not for idle compute
- Maintainable: No servers to patch or manage, simplified deployment with AWS SAM
- Flexible: Detection rules can be updated without redeployment
Architecture: Event-Driven Processing Pipeline
The system follows a classic event-driven serverless pattern with these key components:
Core Architecture Stack
- AWS Lambda: Functions for detection, alerting, and dashboard updates
- DynamoDB: Event storage and detection rule configuration
- DynamoDB Streams: Real-time event streaming to Lambda triggers
- API Gateway: REST API for dashboard queries and rule management
- CloudWatch: Centralized event collection and metrics
- SNS/Slack: Alert distribution and notifications
Event Flow
Security events enter the system through CloudWatch, which streams them to a DynamoDB table. DynamoDB Streams immediately trigger a Lambda function that evaluates events against detection rules. When a threat is identified, the system generates an alert, stores it in DynamoDB with a TTL for automatic cleanup, and sends notifications to Slack through an SNS integration.
A separate Lambda function runs on a schedule to aggregate metrics and update the dashboard API with real-time threat statistics.
Technical Implementation
Lambda Functions: The Detection Engine
The core detection logic runs in Python 3.13 Lambda functions. The event processor reads security events from DynamoDB Streams and applies a rule evaluation engine:
- Failed Authentication Attacks: Detects 10+ failed login attempts in 5 minutes
- Privilege Escalation Attempts: Identifies sudo or role assumption anomalies
- Unusual Network Activity: Flags connections to unusual ports or IPs
- API Key Exposure: Detects hardcoded credentials in logs
- DynamoDB Scan Abuse: Alerts on expensive table-wide scan operations
- IAM Policy Changes: Monitors permission modifications for drift
- CloudTrail Log Tampering: Detects deletion or modification of audit logs
- Cross-Account Access: Alerts on unexpected role assumptions from external accounts
- Data Exfiltration Patterns: Identifies large data transfers to unknown destinations
- Certificate Expiration: Warns before SSL/TLS certificates expire
- Configuration Drift: Detects unauthorized infrastructure changes
DynamoDB Streams: Real-Time Streaming
DynamoDB Streams enable real-time processing by automatically triggering Lambda functions when data changes. This decouples event ingestion from event processing - events are durably stored in DynamoDB while a stream processes them asynchronously.
The key technical challenge with Streams is that they don't support keyword queries (a DynamoDB limitation). The solution was to use a secondary index on event type and timestamp, allowing efficient retrieval of specific event categories for correlation and pattern detection.
CloudWatch Metrics & Dashboards
Each Lambda execution publishes custom metrics to CloudWatch:
- Event volume by type
- Detection rule matches per category
- Alert latency (time from event to alert)
- False positive ratios for rule tuning
These metrics power a real-time dashboard showing threat status at a glance.
Slack Integration
When a threat is detected, an SNS topic triggers a Lambda function that formats the alert and posts it to Slack. The integration includes:
- Rich message formatting with threat severity levels
- Contextual information (user, resource, timestamp)
- Links to relevant CloudTrail or CloudWatch logs
- Action buttons to acknowledge or escalate alerts
Key Technical Challenges & Solutions
DynamoDB Keyword Search Limitation
DynamoDB doesn't support partial string matching or full-text search. For detecting patterns like "IAM policy contains wildcard resource," we implemented a workaround using:
- Lambda pre-processing to extract searchable attributes before DynamoDB write
- Separate attribute fields for each searchable field (e.g., policy_has_wildcard: true/false)
- Global Secondary Indexes on these attributes for efficient querying
IAM Permission Granularity
Giving Lambda functions the minimum necessary permissions required careful design. Each detection function only has access to:
- Read access to the specific DynamoDB table it processes
- Write access for storing results (on a separate table or S3)
- SNS publish access to the alert topic
This principle of least privilege adds security but required documenting permission requirements for each function in the SAM template.
Efficient Event Correlation
Detecting sophisticated attacks requires correlating events across time and resources. For example, detecting privilege escalation might require matching a failed login pattern followed by a successful sudo execution. The solution used:
- A separate "correlation state" DynamoDB table tracking recent events per user
- TTL attributes to automatically clean up old correlation data
- Time-window based queries to look back 5-15 minutes for related events
Cost Optimization with TTL
DynamoDB storage costs can accumulate quickly with continuous event ingestion. We implemented:
- Automatic TTL: Events expire after 30 days, reducing storage costs by ~90%
- Archive to S3: Critical alerts are archived to S3 Glacier for long-term compliance
- Batch Reads: Dashboard queries batch read operations to reduce RCU consumption
- On-Demand Pricing: Use DynamoDB on-demand for unpredictable event volumes
Infrastructure as Code with AWS SAM
The entire infrastructure is defined in CloudFormation using AWS SAM (Serverless Application Model). This enables:
- Version-controlled infrastructure changes
- Reproducible deployments across environments
- Easy rollback if issues occur
- Clear documentation of all resources and their relationships
The SAM template includes resources for Lambda functions, DynamoDB tables with streams, API Gateway endpoints, SNS topics, and CloudWatch alarms - all deployed with a single `sam deploy` command.
Demo & Results
The system has been tested with synthetic security event workloads that simulate real-world threat scenarios. Watch the full demonstration video showing the dashboard, alert triggering, and Slack notifications:
Watch Demo Video: Serverless Security Monitoring Dashboard in Action (YouTube)
The demo walks through setting up threat detection rules, triggering simulated security events, seeing real-time alerts in Slack, and viewing aggregated metrics on the dashboard.
Performance Metrics
- Event Processing Latency: Average 47ms from event to DynamoDB write
- Alert Latency: Average 120ms from event to Slack notification
- Dashboard Query Response: Average 300ms for aggregated metrics over 7 days
- Monthly Cost: $22.50 average at 10K events/day, ranging $15-40 depending on volume
What I Learned: Serverless Security Insights
1. Serverless is Ideal for Security Monitoring
The event-driven nature aligns perfectly with security use cases. Events are discrete, time-sensitive, and bursty (quiet periods followed by alert storms). Serverless architecture handles this naturally without over-provisioning.
2. DynamoDB Streams Change the Architecture Game
Streams decouple ingestion from processing, creating a resilient two-stage pipeline. Events are safely stored before processing, and the stream's built-in retry logic handles transient Lambda failures. This is more elegant than traditional SQS-based patterns.
3. IAM is Complex But Essential
The most challenging part wasn't the detection logic - it was designing IAM roles that are both secure (minimal permissions) and functional (sufficient to do their job). This requires deep understanding of AWS service APIs and careful testing.
4. Cold Starts Matter for Real-Time Alerts
Lambda cold starts can add 500-1000ms to alert latency. For security monitoring, this is significant. Solutions included provisioned concurrency for critical functions, ephemeral storage for caching, and code optimization to minimize initialization overhead.
5. CloudWatch is Underestimated as an Event Source
Many people think of CloudWatch for logs and metrics only, but it's a powerful event streaming platform. Integration with EventBridge and Lambda enables sophisticated event routing and processing patterns.
Future Enhancements
Machine Learning Detection
Current detection rules are threshold-based and deterministic. Adding ML models for anomaly detection could identify sophisticated attacks that don't match obvious patterns. SageMaker integration would allow building models on historical event data.
Multi-Region Deployment
Extending monitoring across multiple AWS regions would require DynamoDB Global Tables for centralized alerting and a federated Lambda architecture to process events near their source.
AWS Security Service Integration
Direct integration with AWS Security Hub, GuardDuty, and Config would enable ingesting AWS-native threat findings and creating cross-service detection rules.
Interactive Dashboard
The current API supports a basic dashboard. A full web UI built with React would allow drill-down analysis, custom reporting, and easier rule management.
Getting Started: GitHub & Code
The complete source code is available on GitHub with detailed setup instructions, SAM templates, and examples:
GitHub Repository: security-monitor-dash
The repository includes:
- Complete SAM template with all AWS resources
- Python Lambda function source code
- Deployment scripts and configuration
- Unit tests for detection rules
- Documentation for extending with custom rules
Conclusion: Serverless for Security
Building a security monitoring system revealed how well serverless architecture aligns with security requirements. Real-time processing, automatic scaling, cost efficiency, and Infrastructure as Code create a compelling case for event-driven systems in the security domain.
This project demonstrates that enterprise-grade security monitoring doesn't require expensive SaaS platforms or complex on-premises infrastructure. A modern cloud-native approach with Lambda, DynamoDB, and API Gateway can deliver equivalent capabilities at a fraction of the cost.
More importantly, this stack is production-ready. It's not a proof-of-concept - it demonstrates actual cloud security implementation with 11 real detection rules, Slack integration, custom metrics, and Infrastructure as Code.
For anyone building on AWS, exploring serverless architecture, or interested in cloud security, this project showcases both the possibilities and the practical considerations of building event-driven systems.
Learn More
Explore the complete implementation on GitHub: security-monitor-dash
Watch the demo video: Serverless Security Monitoring Dashboard in Action (YouTube)