How I built a real-time serverless security detection pipeline on AWS using CloudTrail, EventBridge, Lambda, DynamoDB, and SNS — and what broke along the way.
All source code for this project is on GitHub: aws-siem-detection-pipeline
Most cloud security tutorials show you how to turn on GuardDuty and call it a day. I wanted to understand what actually happens under the hood: how a detection pipeline routes an event, evaluates it, and fires an alert in real time. So I built one from scratch using AWS-native services, with no managed threat detection, just CloudTrail, EventBridge, Lambda, DynamoDB, SNS, and some Python.
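To make the event path concrete, here is an added example (my own illustration, not code from the aws-siem-detection-pipeline repo) of the Lambda side of that flow: EventBridge delivers a CloudTrail record in the `detail` field, the handler evaluates it against a small rule table, records the finding in DynamoDB with a conditional put so a redelivered event cannot alert twice, and publishes to SNS. The two rules, the table name, the topic ARN and the sample event are constructed for illustration; the in-memory store and publisher let the whole path run offline without boto3.

```python
"""Added example of the CloudTrail -> EventBridge -> Lambda -> DynamoDB -> SNS
path. Not the author's code; rules, table name and topic ARN are assumptions."""
import hashlib
import json
from typing import Callable, Optional

TABLE_NAME = "findings"                                            # assumed table
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # placeholder ARN

# Constructed rules for illustration: CloudTrail eventName -> predicate on the record.
RULES: dict[str, Callable[[dict], bool]] = {
    # console sign-in that succeeded without MFA
    "ConsoleLogin": lambda d: (
        d.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and d.get("additionalEventData", {}).get("MFAUsed") == "No"
    ),
    # any call that switches a CloudTrail trail off
    "StopLogging": lambda d: True,
}


class DynamoFindingStore:
    """Real backend: the conditional put means the first writer of an eventID wins."""
    def __init__(self, table_name: str = TABLE_NAME):
        import boto3  # imported here so the offline fakes below need no AWS SDK
        self.table = boto3.resource("dynamodb").Table(table_name)

    def record_if_new(self, finding: dict) -> bool:
        try:
            self.table.put_item(Item=finding,
                                ConditionExpression="attribute_not_exists(finding_id)")
            return True
        except self.table.meta.client.exceptions.ConditionalCheckFailedException:
            return False


class SnsPublisher:
    def __init__(self, topic_arn: str = TOPIC_ARN):
        import boto3
        self.sns = boto3.client("sns")
        self.topic_arn = topic_arn

    def publish(self, subject: str, message: str) -> None:
        # SNS subjects are capped at 100 characters
        self.sns.publish(TopicArn=self.topic_arn, Subject=subject[:100], Message=message)


class MemoryFindingStore:
    """Offline stand-in for the DynamoDB store (same duck-typed interface)."""
    def __init__(self):
        self.items: dict[str, dict] = {}

    def record_if_new(self, finding: dict) -> bool:
        if finding["finding_id"] in self.items:
            return False
        self.items[finding["finding_id"]] = finding
        return True


class ListPublisher:
    """Offline stand-in for SNS: just collects what would have been sent."""
    def __init__(self):
        self.sent: list = []

    def publish(self, subject: str, message: str) -> None:
        self.sent.append((subject, message))


def evaluate(detail: dict) -> Optional[str]:
    """Name of the rule the CloudTrail record matches, or None."""
    rule = RULES.get(detail.get("eventName"))
    return detail["eventName"] if rule and rule(detail) else None


def finding_id(detail: dict) -> str:
    # CloudTrail's eventID is unique per record; fall back to a content hash
    return detail.get("eventID") or hashlib.sha256(
        json.dumps(detail, sort_keys=True).encode()).hexdigest()


def handler(event: dict, context=None, store=None, publisher=None) -> dict:
    store = store or DynamoFindingStore()
    publisher = publisher or SnsPublisher()
    detail = event.get("detail", {})  # EventBridge puts the CloudTrail record here
    rule = evaluate(detail)
    if rule is None:
        return {"matched": False, "alerted": False}
    finding = {
        "finding_id": finding_id(detail),
        "rule": rule,
        "event_time": detail.get("eventTime"),
        "principal": detail.get("userIdentity", {}).get("arn"),
        "source_ip": detail.get("sourceIPAddress"),
    }
    if not store.record_if_new(finding):
        return {"matched": True, "alerted": False, "duplicate": True}
    publisher.publish(f"[{rule}] {finding['principal']}", json.dumps(finding))
    return {"matched": True, "alerted": True}


# Constructed EventBridge envelope carrying a CloudTrail ConsoleLogin record.
SAMPLE_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "source": "aws.signin",
    "detail": {
        "eventID": "11111111-2222-3333-4444-555555555555",
        "eventName": "ConsoleLogin",
        "eventTime": "2024-01-01T00:00:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
}


def run_offline():
    """Deliver the same event twice, as EventBridge's at-least-once delivery can."""
    store, publisher = MemoryFindingStore(), ListPublisher()
    first = handler(SAMPLE_EVENT, None, store, publisher)
    second = handler(SAMPLE_EVENT, None, store, publisher)
    return first, second


if __name__ == "__main__":
    print(run_offline())
```

The point of the conditional put is that EventBridge delivers at least once, so the idempotency key has to live in the store, not in the Lambda's memory; the second delivery in `run_offline` is matched but never reaches SNS.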
This is what I built, what broke, and what I'd do differently.
What I Was Trying to Detect