This project implements an automated cloud-native security response system that detects SSH brute-force attempts on a Bastion host and automatically blocks attacker IP addresses using AWS Network ACL rules.
The system is built using an event-driven serverless architecture powered by CloudWatch Logs and AWS Lambda.
- Detects failed SSH authentication attempts
- Extracts attacker IP addresses from logs
- Automatically creates NACL deny rules
- Blocks attackers at network layer
- Fully serverless detection pipeline
- Real-time automated response
- Amazon EC2 (Bastion + Private Web Server)
- VPC (Custom Networking)
- Network ACL (Dynamic IP Blocking)
- Application Load Balancer
- CloudWatch Logs
- CloudWatch Agent
- AWS Lambda
- IAM Roles & Policies
Internet Attacker
│
▼
Bastion Host (Amazon Linux 2023)
│
▼
rsyslog → /var/log/secure
│
▼
CloudWatch Agent
│
▼
CloudWatch Log Group (Bastion-SSH-Logs)
│
▼
CloudWatch Trigger
│
▼
AWS Lambda
│
▼
Network ACL Auto DENY Rule
│
▼
Attacker Blocked
- Attacker attempts SSH login to Bastion host
- Failed authentication is logged in /var/log/secure
- CloudWatch Agent ships the logs to CloudWatch
- CloudWatch triggers Lambda function
- Lambda extracts attacker IP using regex
- Lambda creates DENY rule in Network ACL
- Attacker IP is blocked at network layer
OS: Amazon Linux 2023
Installed Components: rsyslog, CloudWatch Agent
Log File Used: /var/log/secure
Detects multiple SSH failure patterns:
- Failed password
- Invalid user
- Disconnected from invalid user
- Authentication failure
Extracts the attacker's IPv4 address with a regex and blocks it by calling ec2.create_network_acl_entry()
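An added walk-through of that detection-to-block path, written for this README and not the repository's own ssh_nacl_auto_block.py: it decodes the CloudWatch Logs subscription payload, keeps only lines matching the failure patterns above, drops any address inside the VPC's own RFC 1918/loopback ranges so a misbehaving internal host can never be denied, and builds the create_network_acl_entry() call. The environment variable names NACL_ID and RULE_NUMBER and the sample log lines are assumptions.

```python
import base64, gzip, ipaddress, json, os, re
# SSH failure patterns from this README; the attacker IP is the first IPv4 on a matching line.
PATTERNS = ("failed password", "invalid user", "authentication failure")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# VPC/loopback ranges that must never receive a deny rule, whatever the log says.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Constructed sshd/pam-style lines (TEST-NET addresses, not real attackers).
SAMPLE_MESSAGES = [
    "Invalid user admin from 203.0.113.5 port 41234",
    "Disconnected from invalid user admin 203.0.113.5 port 41234 [preauth]",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 tty=ssh rhost=198.51.100.7",
    "Failed password for ec2-user from 10.0.1.20 port 50100 ssh2",  # internal: never blocked
    "Accepted publickey for ec2-user from 203.0.113.9 port 3000 ssh2",  # success: ignored
]

def extract_attacker_ips(messages):
    found = []  # unique, first-seen order
    for msg in messages:
        if not any(p in msg.lower() for p in PATTERNS):
            continue
        for cand in IPV4_RE.findall(msg):
            ip = ipaddress.ip_address(cand)
            if cand not in found and not any(ip in net for net in INTERNAL):
                found.append(cand)
    return found

def make_subscription_event(messages):  # shape CloudWatch Logs delivers: base64 of gzip JSON
    body = json.dumps({"logEvents": [{"message": m} for m in messages]}).encode()
    return {"awslogs": {"data": base64.b64encode(gzip.compress(body)).decode()}}

def decode_subscription_event(event):
    raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
    return [e["message"] for e in json.loads(raw)["logEvents"]]

def build_deny_entry(ip, nacl_id, rule_number):  # kwargs for ec2.create_network_acl_entry()
    return {"NetworkAclId": nacl_id, "RuleNumber": rule_number, "Protocol": "6",
            "RuleAction": "deny", "Egress": False, "CidrBlock": f"{ip}/32",
            "PortRange": {"From": 22, "To": 22}}

def lambda_handler(event, context=None, ec2=None):
    ips = extract_attacker_ips(decode_subscription_event(event))
    if ips and ec2 is None:
        import boto3  # assumption: boto3 is available in the Lambda runtime
        ec2 = boto3.client("ec2")
    nacl_id = os.environ.get("NACL_ID", "acl-PLACEHOLDER")  # assumed env var names
    base_rule = int(os.environ.get("RULE_NUMBER", "100"))   # fixed number, as in the README
    for i, ip in enumerate(ips):  # offset per IP so one invocation cannot collide with itself
        ec2.create_network_acl_entry(**build_deny_entry(ip, nacl_id, base_rule + i))
    return {"blocked": ips}
```

The ec2 parameter is injectable so the whole path can be exercised with a fake client before the Lambda is given real NACL permissions.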
Simulated by:
- Attempting SSH login without private key
- Using invalid usernames
- Repeating login attempts
Example log lines captured:
Invalid user admin from 1xx.xxx.xxx.xxx
Disconnected from invalid user admin 1xx.xxx.xxx.xxx
Check the log group: Bastion-SSH-Logs
Look for the Lambda log messages: Lambda triggered, IP FOUND, Blocking IP
A new inbound rule should appear in the Network ACL: DENY <attacker IP>/32 → Port 22
/lambda
  ssh_nacl_auto_block.py
/README.md
- Uses fixed NACL rule number
- No automatic unblock timer
- No failure threshold before blocking
- No attacker history storage
- DynamoDB attacker tracking
- Auto unblock after timeout
- Failure threshold detection
- Security dashboard
- Slack / Email alerts
- Terraform Infrastructure as Code version
- Event-driven cloud security automation
- AWS networking security controls
- CloudWatch log monitoring pipelines
- Serverless security response design
- Real-time threat detection architecture
AWS Cloud Security Hands-On Project
Consider starring ⭐ the repository.