SecureEdgeOps is a cloud-native security solution that detects and blocks malicious actors in real time. By combining a honeypot system with AWS-native services and automation, this system boosts network security by over 35%. The project includes attack detection via Suricata and Wazuh and an automated AWS WAF IP blocker based on attacker IPs.
- Cloud Services: AWS S3, CloudFront, WAF, Lambda, CloudTrail, EventBridge, Systems Manager Parameter Store
- Security Tools: Suricata (IDS/IPS), Wazuh (SIEM), Nmap
- Infrastructure as Code: Terraform
```text
SecureEdgeOps/
├── part1-honeypot/
│   ├── wazuh-manager-setup.md
│   └── suricata-agent-setup.md
├── part2-waf-automation/
│   ├── lambda/
│   └── terraform/
│       ├── main.tf
│       ├── variables.tf
│       └── outputs.tf
├── docs/
│   └── secureedgeops-architecture.png
└── README.md
```
The project is divided into two major parts:
Part 1 (part1-honeypot): Capture attacker IPs using a honeypot and log them for further analysis.
- VPC Setup: A single public subnet
- EC2-1 (Wazuh Manager): runs the Wazuh manager that receives and logs the alerts (see part1-honeypot/wazuh-manager-setup.md)
- EC2-2 (Honeypot): the exposed host running the Suricata agent, which forwards its alerts to the Wazuh manager (see part1-honeypot/suricata-agent-setup.md)
Part 2 (part2-waf-automation): Automatically block the malicious IPs identified in Part 1 using AWS-native automation.
- S3 Bucket: Hosts a static website
- CloudFront: CDN serving content globally
- WAF: Web Application Firewall attached to CloudFront
- IP Set: Stores attacker IPs to be blocked
- Parameter Store: Temporarily stores attacker IPs as parameters
- CloudTrail: Tracks changes to Parameter Store
- EventBridge: Triggers a Lambda function when IPs are added
- Lambda Function: Fetches IPs from Parameter Store and updates the WAF IP Set
Attacker IP → Parameter Store → CloudTrail → EventBridge → Lambda → WAF IP Set
- IP Insertion: An attacker IP (detected in Part 1) is entered into Parameter Store.
- CloudTrail Logging: CloudTrail records the PutParameter call that added the IP.
- Lambda Execution: EventBridge matches the CloudTrail event and triggers the Lambda function, which fetches the IP from Parameter Store and updates the WAF IP Set.
- Attacker scans ports on the honeypot EC2
- Suricata detects unusual traffic from IP 123.45.67.89
- Wazuh logs the alert
- You add 123.45.67.89 to Parameter Store as a blocked IP
- CloudTrail logs the PutParameter
- EventBridge detects this and triggers the Lambda
- Lambda updates the WAF's IP Set
- The attacker is now blocked from accessing your static website
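As an added example (not the project's own Lambda code, which lives in part2-waf-automation/lambda/), here is a Python handler for the Lambda step in the walkthrough above. It assumes the parameter value is a comma- or newline-separated list of IPv4 addresses, that the parameter name is read from the CloudTrail PutParameter event that EventBridge delivers, and that the IPv4 IP set's name and ID arrive in the environment variables IP_SET_NAME and IP_SET_ID.

```python
import ipaddress
import os


def parse_attacker_ips(raw):
    """Turn the parameter value (comma- or newline-separated IPv4 addresses or
    CIDRs) into the CIDR strings a WAF IP set expects. Malformed tokens and
    IPv6 entries are skipped so a single typo cannot break blocking."""
    cidrs = set()
    for token in raw.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if net.version == 4:  # assumed: the IP set is an IPV4 set
            cidrs.add(str(net))  # "123.45.67.89" becomes "123.45.67.89/32"
    return sorted(cidrs)


def merge_addresses(existing, new):
    """Union of the IP set's current addresses and the new ones, deduplicated."""
    return sorted(set(existing) | set(new))


def lambda_handler(event, context):
    """EventBridge hands us the CloudTrail PutParameter event; read the parameter
    it names, then rewrite the CloudFront-scoped IP set with the merged list."""
    import boto3  # imported here so the pure helpers above are testable offline

    # Assumed layout: the parameter name comes from the CloudTrail record and
    # the IP set is identified by environment variables set in Terraform.
    param_name = event["detail"]["requestParameters"]["name"]
    ip_set_name = os.environ["IP_SET_NAME"]
    ip_set_id = os.environ["IP_SET_ID"]
    ssm = boto3.client("ssm")
    # IP sets attached to CloudFront distributions always live in us-east-1.
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    raw = ssm.get_parameter(Name=param_name)["Parameter"]["Value"]
    current = wafv2.get_ip_set(Name=ip_set_name, Scope="CLOUDFRONT", Id=ip_set_id)
    addresses = merge_addresses(current["IPSet"]["Addresses"], parse_attacker_ips(raw))
    # LockToken is WAF's optimistic-concurrency guard: a stale token means the
    # set changed since we read it, and WAF rejects the update instead of clobbering.
    wafv2.update_ip_set(Name=ip_set_name, Scope="CLOUDFRONT", Id=ip_set_id,
                        Addresses=addresses, LockToken=current["LockToken"])
    return {"blocked_count": len(addresses)}
```

Because update_ip_set replaces the whole address list, merging with the current contents (rather than sending only the new IP) is what keeps earlier blocks in place.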
- 🎯 Real-time detection and blocking of malicious IPs
- 🔍 Deep packet inspection using Suricata
- 🧠 Centralized logging and monitoring via Wazuh
- ☁️ Full AWS-native automation with zero manual intervention once IP is detected
- 💡 Modular architecture using Terraform for reproducibility
- Deploy Part 1 EC2 and configure Wazuh + Suricata
- Simulate attacks and extract attacker IPs
- Host static site on S3 + CloudFront
- Deploy WAF, IP Set, Parameter Store, and automation
- Add attacker IP to Parameter Store and verify WAF is blocking it
- Automate IP extraction from Wazuh alerts
- Create a web dashboard to view and manage blocked IPs
- Extend to notify via SNS or Slack on new blocked IPs
Yuvaraj K, Final Year CSE, Dhanalakshmi Srinivasan Engineering College. CNCF & Cloud Security Enthusiast. GitHub • LinkedIn
Licensed under the MIT License