Skip to content

Cloud Security / Detection Engineering

Cloud Detection & Alerting Pipeline

Built and tuned a cloud detection and alerting workflow that connected cloud security findings to actionable notifications while reducing low-value noise.

AWSTerraformDetection EngineeringSecurity Automation

Problem

Cloud security tools generated high volumes of alerts, many of which were low-value or duplicated. On-call engineers spent excessive time triaging noise instead of responding to real threats.

Constraints

Small security team, limited on-call bandwidth, multiple AWS accounts, need to maintain compliance visibility while reducing alert fatigue.

Approach

Built a Terraform-managed detection and alerting pipeline that ingested findings from cloud security services, applied suppression logic for known low-value patterns, and routed actionable alerts through event-driven notification paths.

Outcome

Reduced false positives by 60%, improved on-call signal quality, and established a repeatable pattern for adding new detection rules without increasing toil.

Terminal

~/security/notes
# GuardDuty finding hits EventBridge rule
$ aws events put-rule --name guardduty-high-sev \
$ --event-pattern '{"source":["aws.guardduty"],"detail":{"severity":[{"numeric":[">",7]}]}}'
RuleArn: arn:aws:events:us-east-1:***:rule/guardduty-high-sev
# lambda enriches the finding and routes to slack + pagerduty
$ aws lambda invoke --function-name security-alert-router /dev/stdout
{"routed": true, "channel": "#sec-alerts", "pagerduty": "P1", "suppressed": false}
# suppression check: known benign pattern? skip the page.
$ cat suppression-rules.json | jq '.rules | length'
47
# 47 suppression rules, each validated against real incidents

Tools

AWSTerraformGuardDutySecurity HubEventBridgeSNSLambda

Key Highlights

  • Event-driven security notifications
  • Terraform-managed workflow
  • Cloud security finding ingestion
  • Auto-suppression for low-value findings
  • Reduced on-call toil without losing signal
Details are intentionally sanitized to protect employer and client confidentiality.