Inspiration
Most organizations struggle with manual security incident response. Security teams waste time on repetitive tasks like threat detection, classification, and remediation. We wanted to automate this workflow while keeping humans in control for critical decisions.
What I Built
An automated security incident response platform using AWS Step Functions to orchestrate three Lambda functions. It enriches threats with real-time intelligence, classifies severity automatically, and uses Bedrock AgentCore for browser-based remediation. Critical alerts require human approval via SNS email notifications before action.
What it does
The system automatically responds to security threats in real-time. When a security alert comes in, it enriches the threat data with real-time intelligence, classifies the severity level, and decides if action is needed. For low-level threats, it acts immediately. For critical threats, it sends an email to security teams for approval before taking action. Once approved, it automatically executes remediation using browser automation powered by Bedrock AgentCore. Everything is logged and monitored in CloudWatch.
How we built it
1) Architecture: We used AWS Step Functions as the orchestrator to connect three Lambda functions that handle different stages of incident response.
2) Enrichment: The first Lambda enriches incoming alerts with threat intelligence data.
3) Classification: The second Lambda analyzes the enriched data and assigns a severity score.
4) Decision Logic: Step Functions uses a choice state to route based on severity. Low threats bypass approval; critical threats go through SNS email approval.
5) Automation: The third Lambda uses Bedrock AgentCore Browser Tool to simulate security actions like IP quarantine and device isolation.
6) Storage: We use DynamoDB to store execution state so nothing is lost if a process fails.
7) Notifications: SNS sends email approvals to security teams for critical incidents.
8) Monitoring: CloudWatch Logs and Dashboards track all Lambda execution and provide real-time metrics.
9) Testing: We tested three scenarios—low severity alerts, high severity with approval, and error handling—all end-to-end through the AWS console.
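The enrichment, classification and decision steps above, and the pause-for-approval behaviour described under the challenges, are shown here as an added example; it is not the project's own code. The threat-intel table, the scoring rules, the critical threshold and the ARNs are assumptions (the ARNs are placeholders for resources a CDK stack would create). The two handlers run offline with no AWS calls, and `decision_states()` returns the Step Functions ASL fragment for the choice state plus an SNS publish task using the `.waitForTaskToken` callback integration, which is what makes the execution stop until an approver's response delivers the token back.

```python
"""Added example (not the project's code): enrich -> classify -> route,
written as Lambda-style handlers that run offline. The intel table,
scoring thresholds and ARNs are assumptions."""
import json
from typing import Any

# Constructed threat-intel lookup standing in for the real-time feed.
THREAT_INTEL: dict[str, dict[str, Any]] = {
    "198.51.100.23": {"reputation": "malicious", "tags": ["c2", "botnet"]},
    "203.0.113.7": {"reputation": "suspicious", "tags": ["scanner"]},
}

# Assumed scoring rules: higher score means more severe (capped at 100).
REPUTATION_SCORE = {"malicious": 70, "suspicious": 30, "unknown": 10}
TAG_SCORE = {"c2": 20, "botnet": 10, "scanner": 5}
CRITICAL_THRESHOLD = 80

# Placeholder ARNs; the real ones come from the deployed stack.
APPROVAL_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT_ID:security-approvals"
REMEDIATION_LAMBDA_ARN = "arn:aws:lambda:REGION:ACCOUNT_ID:function:PLACEHOLDER"


def enrichment_handler(event: dict, context: Any = None) -> dict:
    """First Lambda: attach intel for the alert's source IP."""
    default = {"reputation": "unknown", "tags": []}
    intel = THREAT_INTEL.get(event["source_ip"], default)
    return {**event, "intel": intel}


def classification_handler(event: dict, context: Any = None) -> dict:
    """Second Lambda: compute a severity score and bucket it."""
    intel = event["intel"]
    score = REPUTATION_SCORE[intel["reputation"]]
    score += sum(TAG_SCORE.get(tag, 0) for tag in intel["tags"])
    score = min(score, 100)
    level = "critical" if score >= CRITICAL_THRESHOLD else "low"
    return {**event, "severity_score": score, "severity": level}


def route(event: dict) -> str:
    """Mirror of the Choice state: name of the state that runs next."""
    return "RequestApproval" if event["severity"] == "critical" else "AutoRemediate"


def decision_states() -> dict:
    """ASL fragment: the Choice state and the SNS approval task.

    RequestApproval uses the .waitForTaskToken integration, so the
    execution pauses until SendTaskSuccess/SendTaskFailure is called with
    the token embedded in the email; TimeoutSeconds bounds the wait."""
    return {
        "DecideSeverity": {
            "Type": "Choice",
            "Choices": [
                {"Variable": "$.severity", "StringEquals": "critical",
                 "Next": "RequestApproval"}
            ],
            "Default": "AutoRemediate",
        },
        "RequestApproval": {
            "Type": "Task",
            "Resource": "arn:aws:states:::sns:publish.waitForTaskToken",
            "Parameters": {
                "TopicArn": APPROVAL_TOPIC_ARN,
                "Message": {"alert.$": "$", "taskToken.$": "$$.Task.Token"},
            },
            "TimeoutSeconds": 3600,
            "Next": "AutoRemediate",
        },
        "AutoRemediate": {
            "Type": "Task",
            "Resource": REMEDIATION_LAMBDA_ARN,
            "End": True,
        },
    }


def run_pipeline(alert: dict) -> dict:
    """Run both handlers in sequence and record the routing decision."""
    classified = classification_handler(enrichment_handler(alert))
    return {**classified, "next_state": route(classified)}


if __name__ == "__main__":
    # Constructed sample alerts: one known-bad IP, one scanner, one unknown.
    for ip in ("198.51.100.23", "203.0.113.7", "192.0.2.1"):
        print(json.dumps(run_pipeline({"alert_id": "a-1", "source_ip": ip})))
    print(json.dumps(decision_states(), indent=2))
```

The `route()` function exists only so the local test can confirm that the Python routing and the ASL `Choices` agree; in the deployed workflow the Choice state does the routing and the classification Lambda simply returns `severity`. Keeping the timeout on the approval task matters: without it a lost approval email leaves the execution waiting indefinitely, which the DynamoDB state record would otherwise show as a stuck incident.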
Challenges we ran into
1) Integration Complexity: Connecting Bedrock AgentCore with Lambda and Step Functions required understanding serverless architecture patterns.
2) Approval Workflow: Implementing human-in-the-loop where the system pauses and waits for email approval was tricky.
3) CloudWatch Setup: Configuring proper logging and metrics for observability took time but proved essential for debugging.
What we learned
1) AWS Step Functions orchestration and choice states
2) Bedrock AgentCore integration for AI-driven automation
3) Event-driven serverless architecture best practices
4) Testing end-to-end workflows with multiple AWS services
5) Importance of observability in production systems
Built With
- aws-bedrock-agentcore
- aws-cdk
- aws-lambda
- aws-step-functions
- cloudwatch
- dynamodb
- eventbridge
- python-3.11
- sns