
Wazuh + AWS

Configured Wazuh technology stack in EC2, alongside a full cloud-based AWS lab environment for observability and security.

Domains

Security Architecture and Engineering

Communication and Network Security

Asset Security

Tooling

Wazuh

Year

2025

Purpose and Scope

I deployed Wazuh as a centralized security monitoring platform, but the project's primary objective expanded to mastering AWS infrastructure security fundamentals. Using a single EC2 instance running the Wazuh manager and another hosting an agent-monitored dev server, I constructed a comprehensive cloud security stack within AWS—learning critical infrastructure-as-code patterns and secure architecture principles along the way. The project created a real-world security operations environment where I could detect vulnerabilities, monitor activity across my cloud footprint, and implement automated analysis of security telemetry. More importantly, it served as a vehicle to understand AWS security services holistically—from foundational IAM roles and VPC configurations to advanced GuardDuty features and CloudTrail integrations. By building Wazuh alongside a properly secured AWS foundation, I gained hands-on experience with enterprise-grade cloud security while maintaining a practical lab environment for continuous security testing and skill development.

Approach and Build

Implementation began with AWS infrastructure fundamentals—setting up secure VPC networking with isolated subnets, tight security groups allowing only essential traffic, and VPC endpoints to minimize public internet exposure. I created granular IAM roles following least-privilege principles and deployed SSM for secure server management without exposing SSH publicly. With infrastructure secured, I configured the Wazuh EC2 instance using an encrypted EBS volume, then established agent connectivity to other development server instances for vulnerability assessment using Wazuh's built-in scanning capabilities. The project's complexity grew as I integrated native AWS security services—directing CloudTrail logs to S3 buckets encrypted with KMS keys, configuring CloudWatch alarms to detect suspicious authentication patterns, and connecting GuardDuty with expanded capabilities like malware detection, S3 protection, and extended threat detection to monitor for data exfiltration attempts. To streamline interoperability with third-party security tools, I implemented Cloudflare CASB and Aikido CSPM for external verification of my security posture, creating a feedback loop to identify misconfigurations and compliance gaps. The entire build process emphasized immutable infrastructure principles, with infrastructure changes performed through the AWS Management Console and documented for reproducibility.
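The "CloudWatch alarms to detect suspicious authentication patterns" step above, worked through as an added example (this is not code from the original project). It reimplements in plain Python the logic of the CloudWatch Logs metric filter and alarm that the CIS AWS Foundations Benchmark recommends for console authentication failures, and runs it over constructed CloudTrail records so the detection can be exercised offline. The records, IP addresses and user names are all made up for the example; the function names are my own.

```python
"""Detector for AWS Management Console authentication failures.

Added example, not code from the original project page. It re-implements in
plain Python the logic of the CloudWatch Logs metric filter and alarm the
CIS AWS Foundations Benchmark recommends for console login failures, so the
detection can be exercised offline against constructed CloudTrail records.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# CloudWatch Logs metric filter pattern for console authentication failures.
# matches_console_auth_failure() below evaluates the same two conditions.
CONSOLE_AUTH_FAILURE_PATTERN = (
    '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
)


def load_cloudtrail_records(text: str) -> list:
    """Parses the {"Records": [...]} envelope CloudTrail writes to S3."""
    return json.loads(text).get("Records", [])


def matches_console_auth_failure(record: dict) -> bool:
    """Same predicate as the metric filter pattern above."""
    return (
        record.get("eventName") == "ConsoleLogin"
        and record.get("errorMessage") == "Failed authentication"
    )


def detect_console_bruteforce(records, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count of failed console logins per source IP.

    A CloudWatch alarm on the metric filter fires on the account-wide count;
    keying by sourceIPAddress additionally tells the analyst where the
    failures come from.  Returns one alert dict per IP that reached
    `threshold` failures within `window`; the count reported is the largest
    seen in any window for that IP.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerts = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not matches_console_auth_failure(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        ip = rec.get("sourceIPAddress", "unknown")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ip, {}).get("failures", 0)
            alerts[ip] = {
                "sourceIPAddress": ip,
                "failures": max(prev, len(q)),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return list(alerts.values())


def _record(event_time, ip, user, outcome):
    """Builds a minimal constructed CloudTrail ConsoleLogin record."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample telemetry (not real logs): one IP hammering the console,
# one user who mistypes a password, logs in, and mistypes again later.
SAMPLE_RECORDS = [
    _record("2025-03-01T10:00:05Z", "198.51.100.7", "alice", "Failure"),
    _record("2025-03-01T10:00:40Z", "198.51.100.7", "alice", "Failure"),
    _record("2025-03-01T10:01:12Z", "198.51.100.7", "admin", "Failure"),
    _record("2025-03-01T10:01:50Z", "198.51.100.7", "root", "Failure"),
    _record("2025-03-01T10:02:00Z", "203.0.113.9", "bob", "Failure"),
    _record("2025-03-01T10:30:00Z", "203.0.113.9", "bob", "Success"),
    _record("2025-03-01T10:45:00Z", "203.0.113.9", "bob", "Failure"),
]
SAMPLE_FILE = json.dumps({"Records": SAMPLE_RECORDS})   # what an S3 log object looks like


if __name__ == "__main__":
    for alert in detect_console_bruteforce(load_cloudtrail_records(SAMPLE_FILE)):
        print(alert)
```

The threshold and window are the two knobs you would otherwise set on the CloudWatch alarm; with the defaults, only the first IP fires, because the second IP's two failures are 43 minutes apart and never share a window.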

Lessons Learned

This project revealed that AWS security is less about implementing individual tools and more about creating a coherent security ecosystem with overlapping controls. While Wazuh offered valuable internal security visibility, the most significant security improvements came from properly implementing AWS native security services that directly integrate with the platform. Particularly valuable was learning how to properly structure CloudTrail logging—capturing both management and data events while ensuring logs remained tamper-evident through proper S3 bucket policies and encryption. The implementation of GuardDuty's extended threat detection capabilities demonstrated how sophisticated correlation between seemingly benign events can reveal potential attack patterns that might otherwise go unnoticed. The project highlighted how security groups, IAM policies, and VPC architecture decisions made early in a project fundamentally shape an environment's security posture. I discovered that properly architected AWS environments can provide defense-in-depth through complementary services—with each offering distinct but overlapping protection. This layered approach transforms security from a point solution into a resilient system where compromise of any single component doesn't lead to total defensive failure. My next planned enhancement involves leveraging EventBridge and Lambda to create automated response workflows for GuardDuty findings—transforming static security alerts into dynamic remediation actions that can isolate compromised resources or revoke exposed credentials.
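The tamper-evident CloudTrail bucket described above, as an added example that is not the project's own configuration: a builder for the log bucket policy (the two Allow statements follow the shape AWS documents for CloudTrail delivery; the Deny statements enforce TLS-only transport and SSE-KMS on every write) together with a small auditor that flags a policy missing those controls. Bucket name, account id, region and trail name are placeholders, and the audit function and its finding strings are my own.

```python
"""Tamper-evident CloudTrail log bucket: policy builder and auditor.

Added example, not the project's own configuration.  All identifiers below
are placeholders.  The Allow statements follow the bucket policy AWS
documents for CloudTrail delivery; the Deny statements add the transport and
encryption controls that keep delivered logs tamper-evident.
"""
import json

ACCOUNT_ID = "123456789012"                                   # placeholder
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/lab-trail"   # placeholder
BUCKET = "lab-cloudtrail-logs-placeholder"                    # placeholder


def build_cloudtrail_bucket_policy(bucket, account_id, trail_arn):
    """Returns a bucket policy dict ready for json.dumps()/PutBucketPolicy."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks the bucket ACL before delivering
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {   # only this trail may write, only under its own prefix, and
                # every object must be owned by the bucket owner
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
            {   # refuse any plaintext (non-TLS) request
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # refuse writes that are not SSE-KMS encrypted (the trail
                # itself is configured with the KMS key, so its writes pass)
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms",
                }},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_log_bucket_policy(policy: dict, trail_arn: str) -> list:
    """Checks a bucket policy for the controls above.  Returns a list of
    human-readable findings; an empty list means every control is present."""
    stmts = policy.get("Statement", [])
    findings = []

    def has_deny(action, operator, key, value):
        for s in stmts:
            if s.get("Effect") != "Deny":
                continue
            actions = _as_list(s.get("Action"))
            if action not in actions and "s3:*" not in actions:
                continue
            if s.get("Condition", {}).get(operator, {}).get(key) == value:
                return True
        return False

    if not has_deny("s3:PutObject", "Bool", "aws:SecureTransport", "false"):
        findings.append("missing Deny for non-TLS requests (aws:SecureTransport=false)")
    if not has_deny("s3:PutObject", "StringNotEquals",
                    "s3:x-amz-server-side-encryption", "aws:kms"):
        findings.append("missing Deny for s3:PutObject without SSE-KMS")

    for s in stmts:
        if s.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(s.get("Action")):
            continue
        sid = s.get("Sid", "<no Sid>")
        if s.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: s3:PutObject granted to every principal")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceArn") != trail_arn:
            findings.append(f"{sid}: s3:PutObject not pinned to the trail via aws:SourceArn")
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: s3:PutObject does not require bucket-owner-full-control")
    return findings


EXAMPLE_POLICY = build_cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, TRAIL_ARN)

# A deliberately weakened copy: TLS deny removed, write statement opened up.
WEAKENED_POLICY = json.loads(json.dumps(EXAMPLE_POLICY))
WEAKENED_POLICY["Statement"] = [
    s for s in WEAKENED_POLICY["Statement"] if s["Sid"] != "DenyInsecureTransport"
]
for _s in WEAKENED_POLICY["Statement"]:
    if _s["Sid"] == "AWSCloudTrailWrite":
        _s["Principal"] = "*"
        del _s["Condition"]["StringEquals"]["aws:SourceArn"]

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    for finding in audit_log_bucket_policy(WEAKENED_POLICY, TRAIL_ARN):
        print("FINDING:", finding)
```

Two refinements that complement the policy and are not shown here: pinning the SSE-KMS condition to the specific key ARN rather than any KMS key, and enabling CloudTrail log file validation, which delivers signed digest files so modification or deletion of a log object can be detected after the fact.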