How I Built a Fully Functional Security Operations Center (SOC) on AWS in 7 Days – And You Can Too + Video

Introduction:

A Security Operations Center (SOC) is more than just a SIEM dashboard; it’s an integrated system of people, processes, and technology that continuously monitors, detects, and responds to threats. In this hands-on Capstone Cloud Security project, we built “SOC Sentinel” – a production-like SOC prototype on AWS using Python, Flask, Nmap, regex-based IDS rules, live SSH log collection, and automated alerting, all while respecting the architectural depth that separates a toy lab from a real-world SOC.

Learning Objectives:

  • Deploy a cloud-based SOC lab on AWS with isolated VPC, public/private subnets, and hardened EC2 instances.
  • Automate vulnerability scanning (Nmap + CVSS scoring) and real-time intrusion detection using regex and Python.
  • Build a live Flask dashboard with REST API, Server-Sent Events, and integrated email/Slack alerts for critical threats.

You Should Know:

1. Laying the Groundwork – AWS Network & Host Hardening

A real SOC starts with a secure, well-architected cloud environment. We built the following on AWS:

  • VPC with CIDR 10.0.0.0/16, no default VPC settings.
  • Two subnets: public (10.0.1.0/24) for a bastion/jump host, private (10.0.2.0/24) for the SIEM server and the vulnerable targets (Metasploitable 2, DVWA).
  • Security Groups:
    – Bastion SG: allow SSH (22) from your IP only.
    – SIEM SG: allow SSH from the bastion, HTTP (5000) from the bastion, and outbound traffic to the targets.
    – Target SG: allow SSH and HTTP from the SIEM only.
  • IAM Roles: attach `CloudWatchLogsFullAccess` and SES send permissions (for email) to the SIEM EC2 instance.
  • EC2 Instances:
    – `siem-server` (t2.medium, Ubuntu 22.04) – runs the Python collector, IDS, and Flask dashboard.
    – `target-1` (Metasploitable 2) – intentionally vulnerable Linux.
    – `target-2` (DVWA on Ubuntu) – vulnerable web app.

Linux commands to verify setup:

```shell
# On the SIEM server: check connectivity to the targets
ping -c 3 10.0.2.10   # Metasploitable IP
ping -c 3 10.0.2.20   # DVWA IP
# Verify the attached IAM role via the instance metadata service
# (IMDSv1 form shown; if IMDSv2 is enforced, fetch a token first and send it as X-aws-ec2-metadata-token)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

Windows alternative: If using Azure or on-prem, replace with Hyper‑V isolated switch and Windows Defender Firewall rules.

2. Automated Nmap Vulnerability Scanner with CVSS Scoring

Instead of manual scans, we created a Python script that runs daily via cron, scans target IPs, parses Nmap XML output, and assigns CVSS scores based on detected services.

Script snippet (`scan_engine.py`):

```python
import argparse
import nmap
from cvss import CVSS3

def send_alert(host, port, service, score):
    # Hook for the SES / Slack notifiers from section 5; printing keeps this snippet self-contained
    print(f'[alert] {host}:{port} {service} CVSS {score}')

parser = argparse.ArgumentParser()
parser.add_argument('--targets', default='10.0.2.10-20')   # nmap target spec (host, range or CIDR)
args = parser.parse_args()

nm = nmap.PortScanner()
nm.scan(args.targets, arguments='-sV -O --script vuln')    # -O (OS detection) needs root
for host in nm.all_hosts():
    for proto in nm[host].all_protocols():
        for port in nm[host][proto].keys():
            service = nm[host][proto][port]['name']
            product = nm[host][proto][port].get('product', '')
            if 'apache' in f'{service} {product}'.lower():
                # Apache <2.4.49: CVE-2021-41773 CVSS 9.8
                cvss = CVSS3('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H')
                base_score = cvss.scores()[0]   # scores() returns (base, temporal, environmental)
                print(f'Critical: {host}:{port} - {service} | CVSS: {base_score}')
                send_alert(host, port, service, base_score)
```

Installation: `pip install python-nmap cvss reportlab flask flask-sse`

Step‑by‑step:

  1. Install Nmap: `sudo apt install nmap` (Linux) or download it from nmap.org (Windows).
  2. Run the script manually: `python3 scan_engine.py --targets 10.0.2.0/24`.
  3. Automate with cron: `crontab -e`, then add `0 6 * * * /usr/bin/python3 /opt/soc/scan_engine.py` (daily at 06:00; the five cron fields are required).

3. Real-Time IDS Engine Using Regex Rules

We built a lightweight, event‑driven IDS that tails live SSH logs, HTTP access logs, and system auth logs. It applies regex patterns to detect brute‑force SSH, port scans, and SQL injection attempts.

Log collector (`log_collector.py`):

```python
import re, sys, subprocess
from datetime import datetime
import requests

SLACK_WEBHOOK = 'https://hooks.slack.com/services/XXX'   # incoming-webhook URL from your Slack app

# Regex rules (the backslashes are required; the original listing had lost them)
RULES = {
    'ssh_bruteforce': r'Failed password for .* from (\d+\.\d+\.\d+\.\d+)',
    'port_scan': r'SPT=\d+\s+DPT=\d+',                  # netfilter/iptables LOG lines
    'sqli': r'(union select|-- |;.*drop table)',
}

def send_slack_alert(rule_name, line):
    requests.post(SLACK_WEBHOOK, json={'text': f'[{rule_name}] {line.strip()}'}, timeout=5)

def tail_file(filepath):
    # tail -F survives log rotation; readline() blocks until a new line arrives
    proc = subprocess.Popen(['tail', '-F', filepath], stdout=subprocess.PIPE)
    while True:
        line = proc.stdout.readline().decode('utf-8', errors='replace')
        if not line:          # tail exited (file removed and not recreated)
            break
        for rule_name, pattern in RULES.items():
            if re.search(pattern, line, re.IGNORECASE):
                print(f'ALERT: {rule_name} at {datetime.now()} -> {line.strip()}')
                send_slack_alert(rule_name, line)

if __name__ == '__main__':
    tail_file(sys.argv[1])    # e.g. python3 log_collector.py /mnt/target1_logs/auth.log
```

Deploy:

```shell
# On the SIEM server: mount the target's log directory over SSHFS (or ship logs with rsyslog)
sudo apt install sshfs
sshfs <user>@10.0.2.10:/var/log /mnt/target1_logs
python3 log_collector.py /mnt/target1_logs/auth.log
```

For Windows, use PowerShell’s `Get-Content -Wait` and regex matches.
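The `ssh_bruteforce` rule above fires on every single failed login, which is noisy. As an added example (not part of the original project), the detector below counts failures per source IP inside a sliding window and raises one alert when the threshold is crossed, over the same auth.log line format the collector tails. The log excerpt is constructed, and the syslog year is assumed because auth.log timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSH_FAIL = re.compile(r'Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)')

class BruteForceDetector:
    """Alerts once per source IP when `threshold` failures land inside `window`."""
    def __init__(self, threshold=5, window=timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures

    def feed(self, line, year=2024):
        m = SSH_FAIL.search(line)
        if not m:
            return None
        # syslog timestamps ("Mar  3 10:00:01") have no year; assumed here
        ts = datetime.strptime(f'{year} {line[:15]}', '%Y %b %d %H:%M:%S')
        user, src = m.groups()
        q = self.failures[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) == self.threshold:            # fire exactly once, when the threshold is reached
            return {'rule': 'ssh_bruteforce', 'src': src, 'user': user, 'count': len(q), 'at': ts}
        return None

# Constructed auth.log excerpt: five failures from 10.0.1.5 within 30 s, plus unrelated noise
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 target-1 sshd[2211]: Failed password for invalid user admin from 10.0.1.5 port 51001 ssh2
Mar  3 10:00:05 target-1 sshd[2213]: Failed password for root from 10.0.1.5 port 51002 ssh2
Mar  3 10:00:09 target-1 sshd[2215]: Accepted password for analyst from 10.0.2.5 port 40000 ssh2
Mar  3 10:00:12 target-1 sshd[2217]: Failed password for root from 10.0.1.5 port 51003 ssh2
Mar  3 10:00:20 target-1 sshd[2219]: Failed password for root from 10.0.1.5 port 51004 ssh2
Mar  3 10:00:31 target-1 sshd[2221]: Failed password for root from 10.0.1.5 port 51005 ssh2
Mar  3 10:05:00 target-1 sshd[2230]: Failed password for root from 10.0.2.5 port 40001 ssh2
"""

def run_detector(log_text, threshold=5):
    """Feed every line through one detector and return the alerts it raised."""
    det = BruteForceDetector(threshold=threshold)
    return [a for a in (det.feed(line) for line in log_text.splitlines()) if a]
```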

4. Flask Dashboard with Server-Sent Events (SSE) and REST API

The dashboard provides a live view of all detections, scan results, and system health. We used Flask-SSE to push events from the backend to the browser without polling.

Flask app snippet (`app.py`):

```python
from flask import Flask, render_template, request
from flask_sse import sse

app = Flask(__name__)
app.config['REDIS_URL'] = 'redis://localhost'   # flask-sse uses Redis pub/sub to fan out events
app.register_blueprint(sse, url_prefix='/stream')

@app.route('/api/alert', methods=['POST'])
def api_alert():
    data = request.get_json()
    # TODO: authenticate the caller (e.g. verify a JWT) before accepting alerts
    app.logger.warning(f'Alert received: {data}')
    sse.publish(data, type='alert')
    return 'OK', 200

@app.route('/dashboard')
def dashboard():
    return render_template('dashboard.html')
```

Dashboard HTML (SSE client):


<script>
const source = new EventSource('/stream');
source.addEventListener('alert', (e) => {
const alert = JSON.parse(e.data);
document.getElementById('alerts').innerHTML += `<li>${alert.type}: ${alert.details}</li>`;
});
</script>

Run: `gunicorn -k gevent --worker-connections 1000 app:app`

5. Automated Alerting (Email + Slack) for Critical Threats

When the scanner or IDS detects a CVSS score ≥ 7.0 or a regex match of severity “HIGH”, the system triggers alerts.

Email via AWS SES:

```python
import boto3

client = boto3.client('ses', region_name='us-east-1')

def send_email(host, port, cvss):
    # Both addresses must be verified SES identities; placeholders shown
    client.send_email(
        Source='soc-alerts@example.com',
        Destination={'ToAddresses': ['analyst@example.com']},
        Message={'Subject': {'Data': f'CRITICAL: {host}:{port}'},
                 'Body': {'Text': {'Data': f'CVSS {cvss} detected.'}}}
    )
```

Slack webhook:

```python
import requests

def send_slack_alert(msg):
    webhook = 'https://hooks.slack.com/services/XXX'   # incoming-webhook URL from the Slack app
    requests.post(webhook, json={'text': msg}, timeout=5)
```

Step‑by‑step integration:

  1. Create a Slack app and an incoming webhook.
  2. Verify the sending domain/address in AWS SES.
  3. Set up a listener thread inside the Flask app that calls these functions on alert events.
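The gating rule from this section (CVSS ≥ 7.0 or severity HIGH) together with the authentication the `/api/alert` handler still lacks, as an added example that is not the project's code: a shared-secret HMAC over the JSON body stands in for the JWT the handler's comment mentions, and only alerts that pass verification and the severity gate reach the notifiers. The secret and the alert bodies are constructed.

```python
import hmac, hashlib, json

# Constructed shared secret between the scanner/IDS and the dashboard; in a real deployment
# load it from an environment variable or AWS Secrets Manager rather than source code
SHARED_SECRET = b'replace-me-with-a-long-random-secret'
SEVERITY_RANK = {'LOW': 1, 'MEDIUM': 2, 'HIGH': 3, 'CRITICAL': 4}

def sign_alert(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Sender side: HMAC-SHA256 over the exact JSON bytes, carried in a request header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_alert(body: bytes, signature: str, secret: bytes = SHARED_SECRET) -> bool:
    # compare_digest is constant-time, so a wrong signature does not leak how many bytes matched
    return hmac.compare_digest(sign_alert(body, secret), signature)

def should_notify(alert: dict) -> bool:
    """Page the analyst only for CVSS >= 7.0 or a rule rated HIGH or above."""
    cvss = float(alert.get('cvss') or 0)
    rank = SEVERITY_RANK.get(str(alert.get('severity', '')).upper(), 0)
    return cvss >= 7.0 or rank >= SEVERITY_RANK['HIGH']

def ingest_alert(body: bytes, signature: str, notifiers=()):
    """What /api/alert should do; returns ('rejected' | 'logged' | 'notified', alert_dict)."""
    if not verify_alert(body, signature):
        return 'rejected', None          # never publish unauthenticated events to the SSE stream
    alert = json.loads(body)
    if should_notify(alert):
        for notify in notifiers:         # e.g. send_email / send_slack_alert wrappers from above
            notify(alert)
        return 'notified', alert
    return 'logged', alert               # still shown on the dashboard, no page-out
```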

6. Professional PDF Report Generation with ReportLab

After each daily scan or on demand, the system generates a PDF report containing detected vulnerabilities, CVSS scores, remediation steps, and a timeline of IDS events.

Report generator (`report.py`):

```python
from reportlab.lib.pagesizes import letter
from reportlab.pdfgen import canvas

def generate_report(vulns, alerts, path='soc_report.pdf'):
    # vulns: dicts with host/port/cvss; alerts: dicts with time/rule/line (keys assumed here)
    c = canvas.Canvas(path, pagesize=letter)
    c.drawString(100, 750, 'SOC Sentinel - Daily Security Report')
    y = 720

    def line(text):
        nonlocal y
        if y < 60:              # start a new page before running off the bottom
            c.showPage()
            y = 750
        c.drawString(100, y, text)
        y -= 15

    line('Vulnerabilities:')
    for v in vulns:
        line(f' - {v["host"]}:{v["port"]} | CVSS {v["cvss"]}')
    line('IDS event timeline:')
    for a in alerts:
        line(f' - {a["time"]} {a["rule"]}: {a["line"]}')
    c.save()
```

Automation: Run after each scan and email the PDF to the SOC analyst using SES.

7. CloudWatch Logs Centralization and Retention

All logs from the SIEM server and targets are streamed to AWS CloudWatch Logs for long‑term storage and searchability.

On each EC2 instance (Linux):

```shell
sudo apt install amazon-cloudwatch-agent
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
```

Sample config `/opt/aws/amazon-cloudwatch-agent/etc/config.json`:

```json
{
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {"file_path": "/var/log/auth.log", "log_group_name": "SOC-Auth", "log_stream_name": "{instance_id}"}
        ]
      }
    }
  }
}
```

Then start: `sudo systemctl start amazon-cloudwatch-agent`

What Undercode Say:

  • Key Takeaway 1: Building a functional SOC prototype in a week is achievable by combining open‑source tools (Nmap, Python, Flask, ReportLab) with cloud infrastructure (AWS VPC, EC2, IAM, CloudWatch, SES). This project bridges the gap between theory and hands‑on defense.
  • Key Takeaway 2: A true SOC requires more than technology – it needs defined processes (alert triage, incident response playbooks) and skilled personnel (analysts, threat hunters). The comment by Sammuel DIEDHIOU rightfully clarifies that deploying a SIEM (or this SIEM‑like dashboard) is only one pillar; organizational maturity and 24/7 coverage are equally critical.

Nevertheless, projects like SOC Sentinel give aspiring security engineers the muscle memory to later scale into a full enterprise SOC. The ability to automate vulnerability scanning, write custom IDS rules, and pipe alerts to Slack/email directly translates to daily SOC analyst work.

Prediction:

As cloud adoption accelerates, we will see a surge of lightweight, “SOC‑in‑a‑box” solutions built on serverless architectures (Lambda, EventBridge, S3) rather than static EC2 fleets. Automated playbooks using AI (LLMs) to enrich alerts and suggest remediation will become the standard. However, the core challenge will remain the same: separating true positives from noise and integrating human judgment – something no Python script can yet replace. The next five years will force SOC teams to become “automation engineers” first, analysts second, or risk drowning in alerts.
