Lab: Automating Secure Network Infrastructure with CloudFormation and EventBridge
Automate and configure network infrastructure
In this lab, you will transition from manual network configuration to Infrastructure as Code (IaC). You will deploy a standardized VPC environment using AWS CloudFormation and implement an event-driven security layer that monitors and responds to network configuration changes using Amazon EventBridge and AWS Lambda.
> [!WARNING]
> Remember to run the teardown commands at the end of this lab to avoid ongoing charges for the provisioned resources.
Prerequisites
- AWS Account: Access to an AWS account with `AdministratorAccess`.
- AWS CLI: Installed and configured with `aws configure` on your local machine.
- Region: We will use `us-east-1` (N. Virginia) for this lab.
- Basic Knowledge: Familiarity with YAML and VPC concepts (Subnets, Route Tables).
Learning Objectives
- Deploy repeatable network infrastructure using AWS CloudFormation.
- Implement Event-Driven Networking to detect unauthorized Security Group changes.
- Use the AWS CLI to manage stack lifecycles.
- Understand the role of Lambda in automated network remediation.
Architecture Overview
This lab deploys a VPC with a public subnet, a Security Group, and an automation loop that logs changes to the network security posture.
Step-by-Step Instructions
Step 1: Create the Infrastructure Template
We will define our network as code. Create a file named network-lab.yaml on your local machine.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Network Automation Lab - VPC and Event-Driven Audit'
Resources:
  LabVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags: [{Key: Name, Value: "BrainyBee-Lab-VPC"}]
  # The security group whose changes the EventBridge rule will audit
  LabSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Audit Target Security Group"
      VpcId: !Ref LabVPC
      SecurityGroupIngress:
        # Baseline rule: HTTP from anywhere; port 22 is deliberately absent
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
```
Step 2: Deploy the Network Stack
Deploy the template to create your core network infrastructure.
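Before deploying, the policy that the event-driven layer will later enforce at runtime (no SSH open to the world) can be checked against the template itself. The script below is an added example, not part of the lab or of any AWS tooling. It works on the template as PyYAML would parse it (the `!Ref` tag rendered as a plain `{"Ref": ...}` mapping); that parsed form is inlined so the script runs with no dependencies, and the `rule_exposes_port` and `find_world_exposed_ssh` helper names are this example's own.

```python
# Added example (not part of the lab): a pre-deploy policy check over the
# CloudFormation template from Step 1. It walks every AWS::EC2::SecurityGroup
# resource and flags ingress rules that expose SSH (TCP/22) to the world.
# The template is inlined as the dict PyYAML would yield, with `!Ref LabVPC`
# shown as {"Ref": "LabVPC"}, so the check runs offline.

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

# Parsed form of network-lab.yaml (properties irrelevant to the check omitted).
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LabVPC": {
            "Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "10.0.0.0/16"},
        },
        "LabSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Audit Target Security Group",
                "VpcId": {"Ref": "LabVPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    },
}


def rule_exposes_port(rule, port):
    """True if one SecurityGroupIngress entry lets any address reach `port`."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr not in WORLD_CIDRS:
        return False
    proto = str(rule.get("IpProtocol", "-1"))
    if proto == "-1":  # "-1" means all protocols and therefore all ports
        return True
    if proto not in ("tcp", "6"):  # SSH is TCP; "6" is the numeric form
        return False
    # FromPort/ToPort may be omitted; treat a missing bound as open-ended
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return int(lo) <= port <= int(hi)


def find_world_exposed_ssh(template):
    """Return [(logical_id, rule), ...] for every SG ingress rule exposing SSH."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule_exposes_port(rule, SSH_PORT):
                findings.append((logical_id, rule))
    return findings


if __name__ == "__main__":
    bad = find_world_exposed_ssh(TEMPLATE)
    print("OK: no SSH exposed to the world" if not bad else f"FAIL: {bad}")
```

The check deliberately treats `IpProtocol: -1` and wide port ranges that happen to include 22 as findings, because both would let SSH through even though no rule literally says "port 22".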
CLI Method:
```shell
aws cloudformation create-stack \
  --stack-name brainybee-network-automation \
  --template-body file://network-lab.yaml
```
Console alternative:
- Navigate to CloudFormation in the AWS Console.
- Click Create stack > With new resources (standard).
- Select Upload a template file and choose `network-lab.yaml`.
- Enter Stack name: `brainybee-network-automation` and follow the wizard to Submit.
Step 3: Configure Event-Driven Monitoring
We will now automate the detection of "Drift" or manual changes. We want to know if someone manually opens port 22 (SSH) on our Security Group.
- Create a Lambda Function: Navigate to Lambda and create a function named `NetworkAuditHandler` (Python 3.9).
- Paste this Code:
```python
import json


def lambda_handler(event, context):
    # EventBridge delivers the CloudTrail record under event['detail']
    print("Network Change Detected!")
    print(f"Detail: {json.dumps(event['detail'])}")
    return {'statusCode': 200}
```
Step 4: Create the EventBridge Rule
CLI Method:
```shell
aws events put-rule \
  --name "AuditNetworkChanges" \
  --event-pattern '{"source":["aws.ec2"],"detail-type":["AWS API Call via CloudTrail"],"detail":{"eventSource":["ec2.amazonaws.com"],"eventName":["AuthorizeSecurityGroupIngress"]}}'
```
> [!NOTE]
> This rule requires CloudTrail to be enabled in your account to capture the API calls.
Checkpoints
| Verification Task | Command / Action | Expected Result |
|---|---|---|
| Stack Status | aws cloudformation describe-stacks --stack-name brainybee-network-automation | StackStatus is CREATE_COMPLETE |
| VPC Existence | Check VPC Console for BrainyBee-Lab-VPC | VPC exists with CIDR 10.0.0.0/16 |
| Event Trigger | Manually add a rule to the Security Group | Lambda log stream appears in CloudWatch |
Troubleshooting
| Error | Possible Cause | Fix |
|---|---|---|
| ValidationError: Stack ... already exists | You ran the create command twice | Use update-stack or delete the old stack |
| Event not triggering | CloudTrail is not active | Ensure at least one Trail is active in the region |
| CLI Permission Denied | IAM user lacks cloudformation:* | Attach AdministratorAccess or specific networking/CFN policies |
Concept Review
| Service | Role in Automation | Alternative |
|---|---|---|
| CloudFormation | Declarative IaC for resource provisioning | Terraform, AWS CDK |
| EventBridge | The "Glue" that routes infrastructure events | SNS (Simple Notification) |
| Systems Manager | Automated patch/config management | Ansible, Chef |
Visual Infrastructure Map
```latex
\begin{tikzpicture}[node distance=2cm]
  \draw[thick] (0,0) rectangle (6,4);
  \node at (3,3.5) {\textbf{VPC (10.0.0.0/16)}};
  \draw[dashed] (0.5,0.5) rectangle (5.5,2.5);
  \node at (3,2.2) {Public Subnet};
  \node[draw, rounded corners, fill=orange!20] (sg) at (3,1.2) {Security Group};
  \node[draw, circle, fill=blue!10] (igw) at (6.5,2) {IGW};
  \draw[<->] (sg) -- (igw);
\end{tikzpicture}
```
Teardown
To avoid costs, you MUST delete the resources created in this lab.
```shell
# 1. Delete the CloudFormation Stack
aws cloudformation delete-stack --stack-name brainybee-network-automation
# 2. Delete the Lambda Function
aws lambda delete-function --function-name NetworkAuditHandler
# 3. Delete the EventBridge Rule
aws events delete-rule --name "AuditNetworkChanges"
```
Stretch Challenge
Challenge: Modify the Lambda function so that if it detects port 22 is opened to 0.0.0.0/0, it automatically calls the EC2 API RevokeSecurityGroupIngress to remove the rule. This is called Auto-Remediation.
Hint:
Use the `boto3` library in Lambda: `ec2 = boto3.client('ec2')` and parse the `GroupId` from the EventBridge event detail.
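The handler below is an added example that extends the Step 3 function toward the stretch challenge; it is not the lab's own code. It reads the CloudTrail record EventBridge delivers for `AuthorizeSecurityGroupIngress`, reports any permission that opens TCP/22 to `0.0.0.0/0` or `::/0`, and revokes exactly those permissions only when a `REMEDIATE` environment variable (this example's own switch) is set to `true`. It assumes the function has been attached as a target of the `AuditNetworkChanges` rule (the steps above create the rule but do not show adding a target) and that its execution role is allowed to call `ec2:RevokeSecurityGroupIngress`. The sample event embedded at the bottom is constructed, with a placeholder group id.

```python
# Added example (not part of the lab): NetworkAuditHandler with detection and
# optional auto-remediation of SSH exposed to the world. boto3 is imported only
# on the remediation path so the detection logic runs anywhere.
import json
import os

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

# Audit-only by default, matching the lab's Step 3 behaviour; set REMEDIATE=true
# on the function (hypothetical variable for this example) to enable revocation.
REMEDIATE = os.environ.get("REMEDIATE", "false").lower() == "true"


def _cidrs(perm):
    """Collect IPv4 and IPv6 CIDRs from one CloudTrail ipPermissions item."""
    v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
    v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return [c for c in v4 + v6 if c]


def find_world_ssh(detail):
    """Return (group_id, [finding, ...]) for permissions opening TCP/22 to anyone."""
    params = detail.get("requestParameters", {})
    group_id = params.get("groupId")
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = str(perm.get("ipProtocol", "-1"))
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        # "-1" means every protocol and port; otherwise require TCP covering 22
        covers_ssh = proto == "-1" or (proto in ("tcp", "6") and int(lo) <= SSH_PORT <= int(hi))
        world = [c for c in _cidrs(perm) if c in WORLD_CIDRS]
        if covers_ssh and world:
            hits.append({"ipProtocol": proto, "fromPort": lo, "toPort": hi, "cidrs": world})
    return group_id, hits


def to_revoke_permissions(hits):
    """Translate findings into the IpPermissions shape RevokeSecurityGroupIngress takes."""
    perms = []
    for h in hits:
        p = {"IpProtocol": h["ipProtocol"]}
        if h["ipProtocol"] != "-1":
            p["FromPort"], p["ToPort"] = int(h["fromPort"]), int(h["toPort"])
        v4 = [{"CidrIp": c} for c in h["cidrs"] if ":" not in c]
        v6 = [{"CidrIpv6": c} for c in h["cidrs"] if ":" in c]
        if v4:
            p["IpRanges"] = v4
        if v6:
            p["Ipv6Ranges"] = v6
        perms.append(p)  # only the offending CIDRs are revoked, not the whole group
    return perms


def lambda_handler(event, context):
    detail = event.get("detail", {})
    print("Network Change Detected!")
    print(f"Detail: {json.dumps(detail)}")
    group_id, hits = find_world_ssh(detail)
    if not hits:
        return {"statusCode": 200, "action": "none"}
    print(f"SSH open to the world on {group_id}: {hits}")
    if REMEDIATE and group_id:
        import boto3  # present in the Lambda runtime
        ec2 = boto3.client("ec2")
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke_permissions(hits))
        return {"statusCode": 200, "action": "revoked", "groupId": group_id}
    return {"statusCode": 200, "action": "flagged", "groupId": group_id}


# Constructed sample of the event EventBridge delivers (CloudTrail fields trimmed).
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",  # placeholder id
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

Keeping the revoke call gated behind an explicit switch lets the same code be deployed first in audit mode (CloudWatch logs show what would have been revoked) and only then promoted to auto-remediation, which is the safer rollout for a function that changes security groups on its own.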
Cost Estimate
- VPC/Subnets: $0.00 (Standard AWS resources are free; you only pay for NAT Gateways or VPNs, which we didn't use).
- CloudFormation: $0.00 (Free for AWS resource providers).
- Lambda: ~$0.00 (Well within the 1 million free requests per month).
- Total Estimated Spend: $0.00 if torn down within the hour.