DEV Community: Shiva Sai Peddy

🚀 Streamlining Infrastructure Management and Enhancing End User Geolocation with AWS ECS, Lambda, and CloudFront

Shiva Sai Peddy — Sun, 01 Jun 2025 15:47:22 +0000

In this article, I’ll walk you through the architecture and implementation details of an application hosted on AWS ECS (using the Fargate launch type). We’ll explore how to build a CI/CD pipeline with AWS services like CodePipeline and CodeBuild, containerize our application, and add a geolocation feature using AWS Lambda, CloudFront, and S3. Let’s dive in!

1️⃣ Introduction

Managing infrastructure at scale can be challenging. Our goal was to:
✅ Simplify deployment using a serverless container approach.
✅ Automate the entire CI/CD pipeline.
✅ Enhance the application by identifying the geolocation of end users using CloudFront logs and Lambda.

2️⃣ Architecture Overview

Here’s a high-level look at the architecture:

GitHub Repository: Stores the source code.
AWS CodePipeline: Manages the CI/CD workflow.
AWS ECR: Hosts Docker images.
AWS ECS (Fargate): Runs containerized applications in a serverless manner.
AWS Secrets Manager: Manages credentials securely.
AWS CloudFront: Serves the application with low latency.
AWS Lambda: Extracts and processes geolocation data.
Amazon S3: Stores CloudFront logs, build artifacts, and geolocation data.

3️⃣ CI/CD Workflow

Here’s how we automated the deployment pipeline:

🛠️ Build Stage:

CodePipeline detects changes in GitHub.
It triggers CodeBuild to:
- Fetch the latest code.
- Build a Docker image.
- Push the image to ECR using credentials from Secrets Manager.

🚀 Deploy Stage:

Upon a successful build, CodePipeline triggers the deploy stage.
ECS (Fargate) is updated with the latest Docker image.
ECS handles deployment seamlessly.

4️⃣ Geolocation Workflow

Here’s how we identify the geolocation of users:

CloudFront logs user request headers to S3.
An event trigger invokes AWS Lambda (Python).
- Lambda parses IP addresses from logs.
- Lambda queries a geolocation API for details.
- Lambda performs MapReduce on the data (aggregating results).
- The final geolocation data is stored in S3.

5️⃣ Implementation Details

Here’s a quick rundown on setup:

GitHub: Configure branches and CI/CD triggers.
CodePipeline: Define stages, source provider (GitHub), build settings (Docker), and deployment to ECS.
ECR: Create a repository to store Docker images.
ECS: Setup a Fargate cluster and service.
Secrets Manager: Store credentials securely.
IAM Roles: Allow CodePipeline to interact with AWS services.
CloudFront: Distribute content with low latency.
Lambda: Python script to extract and store geolocation.
S3: Store build artifacts and logs.

6️⃣ Benefits

✅ Serverless Deployment: No need to manage EC2 instances - thanks to Fargate.
✅ Automation: CI/CD reduces manual steps and errors.
✅ Scalability: Fargate and Lambda scale automatically.
✅ Security: Secrets Manager secures credentials.
✅ Low-Latency Content Delivery: CloudFront caches content at edge locations.
✅ Serverless Execution: Lambda runs code on-demand without servers.
✅ Object Storage: S3 is durable and scalable, perfect for logs and data.

7️⃣ Conclusion

This article shows how to effectively deploy an application on AWS ECS Fargate while enhancing user experience with geolocation tracking. Using services like CodePipeline, ECR, ECS, Secrets Manager, Lambda, CloudFront, and S3, we’ve built a secure, scalable, and automated deployment pipeline.

Here is the github repositort url for the application.

8️⃣ Future Plans

🔧 Implement Infrastructure as Code with AWS CloudFormation or Terraform.
🌍 Develop a custom geolocation API for advanced use cases.
📈 Add monitoring and alerting with AWS CloudWatch or third-party tools.
🌐 Enable cross-region replication for S3 to ensure data durability and disaster recovery.

Cloud Security Technologies: CSPM, CASB, CIEM, CWPP and CNAPP in the AWS Ecosystem

Shiva Sai Peddy — Sun, 25 May 2025 17:02:57 +0000

As more companies move to the cloud, new security challenges are emerging. When using cloud service providers like Amazon Web Services (AWS), it's important to protect everything from misconfigured resources to user access, application workloads, and data shared with SaaS platforms.

To address these challenges, four core categories of cloud security technologies have emerged:

CSPM - Cloud Security Posture Management
CASB - Cloud Access Security Broker
CIEM - Cloud Infrastructure Entitlement Management
CWPP - Cloud Workload Protection Platform
CNAPP - Cloud-Native Application Protection Platform

In this post, we’ll break each one down and explore how AWS supports or integrates with these models, including use cases and tools.

🛡️ 1. Cloud Security Posture Management (CSPM)

🎯 Purpose

CSPM tools continuously monitor and assess cloud resources to identify misconfigurations and ensure compliance with policies or regulatory standards.

✅ Capabilities

Identify insecure or non-compliant configurations
Enforce security baselines (e.g., CIS, NIST)
Enable auto-remediation
Provide multi-account, multi-region visibility

🔧 AWS Native Tools

AWS Config - Rule based compliance tracking
AWS Security Hub - Aggregates security findings
Amazon GuardDuty - Detects threats from poor posture
AWS Trusted Advisor - Security best practice checks

💡 Example

Security Hub detects an S3 bucket with public read access. AWS Config automatically triggers a remediation to revoke access.

🔐 2. Cloud Access Security Broker (CASB)

🎯 Purpose

CASB platforms sit between users and cloud services (typically SaaS) to enforce security policies and monitor data transfers.

✅ Capabilities

Shadow IT discovery
DLP enforcement (e.g., sensitive file sharing)
Threat detection (e.g., compromised accounts)
OAuth app control

🚫 AWS Native Support

AWS does not provide a native CASB. However, CASBs can integrate with:

AWS IAM (for access control)
AWS CloudTrail (for user activity logs)
Amazon S3 (for DLP enforcement)

💡 Example

A CASB detects a file containing PII being uploaded to a personal Dropbox account and blocks the transfer.

🔗 Popular Vendors

Microsoft Defender for Cloud Apps
Netskope
McAfee MVISION Cloud
Palo Alto Prisma SaaS

👤 3. Cloud Infrastructure Entitlement Management (CIEM)

🎯 Purpose

CIEM helps manage identity permissions, ensuring users and workloads follow least privilege access principles.

✅ Capabilities

Visualize access across accounts/services
Detect overprivileged roles or unused permissions
Automate rightsizing policies
Govern third-party access

🔧 AWS Native Tools

IAM Access Analyzer - Flags unused or risky permissions
Access Advisor - Reports last-used permissions
AWS Identity Center (SSO) - Central access management
Service Control Policies (SCPs) - Organization-wide access limits

💡 Example

A Lambda function has AdministratorAccess but only sends messages to SQS. IAM Access Analyzer flags this, and a policy update is suggested.

🔗 Popular Vendors

Sonrai Security
Ermetic
CyberArk
SailPoint
Microsoft CloudKnox

🧩 4. Cloud Workload Protection Platform (CWPP)

🎯 Purpose

CWPP focuses on securing workloads such as VMs, containers, serverless functions whether running in cloud, on-prem, or hybrid environments.

✅ Capabilities

Runtime protection of EC2, ECS, Lambda, etc.
File integrity monitoring
Host-level anomaly detection
Application allow/deny listing
Vulnerability and malware detection

🔧 AWS Native Tools

Amazon Inspector - Finds vulnerabilities in EC2 and container images
Amazon GuardDuty - Detects suspicious behavior and malware
AWS Systems Manager - Manages patches and configurations
AWS CloudTrail + Config - Provide forensic context and change tracking

CWPP often overlaps with CNAPP in functionality, especially in runtime protection and vulnerability management.

💡 Example

GuardDuty detects unusual login attempts on an EC2 instance, and Systems Manager is used to temporarily block access and investigate.

🔗 Popular Vendors

Trend Micro
CrowdStrike Falcon Cloud Workload
Prisma Cloud Compute
Aqua Security
SentinelOne

🔒 5. Cloud-Native Application Protection Platform (CNAPP)

🎯 Purpose

CNAPP unifies multiple security layers - CSPM, CWPP (workload protection), and CIEM to provide full stack security across the application lifecycle.

✅ Capabilities

Image/container vulnerability scanning
Identity and access analysis
Runtime workload protection
Shift-left security via CI/CD integration

🔧 AWS Native Tools

Amazon Inspector - Vulnerability scanning (EC2, ECR)
Amazon GuardDuty - Threat detection
AWS Security Hub - Centralizes alerts
AWS CodeWhisperer / CodeGuru - Secure code generation/analysis
IAM Access Analyzer - Identity assessment

📝 Note: AWS does not provide a single CNAPP platform, but you can build one using these services or integrate a third-party CNAPP.

💡 Example

Amazon Inspector flags a vulnerable container image. GuardDuty later detects outbound traffic to an unknown domain. These are correlated in Security Hub.

🔗 Popular Vendors

Wiz
Prisma Cloud (Palo Alto)
Orca Security
Lacework
Microsoft Defender for Cloud

📊 Summary Table

Category	Function	AWS Native Support	Example
CSPM	Config & compliance	✅ AWS Config, Security Hub	Public S3 bucket auto-remediated
CASB	SaaS visibility & DLP	❌ 3rd-party only	Block PII upload to Dropbox
CIEM	Identity entitlement control	✅ IAM Analyzer, SSO, SCPs	Detect & fix overprivileged roles
CWPP	Workload runtime protection	✅ Inspector, GuardDuty, SSM	Detect & Block unusual login attempts on EC2
CNAPP	App lifecycle protection	⚠️ Partial (Inspector, GuardDuty)	Scan ECR image & detect threats

🔚 Final Thoughts

No single tool or platform can secure your cloud environment alone. By leveraging technologies like CSPM, CASB, CIEM, CWPP, and CNAPP and integrating them with AWS-native services, you can build a layered, scalable cloud security strategy.

🔐 Stay proactive. Secure continuously. Build securely.

A Simple AWS-Powered Clinic Appointment System App Using Docker and SNS

Shiva Sai Peddy — Fri, 16 May 2025 20:42:52 +0000

Deploying full-stack applications on AWS doesn’t have to be overwhelming.

In this article, I’ll show how I built a basic Clinic Appointment Management System using Docker, FastAPI, and a few core AWS services. The app lets patients book appointments online, sends real-time notifications, and provides a secure way for admins to manage data - all in a lightweight and scalable setup.

If you're looking to get hands-on experience with deploying microservices on AWS, this beginner-friendly project is a great place to start!

Project Overview

This system enables:

Patients to book appointments via a simple web UI.
Real-time SMS/email notifications using AWS SNS.
Admins to access the backend securely through OpenVPN.

With its lightweight and modular setup, this architecture is well-suited for beginners and rapid prototyping.

AWS Architecture Overview

1. VPC Setup

CIDR Block: 12.0.0.0/16
Split into Public and Private subnets for better isolation and control.
Internet Gateway for public services.
NAT Gateway to allow private instances to access the internet securely (for updates, etc.).

2. Public Subnet Components

Application Load Balancer (ALB)

Routes incoming traffic (HTTP/HTTPS) to backend services.
Secured via security groups that limit access to only web ports.

OpenVPN Server

Deployed on an EC2 instance with an Elastic IP.
Allows secure, encrypted access to internal services.
Only accessible on UDP Port 1194.

3. Private Subnet Components

This is where the core application logic lives - isolated from the internet.

Dockerized Microservices

Deployed on an EC2 instance using Docker Compose, the system includes:

Service	Port	Description
Frontend	8000	Public-facing web UI
Patient Service	8001	Manages patient registration/data
Doctor Service	8002	Manages doctors and schedules
Appointment Service	8003	Handles bookings and availability
Notification Service	8004	Sends confirmations via SNS

Each service uses a lightweight python3.12-slim base with FastAPI + Uvicorn for rapid performance.

PostgreSQL Database

Dockerized inside the private subnet.
Stores patient, doctor, and appointment records.
Only accessible from within the VPC.

4. Admin Access with OpenVPN

Admins connect via a VPN client to access the private network.
Once authenticated, the admin accesses the PostgreSQL instance within the private subnet using a SQL client.
No direct database exposure to the internet - ever.

5. DNS & Multi-AZ Load Balancing

The Application Load Balancer provides a DNS endpoint for the frontend.
Services are deployed across multiple Availability Zones (us-east-1a & us-east-1b) to increase resilience.

6. Real-Time Notifications with AWS SNS

The Notification Service integrates with AWS SNS to send:
- SMS messages
- Email confirmations
SNS scales automatically and ensures reliable message delivery.

7. Security Practices

Security is built-in, not bolted on:

IAM Roles & Policies: Restrict and manage AWS access.
Security Groups: Only necessary ports are open.
Private Subnets: Critical services are not internet-facing.
OpenVPN: Admins can only access internal systems after authentication.

8. Monitoring & Observability

AWS CloudWatch tracks:
- EC2 metrics
- SNS delivery logs
- Application logs from microservices

This helps in performance tuning and alerting.

9. Designed for Scalability

Load Balancer enables horizontal scaling of services.
Docker Microservices can be updated independently.
SNS automatically handles messaging load increases.

10. Future Enhancements

Here’s what’s next on the roadmap to make this production-ready:

✅ Add HTTPS support using SSL on the Load Balancer.
✅ Use AWS RDS for managed PostgreSQL.
✅ Build a CI/CD pipeline (AWS CodePipeline).
✅ Migrate to ECS or EKS for better container orchestration.
✅ Use Route 53 for domain-level routing.
✅ Enable WAF, GuardDuty, Inspector for advanced security.
✅ Set up alerting for downtime or intrusions.

💬 Final Thoughts

This project taught me how to combine infrastructure best practices with microservices architecture, all while staying secure and scalable. It’s a solid base for health tech applications, appointment systems, and even e-commerce platforms. Here is the github repository url for the application.

If you're starting your journey with AWS, Docker, or cloud security, this architecture offers a hands-on example with real-world value.

Let me know what you think - and I’d love to hear how you would extend or improve this setup!