M A R L O C K S

Secure Pull: Achieving Immutable Compliance with AWS Serverless Architecture

CLIENT

Secure Pull

YEAR

2026

Overview

Secure Pull, a cybersecurity consulting firm, needed a platform to ingest massive amounts of security scan data while maintaining strict regulatory compliance. We delivered a highly secure, Event-Driven Serverless architecture that automates audit trails, ingests variable data schemas without friction, and reduces the time-to-insight for critical security risks.

The Challenge

Secure Pull’s clients run automated security scanners that generate thousands of log entries in seconds.

Data Rigidity

Vulnerability data varies wildly between tools. Traditional relational databases required constant schema changes, slowing down development.

Compliance Risks

In the security industry, “Chain of Custody” is vital. If a risk status changed from “Critical” to “Safe,” there was no immutable record of who changed it and when.

Performance vs. Audit

Writing audit logs synchronously slowed down the dashboard, frustrating security analysts.

The Solution: Serverless & Event-Driven

We utilized Amazon DynamoDB for its flexible schema (NoSQL) and DynamoDB Streams to enforce compliance. The architecture utilizes a Fan-Out pattern to handle security alerts and logging in parallel.

Amazon DynamoDB

Stores vulnerability findings with a flexible schema to accommodate various scanning tools.

DynamoDB Streams

Acts as the “Compliance Watchdog,” capturing the exact state of data before and after any modification.

Amazon SNS (Simple Notification Service)

Broadcasts critical alerts to multiple downstream systems instantly.

AWS Lambda (Graviton2)

Optimized compute for processing heavy JSON logs.

Architecture Workflow

Ingestion

Security scanners push findings to API Gateway.

Broadcasting

If a finding is “Critical,” Lambda publishes an event to SNS.

Parallel Actions (Fan-Out)

Path A: An email is immediately sent to the CISO via SNS.
Path B: The finding is written to DynamoDB for storage.

Compliance Logging

When a user updates a vulnerability status, DynamoDB Streams captures the “Old Image” and “New Image.” A dedicated Lambda compares them and writes an immutable record to a separate Audit History Table.
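As an added illustration of the Compliance Logging step (this is example code, not Marlocks' or Secure Pull's own), a Python Lambda handler that diffs the Old and New Images of each stream record and builds the immutable audit item. It assumes the findings table's stream is enabled with the NEW_AND_OLD_IMAGES view type (otherwise the Old Image is absent), a constructed sample event, and hypothetical attribute names `finding_id`, `status` and `last_modified_by`.

```python
import hashlib
import json
from datetime import datetime, timezone

AUDITED_FIELDS = ("status", "severity", "assignee")  # edits to these must leave a trail

def _unmarshal(typed):
    """Decode one DynamoDB-JSON scalar, e.g. {"S": "Critical"} -> "Critical"."""
    (t, v), = typed.items()
    if t == "N":
        return float(v) if "." in v else int(v)
    return None if t == "NULL" else v  # "S" and "BOOL" carry the plain value

def diff_images(old_image, new_image):
    """Return {field: (before, after)} for audited fields whose value differs."""
    old = {k: _unmarshal(v) for k, v in old_image.items()}
    new = {k: _unmarshal(v) for k, v in new_image.items()}
    return {f: (old.get(f), new.get(f)) for f in AUDITED_FIELDS if old.get(f) != new.get(f)}

def build_audit_record(record):
    """One stream record -> one audit-history item, or None if nothing audited changed."""
    if record["eventName"] != "MODIFY":  # INSERT/REMOVE carry a single image only
        return None
    ddb = record["dynamodb"]
    changes = diff_images(ddb["OldImage"], ddb["NewImage"])
    if not changes:
        return None
    new = ddb["NewImage"]
    audit = {
        "finding_id": _unmarshal(new["finding_id"]),
        "sequence": ddb["SequenceNumber"],  # unique per shard: sort key of the audit table
        "changed_by": _unmarshal(new.get("last_modified_by", {"S": "unknown"})),
        "changed_at": datetime.fromtimestamp(ddb["ApproximateCreationDateTime"], timezone.utc).isoformat(),
        "changes": {f: {"old": b, "new": a} for f, (b, a) in changes.items()},
    }
    # A digest over the canonical item lets a reviewer spot a tampered history row later.
    audit["digest"] = hashlib.sha256(json.dumps(audit, sort_keys=True).encode()).hexdigest()
    return audit

def lambda_handler(event, context=None):
    """Returns the batch's audit items. In production each is written with
    put_item(ConditionExpression="attribute_not_exists(#seq)") so a replay can never overwrite history."""
    return [a for a in map(build_audit_record, event.get("Records", [])) if a]

SAMPLE_EVENT = {"Records": [{  # constructed sample in the DynamoDB Streams record shape
    "eventName": "MODIFY", "dynamodb": {"ApproximateCreationDateTime": 1767225600, "SequenceNumber": "100",
        "OldImage": {"finding_id": {"S": "F-1"}, "status": {"S": "Critical"}, "last_modified_by": {"S": "alice"}},
        "NewImage": {"finding_id": {"S": "F-1"}, "status": {"S": "Safe"}, "last_modified_by": {"S": "bob"}}}}]}
```

The audit table itself should only ever be written by this function's role, with a conditional put and no update or delete permission, so the history stays append-only.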

Key Results & Metrics

Legacy System vs AWS Serverless Transformation

Metric                 | BEFORE (LEGACY)      | AFTER (AWS SERVERLESS)
-----------------------|----------------------|-----------------------------
Data Ingestion         | Sequential (Slow)    | Parallel Fan-out (Instant)
Audit Compliance       | Manual/Unreliable    | 100% Automated & Immutable
Compute Cost           | Standard x86 Rates   | 19% lower via Graviton2
Data Retention         | Manual Deletion      | Automated (Auto-expiry)

Operational Efficiency: The switch to AWS Graviton2 processors for the background Lambda functions improved processing speed by ~20% while lowering costs. Additionally, utilizing DynamoDB TTL (Time-to-Live) saved storage costs by automatically pruning raw debug logs after 90 days without writing custom scripts.

Lessons Learned

Streams for Compliance: Using DynamoDB Streams is superior to application-level logging for audit trails. It guarantees that if the data changes in the DB, the log will be created, removing the risk of silent edits.

Least Privilege: Security automation tools (IAM Access Analyzer) were essential. We learned that automated monitoring of permissions is required to maintain a secure posture when deploying frequent updates to serverless functions.
