AWS Secure Admin Hub — Platform Walkthrough
A full walkthrough of every feature, what it connects to, and why it was built that way. Each section maps to a page in the sidebar.
Admin Dashboard
LIVE: The dashboard shows the current state of your AWS environment at a glance.
Pulls a real-time count from DynamoDB — every request submitted through this platform is stored and counted here.
Queries the AWS/Lambda namespace in CloudWatch using GetMetricData, aggregated hourly over the last 24 hours.
The bar chart shows real request volume hitting this platform's API Gateway, rendered directly from CloudWatch metrics.
Simulated cards. Fetching real VPC topology or GuardDuty scores at this scale would add cost without meaningful depth.
EC2 Access Management
LIVE: The core of this platform. Models the real workflow a Cloud Admin follows when an engineer needs temporary EC2 access.
An engineer fills in the instance ID, purpose, duration, and permission level. Submitting writes directly to the DynamoDB AccessRequests table via Lambda.
ReadOnly allows Describe-only actions. PowerUser adds Start, Stop, and Reboot. Admin grants EC2:* — each maps to a different IAM Action set in the policy generator.
On approval, Lambda generates a Least Privilege JSON policy scoped to the exact instance ARN, the minimum required actions, and a Region condition. Nothing broader than necessary.
No inbound port 22 needed — the Security Group stays closed. Access is controlled purely by IAM, with no key pair to manage. Every session is automatically recorded in CloudTrail.
Resource Management
LIVE: Direct control over live AWS resources — EC2, S3, and CloudWatch metrics in one view.
Calls ec2.startInstances() or ec2.stopInstances() against the real demo instance. The UI then polls describeInstances every 5 seconds, transitioning the state badge from pending → running in real time.
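The poll loop described above, written out as an added example (this is not the platform's own code). It uses the AWS SDK for JavaScript v2 calling style the walkthrough uses (a request object with .promise()), stops early when the instance lands in a state it will never leave on its own, and caps the number of polls so a stuck instance cannot keep the UI polling forever. The fake EC2 client, the instance ID and the 24-attempt cap are constructed for this example.

```javascript
// Added example: bounded polling of describeInstances after startInstances.
// States from which the instance will never reach "running" by itself;
// polling past these only burns API calls.
const TERMINAL = new Set(["stopped", "terminated", "shutting-down"]);

async function waitForInstanceState(ec2, instanceId, target, opts = {}) {
  const intervalMs = opts.intervalMs ?? 5000;       // the UI's 5-second cadence
  const maxAttempts = opts.maxAttempts ?? 24;        // assumed cap: 2 minutes at 5 s
  const sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
  const history = [];                                // badge transitions seen
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await ec2.describeInstances({ InstanceIds: [instanceId] }).promise();
    const inst = res.Reservations?.[0]?.Instances?.[0];
    if (!inst) throw new Error(`instance ${instanceId} not found`);
    const state = inst.State.Name;
    if (history[history.length - 1] !== state) history.push(state);
    if (state === target) return { ok: true, state, attempts: attempt, history };
    if (target === "running" && TERMINAL.has(state)) {
      return { ok: false, state, attempts: attempt, history }; // give up early
    }
    await sleep(intervalMs);
  }
  return { ok: false, state: history[history.length - 1], attempts: maxAttempts, history };
}

// Constructed fake client: replays a scripted sequence of instance states
// (the last state repeats once the script is exhausted).
function fakeEc2(states, instanceId = "i-0123456789abcdef0") {
  let i = 0;
  return {
    describeInstances() {
      const name = states[Math.min(i, states.length - 1)];
      i++;
      return {
        promise: async () => ({
          Reservations: [{ Instances: [{ InstanceId: instanceId, State: { Name: name } }] }],
        }),
      };
    },
  };
}

// Usage against the fake client, with sleeping disabled so it completes instantly.
async function demo() {
  const ec2 = fakeEc2(["pending", "pending", "running"]);
  return waitForInstanceState(ec2, "i-0123456789abcdef0", "running", { sleep: async () => {} });
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Against a real client you would drop the `sleep` override; the returned `history` is what drives the pending → running badge, and an `ok: false` result is the signal to surface an error instead of leaving the badge spinning.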
For each bucket, the platform calls GetPublicAccessBlock and GetBucketPolicy. You can immediately see which buckets are publicly accessible and which have a resource policy attached.
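An added example (not the platform's code) of how the two responses can be combined into a per-bucket verdict. It takes the PublicAccessBlockConfiguration returned by GetPublicAccessBlock (or null when the call raises NoSuchPublicAccessBlockConfiguration) and the policy document from GetBucketPolicy (or null on NoSuchBucketPolicy), and treats a public Allow statement as neutralised only when RestrictPublicBuckets is on. The bucket names, ARNs and account ID in the sample data are constructed.

```javascript
// Added example: classify S3 buckets from GetPublicAccessBlock / GetBucketPolicy results.
const BLOCK_KEYS = ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"];

// true only when all four Block Public Access settings are on
function isFullyBlocked(pab) {
  return Boolean(pab) && BLOCK_KEYS.every((k) => pab[k] === true);
}

// A Principal of "*" or {"AWS": "*"} (alone or in a list) is anonymous access
function principalIsPublic(principal) {
  if (principal === "*") return true;
  if (principal && typeof principal === "object") {
    const aws = principal.AWS;
    return aws === "*" || (Array.isArray(aws) && aws.includes("*"));
  }
  return false;
}

// GetBucketPolicy returns the document as a JSON string; accept an object too
function hasPublicAllow(policy) {
  if (!policy) return false;
  const doc = typeof policy === "string" ? JSON.parse(policy) : policy;
  const stmts = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  // Conditioned statements are left out here: they need a human look rather
  // than an automatic "public" verdict.
  return stmts.some((s) => s.Effect === "Allow" && principalIsPublic(s.Principal) && !s.Condition);
}

function classifyBucket({ name, publicAccessBlock, policy }) {
  const publicAllow = hasPublicAllow(policy);
  let status = "PRIVATE";
  if (publicAllow) {
    status = publicAccessBlock?.RestrictPublicBuckets === true ? "PUBLIC_POLICY_RESTRICTED" : "PUBLIC";
  }
  return { name, status, hasPolicy: Boolean(policy), blockComplete: isFullyBlocked(publicAccessBlock) };
}

function auditBuckets(buckets) {
  return buckets.map(classifyBucket);
}

// Constructed sample: what the two API calls might return for three buckets.
const ALL_ON = { BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true };
const SAMPLE_BUCKETS = [
  { name: "demo-public-site", publicAccessBlock: null,
    policy: JSON.stringify({ Version: "2012-10-17", Statement: [
      { Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::demo-public-site/*" }] }) },
  { name: "demo-logs", publicAccessBlock: ALL_ON, policy: null },
  { name: "demo-shared", publicAccessBlock: ALL_ON,
    policy: { Version: "2012-10-17", Statement: [
      { Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:role/Reader" },
        Action: "s3:GetObject", Resource: "arn:aws:s3:::demo-shared/*" }] } },
];

console.log(auditBuckets(SAMPLE_BUCKETS));
```

The `blockComplete` flag is what the "S3 blocked" checklist item in the Security Center is really asserting; a bucket can be PRIVATE today and still have `blockComplete: false`, which is the gap worth closing before a policy change makes it PUBLIC.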
Lambda invocations and API Gateway request counts are rendered as bar charts using real GetMetricData responses — the same data the Dashboard cards use, just visualized over time.
VPC topology is simulated. Rendering real subnet and security group relationships requires additional read permissions and adds complexity without changing the Cloud Admin narrative.
Security Center
LIVE: IAM policy generation, CloudTrail audit logs, and security posture in one place.
Enter a list of Actions and a Resource ARN. Lambda returns a Least Privilege JSON policy instantly. This is a direct implementation of the Security Pillar of the AWS Well-Architected Framework.
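An added example of a generator like the one described here and under EC2 Access Management (the ReadOnly / PowerUser / Admin levels and the instance-scoped policy with a Region condition). It is not the platform's Lambda code; the exact action lists per level, the statement Sids and the use of the ec2:Region condition key are assumptions. One caveat it handles that the prose glosses over: EC2 Describe* actions do not support resource-level permissions, so a statement that pins them to an instance ARN (or attaches a condition they never carry) silently denies them. The generator therefore puts Describe* in a separate statement on "*" and scopes everything else to the instance.

```javascript
// Added example: least-privilege EC2 policy generator (assumed action sets).
const LEVEL_ACTIONS = {
  ReadOnly: ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
  PowerUser: ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
              "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
  Admin: ["ec2:*"],
};

// Only a well-formed instance ARN is accepted; the region is lifted from it.
const ARN_RE = /^arn:aws:ec2:([a-z0-9-]+):(\d{12}):instance\/(i-[0-9a-f]{8,17})$/;

function parseInstanceArn(arn) {
  const m = ARN_RE.exec(arn);
  if (!m) throw new Error(`not an EC2 instance ARN: ${arn}`);
  return { region: m[1], account: m[2], instanceId: m[3] };
}

const isDescribe = (a) => /^ec2:Describe/.test(a);

function buildPolicy(actions, resourceArn) {
  const { region } = parseInstanceArn(resourceArn);
  const unique = [...new Set(actions)].sort();
  if (unique.length === 0) throw new Error("at least one action is required");
  for (const a of unique) {
    if (!/^ec2:[A-Za-z*]+$/.test(a)) throw new Error(`only EC2 actions are generated here: ${a}`);
  }
  const scoped = unique.filter((a) => !isDescribe(a));
  // Describe* cannot be resource-scoped; with ec2:* requested, allow Describe* explicitly.
  let describe = unique.filter(isDescribe);
  if (scoped.includes("ec2:*")) describe = ["ec2:Describe*"];

  const Statement = [];
  if (scoped.length) {
    Statement.push({
      Sid: "InstanceScoped",
      Effect: "Allow",
      Action: scoped,
      Resource: resourceArn,
      Condition: { StringEquals: { "ec2:Region": region } },
    });
  }
  if (describe.length) {
    Statement.push({ Sid: "DescribeOnly", Effect: "Allow", Action: describe, Resource: "*" });
  }
  return { Version: "2012-10-17", Statement };
}

function policyForLevel(level, resourceArn) {
  const actions = LEVEL_ACTIONS[level];
  if (!actions) throw new Error(`unknown permission level: ${level}`);
  return buildPolicy(actions, resourceArn);
}

// Usage with a constructed account ID and instance ID.
const DEMO_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234def567890";
console.log(JSON.stringify(policyForLevel("PowerUser", DEMO_ARN), null, 2));
```

The ARN check doubles as input validation for the Security Center form: a free-text Resource field that accepts anything would let a typo such as `instance/*` widen the policy far beyond one instance.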
The trail is active and shipping management events to S3 right now. The S3-trigger Lambda parser that writes events into DynamoDB is still in progress — once complete, every API call made on this platform will appear here.
Simulated findings with real Finding structure — UnauthorizedAccess, PortProbe, BucketBlockPublicAccessDisabled. GuardDuty is intentionally not enabled to avoid per-event cost.
A static checklist showing the current security posture: MFA, CloudTrail active, S3 blocked, no inbound SSH. Items marked incomplete are genuine gaps to address.
Automation
LIVE: Lambda execution history and patch compliance — real operational data alongside a simulation.
Queries CloudWatch Logs for REPORT entries from the platform's own Lambda function. Duration and memory usage for every invocation are parsed and displayed — the history grows as you use this demo.
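An added example (not the platform's parser) showing how the REPORT lines CloudWatch Logs holds for a Lambda function can be turned into the duration and memory figures this page displays. Lambda writes each REPORT line as tab-separated "Key: value unit" fields, which is what the parser relies on; the request IDs and figures in the sample lines are constructed. It also flags invocations that came within 90% of the configured memory size, a threshold chosen for this example, because a function that is about to hit its memory limit is the failure mode this view is most useful for catching early.

```javascript
// Added example: parse Lambda REPORT lines and summarise them.
function parseReportLine(line) {
  const text = line.trim();
  if (!text.startsWith("REPORT ")) return null;        // START/END/application lines are ignored
  const fields = {};
  for (const part of text.slice("REPORT ".length).split("\t")) {
    const m = /^(.+?):\s*(.+?)\s*$/.exec(part.trim());
    if (m) fields[m[1]] = m[2];
  }
  // parseFloat("182.44 ms") === 182.44, so the unit suffix needs no special handling
  const num = (s) => (s === undefined ? undefined : parseFloat(s));
  return {
    requestId: fields["RequestId"],
    durationMs: num(fields["Duration"]),
    billedMs: num(fields["Billed Duration"]),
    memorySizeMb: num(fields["Memory Size"]),
    maxMemoryMb: num(fields["Max Memory Used"]),
    initMs: num(fields["Init Duration"]),               // present only on cold starts
  };
}

function summarizeReports(lines, memoryWarnRatio = 0.9) {
  const reports = lines.map(parseReportLine).filter(Boolean);
  if (reports.length === 0) return { invocations: 0 };
  const durations = reports.map((r) => r.durationMs);
  return {
    invocations: reports.length,
    avgDurationMs: durations.reduce((a, b) => a + b, 0) / reports.length,
    maxDurationMs: Math.max(...durations),
    billedMsTotal: reports.reduce((a, r) => a + r.billedMs, 0),
    coldStarts: reports.filter((r) => r.initMs !== undefined).length,
    nearMemoryLimit: reports
      .filter((r) => r.maxMemoryMb / r.memorySizeMb >= memoryWarnRatio)
      .map((r) => r.requestId),
  };
}

// Constructed sample log lines in the shape Lambda emits.
const SAMPLE_LINES = [
  "START RequestId: 3c0d1a2b-4e5f-6a7b-8c9d-0e1f2a3b4c5d Version: $LATEST",
  "REPORT RequestId: 3c0d1a2b-4e5f-6a7b-8c9d-0e1f2a3b4c5d\tDuration: 182.44 ms\tBilled Duration: 183 ms\tMemory Size: 128 MB\tMax Memory Used: 71 MB\tInit Duration: 412.10 ms",
  "REPORT RequestId: 9e8d7c6b-5a4f-3e2d-1c0b-a9f8e7d6c5b4\tDuration: 96.02 ms\tBilled Duration: 97 ms\tMemory Size: 128 MB\tMax Memory Used: 121 MB",
  "REPORT RequestId: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d\tDuration: 60.50 ms\tBilled Duration: 61 ms\tMemory Size: 128 MB\tMax Memory Used: 72 MB",
];

console.log(summarizeReports(SAMPLE_LINES));
```

In the real flow the `lines` array comes from the CloudWatch Logs query results; the parser is deliberately tolerant of missing fields so a line from a different runtime version does not abort the whole page.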
Simulated patch baseline report for the demo EC2 instance. The SSM Agent is installed and the instance is enrolled — running a real patch scan would modify system state, so compliance data is shown as simulated.
Design Decisions
LIVE / DEMO Transparency
Every data source is labelled. Green means a real AWS SDK call; blue means simulated. This boundary is a design decision, not a limitation — it keeps cost minimal while keeping the technically meaningful parts real.
Least Privilege Everywhere
The Lambda execution role has exactly the permissions it needs — no more. Generated IAM policies are scoped to a single instance ARN. Session Manager replaces SSH so no port ever opens.
Cost-Aware by Default
EC2 stays Stopped between demos — EBS-only billing. CloudTrail's first trail is free for management events. Everything else runs on Free Tier. Total monthly cost: ~$1.14.