Summary
The repository now has the main building blocks for a complete threat intelligence workflow, but they still live across separate PR tracks.
This issue tracks the integration work needed to connect:
into one validated end-to-end system.
Problem
The honeypot deployment and telemetry pipeline currently exist as separate lines of work. Even though both parts are implemented, they are not fully wired together as a single operational workflow.
That means the project needs a clean integration path so deployed honeypots automatically feed centralized analytics and threat enrichment.
Goal
Connect the full pipeline:
Cowrie -> Fluent Bit -> raw S3 -> Lambda enrichment -> enriched S3 -> Glue -> Athena
Scope
- modularize honeypot provisioning in Terraform
- wire root Terraform to provision both honeypots and telemetry together
- attach IAM instance profiles so honeypot nodes can upload logs to S3
- configure Cowrie to emit JSON logs reliably
- configure Fluent Bit to forward logs into the raw S3 sink
- ensure Lambda enrichment handles uploaded Fluent Bit objects correctly
- ensure S3 notifications trigger Lambda for raw uploaded logs
- validate enriched output in S3
- validate Athena queryability after Glue crawling
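As an added example (not code from the project or its PRs), this sketches the Lambda enrichment step from the Scope list above: it parses a Fluent Bit S3 object as newline-delimited JSON, tolerates blank or truncated lines and the case where Fluent Bit shipped the Cowrie event as a string under "log", and emits abuse_score and country_code on every record so the Glue crawler sees one stable schema. The FAKE_INTEL lookup, the ENRICHED_BUCKET environment variable and the sample object are constructed assumptions.

```python
import json
import urllib.parse

# Constructed stand-in for a real intel source (hypothetical); the issue names only the output fields.
FAKE_INTEL = {"203.0.113.7": {"abuse_score": 87, "country_code": "NL"}}

# Constructed Fluent Bit S3 object, one JSON object per line. Line 1 is the event shipped as a
# string under "log" (tail input without a JSON parser), line 2 one parsed at the edge.
SAMPLE_BODY = (
    b'{"date":"2024-05-01T10:00:00Z","log":"{\\"eventid\\":\\"cowrie.session.connect\\",'
    b'\\"src_ip\\":\\"203.0.113.7\\",\\"dst_port\\":2222}"}\n'
    b'{"date":"2024-05-01T10:00:01Z","eventid":"cowrie.login.failed","src_ip":"198.51.100.9"}\n\n'
)

def _loads(text):
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None  # blank or truncated line

def parse_fluent_bit_ndjson(body: bytes) -> list:
    """Parse NDJSON, dropping blank or truncated lines rather than failing the whole
    object, and hoist a JSON event shipped as a string under "log" to top level."""
    records = []
    for rec in map(_loads, body.decode("utf-8").splitlines()):
        if not isinstance(rec, dict):
            continue
        inner = _loads(rec["log"]) if isinstance(rec.get("log"), str) else None
        if isinstance(inner, dict):
            rec = {**inner, **{k: v for k, v in rec.items() if k != "log"}}  # keep Fluent Bit's date
        records.append(rec)
    return records

def enrich(record: dict, intel=FAKE_INTEL) -> dict:
    """Look up Cowrie's src_ip; emit both fields (null when unknown) so Glue infers one stable schema."""
    hit = intel.get(record.get("src_ip"), {})
    return {**record, "abuse_score": hit.get("abuse_score"), "country_code": hit.get("country_code")}

def enrich_object(body: bytes) -> bytes:
    lines = [json.dumps(enrich(r)) for r in parse_fluent_bit_ndjson(body)]
    return ("\n".join(lines) + "\n").encode() if lines else b""

def handler(event, context):
    """Lambda entry point for S3 notifications; ENRICHED_BUCKET is an assumed env var."""
    import os, boto3  # imported here so the pure functions above run offline
    s3 = boto3.client("s3")
    for r in event.get("Records", []):
        key = urllib.parse.unquote_plus(r["s3"]["object"]["key"])  # notification keys are URL-encoded
        raw = s3.get_object(Bucket=r["s3"]["bucket"]["name"], Key=key)["Body"].read()
        s3.put_object(Bucket=os.environ["ENRICHED_BUCKET"], Key=key, Body=enrich_object(raw))
```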
Acceptance Criteria
- honeypots deploy successfully across configured regions
- Cowrie events are generated on port 2222
- raw honeypot logs are uploaded to the S3 sink bucket
- Lambda enriches logs with fields such as abuse_score and country_code
- enriched logs are written to the enriched S3 bucket
- Glue crawler discovers schema successfully
- Athena queries return enriched telemetry records
Notes
This is an integration issue, not a replacement of prior work. It builds directly on top of the deployment foundation from PR #5 and PR #7 and the telemetry architecture introduced in PR #35.