Prerequisites
- All steps in "Prepare Lambda Environment".
Network topology
Overview
This guide creates the public-threat-intelligence-feed-parser AWS Lambda function.
The function loads a selected feed module (RSS or other HTTP-based sources), builds a JSON document (panel metadata + payload) suitable for downstream processing, and writes that document to S3 using a date-partitioned key: {optional_prefix/}{YYYY-MM-DD}/{feed_type}.json.
This function must reach the public internet (feed URLs) and Amazon S3.
For the lab, run it without a VPC (default Lambda networking). If you later attach a VPC, you need a NAT gateway or VPC endpoints so outbound internet and S3 still work; that is outside the minimal path described here.
Exercise code
Download the Python sources (and any packaged .zip file there) from the exercise repository:
public-threat-intelligence-feed-parser on GitHub
Use those files as the deployment package for this function (see Step 5).
Step 1: Create the Lambda function
- Open the Lambda console ➔ Create function.
- Choose Author from scratch.
- Configure:
  - Function name: public-threat-intelligence-feed-parser
  - Runtime: Python 3.12
  - Architecture: x86_64
  - Execution role: Use an existing role ➔ projectx-lambda-feed-exec-role
- Choose Create function.
Step 2: General configuration
Under Configuration ➔ General configuration ➔ Edit:
- Description: Fetches public threat intel feeds and writes JSON snapshots to S3.
- Timeout: 1 minute (this is enough for what we are doing).
- Memory: 256 MB (you may need to raise it if you see timeout errors).
Save.
Step 3: Environment variables
Under Configuration ➔ Environment variables ➔ Edit, set at least:
| Variable | Required | Description |
|---|---|---|
| FEED_OUTPUT_BUCKET | Yes | S3 bucket name for JSON output (alias: S3_BUCKET is also accepted by the code). |
| S3_KEY_PREFIX | No | Optional key prefix; keys become {prefix}/{date}/{feed_type}.json. |
| PANEL_KEY | No | Default panel when the event does not specify one (see handler). |
Example:
Save.
Step 4: Deployment package (.zip)
- Download the Python files from public-threat-intelligence-feed-parser on GitHub (for example lambda_handler.py, rss_feed.py, and each top_*_feed.py).
- The repository will include public-lambda-deployment.zip in the parent threat_intelligence_lambda_functions directory with those modules at the zip root. Upload the zip file here.
- To build locally (Unix-style shell), from the directory that contains lambda_handler.py:
- In Lambda Code ➔ Upload from ➔ .zip file, upload the zip.
Step 5: Attach the Lambda layer
Under Code ➔ Layers ➔ Add a layer:
- Choose Custom ➔ threat-intel-lambda-layer
- Compatible runtime must include Python 3.12.
Step 6: Test event
Under Test ➔ Create new event, name the event testprobe and use a JSON body that selects a feed:
👉 The panel_key values match the feed modules in the repository: security_news_rss, top_100_domains, top_ips, top_10_countries_by_ip, top_malware_hashes, top_iocs.
Right now, the only panel_key that will work is "security_news_rss", since it is the only one whose Python file has its logic developed.
Run Test. A successful invocation returns HTTP 200 in the function result and writes an object such as:
s3://YOUR_BUCKET/mm/dd/yyyy/security_news_rss.json
(Exact date folder is the current UTC day.)
👉 Check CloudWatch Logs for the log group /aws/lambda/public-threat-intelligence-feed-parser if anything fails.
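The panel selection and key layout described in this guide, as an added example that is not code from the exercise repository: it checks panel_key against the values listed in Step 6 before that value selects a feed module or becomes part of an S3 key, and builds the {optional_prefix/}{YYYY-MM-DD}/{feed_type}.json key from the current UTC day. The function names, the prefix pattern, and the sample bucket and prefix are assumptions.

```python
import re
from datetime import datetime, timezone

# panel_key values listed in Step 6 of this guide.
ALLOWED_PANEL_KEYS = frozenset({
    "security_news_rss", "top_100_domains", "top_ips",
    "top_10_countries_by_ip", "top_malware_hashes", "top_iocs",
})

# Assumption: prefixes are restricted to simple path segments (no "..", no spaces).
_PREFIX_RE = re.compile(r"^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*$")


def resolve_panel_key(event, env):
    """Take panel_key from the event, else PANEL_KEY; reject anything not allowlisted."""
    panel_key = (event or {}).get("panel_key") or env.get("PANEL_KEY")
    if not isinstance(panel_key, str) or panel_key not in ALLOWED_PANEL_KEYS:
        raise ValueError(f"unsupported panel_key: {panel_key!r}")
    return panel_key


def build_s3_key(panel_key, env, now=None):
    """Return {optional_prefix/}{YYYY-MM-DD}/{feed_type}.json for the UTC day of `now`."""
    now = now or datetime.now(timezone.utc)
    day = now.astimezone(timezone.utc).strftime("%Y-%m-%d")
    prefix = env.get("S3_KEY_PREFIX", "").strip("/")
    if prefix and not _PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid S3_KEY_PREFIX: {prefix!r}")
    parts = [prefix] if prefix else []
    return "/".join(parts + [day, f"{panel_key}.json"])


def plan_write(event, env, now=None):
    """Return the (bucket, key) pair a run would write to, without calling S3."""
    bucket = env.get("FEED_OUTPUT_BUCKET") or env.get("S3_BUCKET")
    if not bucket:
        raise ValueError("FEED_OUTPUT_BUCKET is not set")
    return bucket, build_s3_key(resolve_panel_key(event, env), env, now)


if __name__ == "__main__":
    # Constructed sample values, not taken from the exercise repository.
    env = {"FEED_OUTPUT_BUCKET": "example-feed-bucket", "S3_KEY_PREFIX": "feeds/"}
    when = datetime(2025, 1, 2, 23, 30, tzinfo=timezone.utc)
    print(plan_write({"panel_key": "security_news_rss"}, env, when))
```

Rejecting unknown panel_key values before they reach module selection or key construction keeps a crafted event from steering the function to an unintended module or object path.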
We Are Ready For Next Steps
In WA101, we will schedule invocations (Amazon EventBridge) with different panel_key values per rule or payload on a daily basis.
Next, we can add a second Lambda triggered by S3 to read these JSON objects and load dashboard.panel_feed in PostgreSQL, using least-privilege IAM and VPC design consistent with your security goals. This is where the data will be populated in our threat intelligence feed dashboard.