Security Engineer Guide

Security-focused monitoring patterns for certificate validation, firewall verification, and security posture monitoring.

SSL Certificate Monitoring

Expiry Monitoring

Alert before a certificate expires (this example warns 14 days ahead and checks hourly):

{
  "name": "ssl-expiry-example.com",
  "type": "ssl",
  "config": {
    "host": "example.com",
    "port": 443,
    "alert_days_before": 14
  },
  "regions": ["na-east-ewr"],
  "interval_seconds": 3600
}

Certificate Fingerprint Pinning

Alert if the certificate changes unexpectedly (potential MITM):

{
  "name": "ssl-fingerprint-example.com",
  "type": "ssl",
  "config": {
    "host": "example.com",
    "port": 443,
    "expected_fingerprint": "a1b2c3d4e5f6..."
  },
  "regions": ["na-east-ewr", "eu-central-fra", "ap-southeast-sin"],
  "interval_seconds": 300
}

Get the current fingerprint (pass -servername so a host that serves several certificates returns the one for example.com): echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -fingerprint -sha256 -noout

Firewall Validation with Inverted Checks

Alert when something that should be closed becomes open:

{
  "name": "db-port-not-public",
  "type": "tcp",
  "config": {
    "host": "db.example.com",
    "port": 5432
  },
  "inverted": true,
  "regions": ["na-east-ewr", "eu-central-fra", "ap-southeast-sin"],
  "interval_seconds": 300
}

This check succeeds when the port is closed and alerts when it opens.

Common Inverted Check Targets

  • Database ports (5432, 3306, 27017)
  • Redis (6379)
  • Internal admin panels
  • Debug endpoints
  • Development/staging environments

Multi-Region Security Posture

Check from multiple regions to detect CDN/proxy compromises:

{
  "name": "security-posture-check",
  "type": "https",
  "config": {
    "url": "https://example.com/admin",
    "expected_status": [401, 403]
  },
  "inverted": true,
  "regions": ["na-east-ewr", "eu-central-fra", "ap-southeast-sin", "sa-east-sao"],
  "simultaneous_regions": true,
  "interval_seconds": 300
}

Alerts if the admin panel becomes accessible from any region.

DNS Change Detection

DNS checks detect when records change, which can indicate hijacking:

{
  "name": "dns-a-record-monitor",
  "type": "dns",
  "config": {
    "domain": "example.com",
    "record_type": "A"
  },
  "regions": ["na-east-ewr"],
  "interval_seconds": 300
}

Results include records_added and records_removed metadata for alerting.

Alert Severity for Security

Condition                        Severity   Response
Certificate fingerprint changed  CRITICAL   Investigate immediately
Port opened unexpectedly         CRITICAL   Possible breach
DNS records changed              HIGH       Verify authorized change
SSL expiring <7 days             HIGH       Renew immediately
Admin panel accessible           CRITICAL   Check firewall rules
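The evaluation semantics behind the fingerprint pinning, inverted port and DNS change checks above, written out as an added example (not the monitoring service's own code) and mapped to the severities in this table. The DER bytes and IP addresses are constructed stand-ins; the fingerprint normalization assumes the pin may be given either as openssl prints it (uppercase, colon-separated) or as bare hex like the config shows.

```python
"""Added example (not the monitoring service's own code): the semantics of the
checks above evaluated on constructed data, mapped to the severity table."""
import hashlib
import hmac


def normalize_fingerprint(fp):
    """Accept openssl output ('SHA256 Fingerprint=AB:CD:...') or the bare
    hex form used in the config ('abcd...') and return lowercase hex."""
    return fp.split("=", 1)[-1].replace(":", "").strip().lower()


def sha256_fingerprint(der_cert):
    """SHA-256 of the DER certificate, the value openssl x509 -fingerprint prints."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_check(der_cert, expected_fingerprint):
    """Pinning check: CRITICAL when the served certificate does not match the pin.
    compare_digest keeps the comparison constant-time."""
    observed = sha256_fingerprint(der_cert)
    ok = hmac.compare_digest(observed, normalize_fingerprint(expected_fingerprint))
    return {"ok": ok, "severity": None if ok else "CRITICAL", "observed": observed}


def inverted_tcp_check(port_open):
    """Inverted check: success means the port is closed; an open port is CRITICAL."""
    return {"ok": not port_open, "severity": "CRITICAL" if port_open else None}


def dns_change_check(previous, current):
    """Diff two record snapshots into records_added / records_removed; any
    change is HIGH until the owner confirms it was authorized."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = bool(added or removed)
    return {"ok": not changed, "severity": "HIGH" if changed else None,
            "records_added": added, "records_removed": removed}


if __name__ == "__main__":
    # Constructed inputs: a stand-in DER blob and documentation-range IPs.
    cert = b"constructed-der-bytes-not-a-real-certificate"
    pin = sha256_fingerprint(cert).upper()
    print(fingerprint_check(cert, "SHA256 Fingerprint=" + pin)["ok"])  # True
    print(fingerprint_check(b"different-cert", pin)["severity"])       # CRITICAL
    print(inverted_tcp_check(port_open=True)["severity"])             # CRITICAL
    print(dns_change_check(["192.0.2.10"], ["192.0.2.10", "203.0.113.7"]))
```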