Cross-Service Integrations
Simfra services interact with each other the same way they do in real AWS. These are not mocked or stubbed - when you publish to an SNS topic that has an SQS subscription, the message actually appears in the queue.
Messaging and Events
SNS Delivery
SNS delivers messages to subscribed endpoints at publish time:
| Target | Behavior |
|---|---|
| SQS | Message enqueued in the subscribed queue |
| Lambda | Function invoked with the SNS event payload |
| HTTP/HTTPS | Delivery captured in the message inbox |
| Captured in the message inbox | |
| SMS | Captured in the message inbox |
EventBridge Rules and Targets
EventBridge evaluates rules against events and invokes matched targets:
| Target | Behavior |
|---|---|
| Lambda | Function invoked with the event |
| SQS | Message sent to the queue |
| SNS | Message published to the topic |
| Step Functions | State machine execution started |
| Kinesis | Record put to the stream |
| ECS | Task run on the cluster |
| CloudWatch Logs | Event written to the log group |
| API Gateway | HTTP request sent to the API |
Resource state changes across services automatically emit EventBridge events (e.g., EC2 instance state changes, ECS task state changes, S3 object creation).
CloudWatch Alarms
When a metric alarm transitions to ALARM state, it invokes its configured actions:
| Action | Behavior |
|---|---|
| SNS | Notification published to the topic |
Services emit CloudWatch metrics automatically (SQS queue depths, Lambda invocations, EC2 CPU utilization, etc.), so alarms evaluate against real data.
Compute Triggers
Lambda Event Source Mappings
Lambda polls event sources and invokes functions with batches of records:
| Source | Behavior |
|---|---|
| SQS | Messages polled and delivered; successful messages deleted from queue |
| Kinesis | Records polled from shards; checkpoint tracking |
| DynamoDB Streams | Stream records polled and delivered |
The poller uses the function's execution role to authorize reads from the source.
EventBridge Scheduler
Scheduler invokes targets on cron or rate schedules:
| Target | Behavior |
|---|---|
| Lambda | Function invoked |
| SQS | Message sent |
| SNS | Message published |
| EventBridge | Event put to event bus |
| Kinesis | Record put to stream |
| Step Functions | Execution started |
| ECS | Task run |
EventBridge Pipes
Pipes connect a source to a target with optional filtering, enrichment, and transformation:
- Sources: SQS, Kinesis, DynamoDB Streams
- Enrichment: Lambda (records are sent to the function and the response is passed to the target)
- Targets: Lambda, SQS, SNS, EventBridge, Kinesis, Step Functions, ECS, CloudWatch Logs, Firehose
Data Pipeline
Firehose Delivery Streams
Firehose buffers records and delivers them to S3:
- Direct put: Records sent via PutRecord/PutRecordBatch
- Kinesis source: Records consumed from a Kinesis stream
- Lambda transformation: Records can be transformed by a Lambda function before delivery
- S3 destination: Delivered as objects with configurable prefix and buffering
CloudTrail
CloudTrail records every API call and delivers trails to configured destinations:
| Destination | Behavior |
|---|---|
| S3 | Trail logs written as compressed JSON objects |
| CloudWatch Logs | Events forwarded to a log group |
S3 Event Notifications
S3 emits events for object creation, deletion, and other operations:
| Target | Behavior |
|---|---|
| EventBridge | Events sent to the default event bus |
Orchestration
Step Functions
State machines orchestrate calls to other services:
| Integration | Behavior |
|---|---|
| Lambda | Invoke functions (sync and async) |
| SQS | Send messages |
| SNS | Publish notifications |
| DynamoDB | GetItem, PutItem, DeleteItem, UpdateItem, Query |
| EventBridge | PutEvents |
| ECS | RunTask |
| Batch | SubmitJob |
Both Standard and Express workflow types are supported.
CodePipeline
CodePipeline orchestrates CI/CD workflows:
| Stage | Behavior |
|---|---|
| Source | Pull from CodeCommit or S3 |
| Build | Trigger CodeBuild project |
| Deploy | Trigger CodeDeploy deployment |
Config Rules
Config evaluates compliance rules by invoking Lambda functions:
| Integration | Behavior |
|---|---|
| Lambda | Custom rule evaluation function invoked with resource configuration |
| SNS | Configuration change notifications |
Secrets Manager Rotation
Secrets Manager invokes a Lambda function to rotate secrets on a schedule.
Other Integrations
| Source | Target | Behavior |
|---|---|---|
| Cognito User Pools | Lambda | Triggers invoked during auth flows (PreSignUp, PostConfirmation, etc.) |
| CloudWatch Logs | Lambda | Subscription filter invokes function with log events |
| CloudWatch Logs | Kinesis | Subscription filter delivers to Kinesis stream |
| CloudWatch Logs | Firehose | Subscription filter delivers to Firehose |
| Glue Crawlers | S3 | Crawl S3 buckets to discover schemas |
| AppFlow | S3 | Flow runs read from and write to S3 |
| Bedrock Agents | Lambda | Action groups invoke Lambda functions |
| AppSync | Lambda/DynamoDB | Resolvers execute against data sources |
Authorization
All cross-service deliveries are authorized. The target service's resource policy is evaluated to verify the source is permitted. For role-based integrations (Scheduler, Step Functions, Firehose), the execution role's identity policies are checked.
Denied deliveries are handled per delivery mode:
- Synchronous (Lambda invoke, Step Functions): error returned to the caller.
- Asynchronous (SNS delivery, EventBridge targets): logged and skipped.
- Poller (Lambda ESM): paused with backoff retry.
See IAM Policy Enforcement for details on the authorization models.
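Because the target's resource policy decides whether a delivery is accepted, an SNS-to-SQS subscription needs a queue policy that allows the topic to send. The following added example (not Simfra's own code) builds such a policy pinned to one topic with `aws:SourceArn` and audits a queue policy before deployment. The ARNs are constructed samples, and `audit_delivery_policy` is a hypothetical helper that checks only this one pattern, not a full policy evaluator.

```python
import fnmatch

# Constructed sample ARNs with a placeholder account id (not from the page).
TOPIC_ARN = "arn:aws:sns:us-east-1:000000000000:orders"
QUEUE_ARN = "arn:aws:sqs:us-east-1:000000000000:orders-queue"
SEND = ("sqs:SendMessage", "sqs:*", "*")


def queue_policy_for_topic(queue_arn, topic_arn):
    """Queue resource policy that lets only this SNS topic deliver."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSnsDelivery",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        # Pin the source topic so other topics cannot use the SNS principal.
        "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_delivery_policy(policy, topic_arn):
    """Hypothetical pre-deploy check; returns a list of findings (empty = ok)."""
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and any(a in SEND for a in _as_list(s.get("Action", [])))]
    if not allows:
        return ["no Allow for sqs:SendMessage: delivery would be denied"]
    findings = []
    for s in allows:
        sid = s.get("Sid", "<no Sid>")
        cond = s.get("Condition", {})
        # ArnEquals and ArnLike both accept * and ? wildcards in IAM.
        sources = [v for op in ("ArnEquals", "ArnLike")
                   for v in _as_list(cond.get(op, {}).get("aws:SourceArn", []))]
        if not sources:
            findings.append(f"{sid}: no aws:SourceArn condition")
        elif not any(fnmatch.fnmatchcase(topic_arn, v) for v in sources):
            findings.append(f"{sid}: aws:SourceArn does not match {topic_arn}")
        if s.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: wildcard principal")
    return findings
```

An empty findings list means the policy allows the topic and nothing broader for `sqs:SendMessage`; a policy with no matching Allow is the case that surfaces as a logged and skipped asynchronous delivery.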