AWS offers a traffic mirroring service for capturing and inspecting traffic within a VPC. It lets you create a mirror target, a filter, and a session that replicate traffic from a source network interface to a target instance. The mirrored traffic is used for monitoring and security analysis.
In this Cloud Lab, you’ll explore the VPC Traffic Mirroring service. You’ll start by creating a VPC and capturing the traffic moving in and out of it with VPC Flow Logs. Next, you’ll launch a source EC2 instance in the VPC running a simple Flask API, and a target EC2 instance running Suricata to monitor the mirrored traffic. You’ll then create a metric filter for accepted traffic to the source EC2 instance and an alarm that detects unusually large traffic volumes. This alarm will invoke a Lambda function whose code automates the creation of the traffic mirror target, filter, and session. You’ll then perform SQL injection attacks against the source EC2 instance to trigger the CloudWatch alarm, which invokes the Lambda function and starts the mirroring session. Finally, you’ll capture and monitor the mirrored traffic on the target instance and generate alerts for potential SQL injection attacks.
After completing this Cloud Lab, you’ll be able to use the AWS Traffic Mirroring service to mirror the traffic of your EC2 instances and improve their security monitoring.
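The Lambda step above, creating a mirror target, filter and session when the alarm fires, as an added example written for this page rather than code from the lab itself. It uses the real boto3 EC2 client calls for traffic mirroring; the `SOURCE_ENI_ID`/`TARGET_ENI_ID` environment variable names, the rule numbers, the "all TCP in both directions" filter policy and the `FakeEC2` stand-in (so the module runs offline) are assumptions made here. It also shows two things the lab description implies but does not spell out: the handler only acts on the `ALARM` state, and it refuses to create a second session for a source interface that already has one, so a noisy alarm cannot pile up duplicate sessions.

```python
"""Lambda handler that creates a VPC Traffic Mirror target, filter and session
when a CloudWatch alarm fires. Added example; not the lab's own code.
Assumptions: env var names, rule numbers, the TCP-only filter, and FakeEC2."""
import json
import os


def alarm_state(event):
    """Return the alarm state carried by the event.

    Handles a direct Lambda alarm action (event["alarmData"]) and the
    SNS-wrapped form (Records[0].Sns.Message holds the alarm JSON).
    Assumption: the alarm may be wired either way.
    """
    if "alarmData" in event:
        return event["alarmData"]["state"]["value"]
    records = event.get("Records") or []
    if records and "Sns" in records[0]:
        return json.loads(records[0]["Sns"]["Message"])["NewStateValue"]
    return "UNKNOWN"


def existing_session(ec2, source_eni):
    """Return the id of a mirror session already attached to the source ENI, if any."""
    resp = ec2.describe_traffic_mirror_sessions(
        Filters=[{"Name": "network-interface-id", "Values": [source_eni]}]
    )
    sessions = resp.get("TrafficMirrorSessions", [])
    return sessions[0]["TrafficMirrorSessionId"] if sessions else None


def build_mirror(ec2, source_eni, target_eni, description="auto-mirror"):
    """Create target, filter (accept all TCP both ways) and session; return their ids."""
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description=description
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filter_id = ec2.create_traffic_mirror_filter(Description=description)[
        "TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    # One accept rule per direction so Suricata sees both requests and responses.
    for direction in ("ingress", "egress"):
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id,
            TrafficDirection=direction,
            RuleNumber=100,          # assumed rule number
            RuleAction="accept",
            Protocol=6,              # TCP
            SourceCidrBlock="0.0.0.0/0",
            DestinationCidrBlock="0.0.0.0/0",
        )
    session_id = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni,
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=1,
        Description=description,
    )["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return {"target": target_id, "filter": filter_id, "session": session_id}


def lambda_handler(event, context=None, ec2=None, source_eni=None, target_eni=None):
    """Entry point: act only on ALARM and never attach a second session to the source."""
    if ec2 is None:
        import boto3  # real client when running inside Lambda
        ec2 = boto3.client("ec2")
    if alarm_state(event) != "ALARM":
        return {"status": "skipped"}
    source_eni = source_eni or os.environ["SOURCE_ENI_ID"]  # assumed variable names
    target_eni = target_eni or os.environ["TARGET_ENI_ID"]
    session_id = existing_session(ec2, source_eni)
    if session_id:
        return {"status": "exists", "session": session_id}
    return {"status": "created", **build_mirror(ec2, source_eni, target_eni)}


class FakeEC2:
    """Constructed in-memory stand-in for boto3's EC2 client (offline runs only)."""

    def __init__(self):
        self.sessions, self.rules = [], []

    def create_traffic_mirror_target(self, **kw):
        return {"TrafficMirrorTarget": {"TrafficMirrorTargetId": "tmt-0fake"}}

    def create_traffic_mirror_filter(self, **kw):
        return {"TrafficMirrorFilter": {"TrafficMirrorFilterId": "tmf-0fake"}}

    def create_traffic_mirror_filter_rule(self, **kw):
        self.rules.append(kw)
        return {}

    def create_traffic_mirror_session(self, **kw):
        sid = "tms-%04d" % (len(self.sessions) + 1)
        self.sessions.append({"TrafficMirrorSessionId": sid,
                              "NetworkInterfaceId": kw["NetworkInterfaceId"]})
        return {"TrafficMirrorSession": {"TrafficMirrorSessionId": sid}}

    def describe_traffic_mirror_sessions(self, Filters):
        eni = Filters[0]["Values"][0]
        return {"TrafficMirrorSessions":
                [s for s in self.sessions if s["NetworkInterfaceId"] == eni]}


if __name__ == "__main__":
    # Offline demonstration with placeholder interface ids.
    event = {"alarmData": {"state": {"value": "ALARM"}}}
    print(lambda_handler(event, ec2=FakeEC2(),
                         source_eni="eni-source-placeholder",
                         target_eni="eni-target-placeholder"))
```

Deployed in Lambda, the execution role needs only the four `ec2:CreateTrafficMirror*` permissions plus `ec2:DescribeTrafficMirrorSessions`; keeping the filter to the API's own port rather than all TCP is a sensible tightening once the lab works.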
The following illustration shows the infrastructure you’ll build in this Cloud Lab: