Amazon announced this week a feature which I’m sure many cyber security professionals have been waiting on for a while — the ability to mirror the network traffic of a Virtual Private Cloud (VPC) and direct it towards a single network interface. This is something we’ve been able to do in on-premises environments for many years, and when combined with network monitoring tools, it can be used to generate a security analyst’s favourite data source: packet capture.

Now that Amazon has enabled this feature, you can deploy sensors in your cloud environments to capture, analyse, and alert on suspicious network activity, not just at your gateways, but across your VPC (EDIT: Not entirely true. Amazon, you promised so much!). In an on-prem environment, this would typically require choke points in the security architecture to achieve the same level of monitoring.

There is one primary caveat: the hosts you are monitoring must be Nitro instances. What does this mean? Essentially, you need to make sure you use a relatively new generation of EC2 instances. The hardware behind these instances includes Amazon’s Nitro card, which provides, among other things, NVMe storage and improved network connectivity. Nitro instances have been around since 2017, and the full list of instance types is available in Amazon’s technical documentation. If you have instances that are not Nitro enabled, you can move them to a Nitro instance type using the default AWS instance upgrade process.
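Before planning a deployment, it helps to know which of your running instances can actually be mirror sources. The following is an added example (not from the original post) that classifies instances by whether their type runs on the Nitro hypervisor, using the `Hypervisor` and `BareMetal` fields that `DescribeInstanceTypes` returns; the instance IDs and type descriptions below are constructed sample data, and the `audit_account` helper that pulls live data through boto3 is an assumption about how you would wire it up in practice.

```python
"""Flag EC2 instances whose type is not Nitro-based (so not eligible as a
VPC Traffic Mirroring source). Constructed sample data stands in for the
output of describe_instances() / describe_instance_types()."""

# Constructed sample: the 'InstanceTypes' list from describe_instance_types().
SAMPLE_INSTANCE_TYPES = [
    {"InstanceType": "t2.micro", "Hypervisor": "xen", "BareMetal": False},
    {"InstanceType": "t3.micro", "Hypervisor": "nitro", "BareMetal": False},
    {"InstanceType": "m4.large", "Hypervisor": "xen", "BareMetal": False},
    {"InstanceType": "m5.large", "Hypervisor": "nitro", "BareMetal": False},
    {"InstanceType": "i3.metal", "BareMetal": True},  # no Hypervisor key
]

# Constructed sample: running instances with placeholder instance IDs.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a1", "InstanceType": "t2.micro"},
    {"InstanceId": "i-0a2", "InstanceType": "t3.micro"},
    {"InstanceId": "i-0a3", "InstanceType": "m4.large"},
    {"InstanceId": "i-0a4", "InstanceType": "m5.large"},
    {"InstanceId": "i-0a5", "InstanceType": "i3.metal"},
]


def is_nitro(type_desc):
    """True if the type is virtualised on Nitro, or is bare metal (which runs
    directly on the Nitro System and reports no Hypervisor value)."""
    return type_desc.get("Hypervisor") == "nitro" or type_desc.get("BareMetal", False)


def mirror_eligibility(instances, type_descs):
    """Split instance IDs into (eligible, ineligible) mirror sources, sorted."""
    nitro_types = {d["InstanceType"] for d in type_descs if is_nitro(d)}
    eligible, ineligible = [], []
    for inst in instances:
        bucket = eligible if inst["InstanceType"] in nitro_types else ineligible
        bucket.append(inst["InstanceId"])
    return sorted(eligible), sorted(ineligible)


def audit_account(region):
    """Assumed live wiring: fetch running instances and their type details with
    boto3 (imported here so the classifier above stays usable offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    running = [{"Name": "instance-state-name", "Values": ["running"]}]
    instances = [
        {"InstanceId": i["InstanceId"], "InstanceType": i["InstanceType"]}
        for page in ec2.get_paginator("describe_instances").paginate(Filters=running)
        for res in page["Reservations"] for i in res["Instances"]
    ]
    types = sorted({i["InstanceType"] for i in instances})
    descs = []
    for start in range(0, len(types), 100):  # API accepts up to 100 types per call
        descs.extend(ec2.describe_instance_types(InstanceTypes=types[start:start + 100])["InstanceTypes"])
    return mirror_eligibility(instances, descs)
```

Running `mirror_eligibility(SAMPLE_INSTANCES, SAMPLE_INSTANCE_TYPES)` on the sample data returns the Nitro-based t3, m5 and i3.metal hosts as eligible and the Xen-based t2 and m4 hosts as the ones that need an instance type change first.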