This tool automates the creation and maintenance of VPC Traffic Mirroring Sessions (Individual Network Taps) of Nitro based EC2 instances. Traffic Mirroring enables use of the network to audit the behavior of deployed EC2 instances, by sending a copy of all traffic to a network security product like Vectra Cognito Detect.
Notice: Usage of this tool can lead to significant AWS charges from the network taps created or the NLB data transfer charges. No warranty or recourse is provided.
What this tool solves:
- Automating the creation and removal of Traffic Mirroring Sessions on EC2 instances.
- 'healing' the intended state of Traffic Mirroring Sessions after EC2 instances are created or destroyed, when this tool is triggered or scheduled to automatically run.
The tool can selectively tap any VPCs in one AWS account, as well as tap each ENI (Elastic Network Interface) attached to an EC2.
Enrollment Mode: This setting is configured at the VPC level using the vpc_config tool. The default mode is Auto.
- Auto Enrollment (with blacklisting): All discovered running instances will be tapped, except for those which are blacklisted.
- Whitelist Enrollment: No instances are tapped, except those which are whitelisted. (Blacklist does not apply).
[Figure: AWS VPC Traffic Mirroring Architecture]
These configuration scripts (session_mirror_blacklist, session_mirror_whitelist, session_mirror_config_vpc) do the following:
- For each VPC that should be monitored, denote a Traffic Mirroring Target and an instance Enrollment Mode by applying AWS Tags to the VPC
- [Optional] Create an AWS NLB (network load balancer) to be the target of Mirroring Sessions
- For each EC2 that should be blacklisted from having a Mirroring Session, denote that by applying AWS Tags to the EC2 instance
- [Optional] When using whitelist Enrollment Mode, denote instances that should participate by applying AWS Tags to the EC2 instance
The runtime script (session_mirror_tap) does the following:
- Create Traffic Mirroring Filters suitable for use with Vectra Cognito Detect (copy all possible traffic including DNS)
- Discover all eligible instances (currently only Nitro based instances are supported) in each VPC, and their respective ENIs
- Create or remove Mirroring Sessions on each ENI according to VPC Configuration, blacklist, whitelists, and AWS instance state.
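The reconciliation rule implied by the two enrollment modes and the runtime steps above, written out as an added example (this is not the tool's own code, nor Vectra's): running Nitro instances are selected per the VPC's mode, the selected ENIs are compared with the sessions that already exist, and the difference becomes the create/delete work. The tag keys, the set of Nitro instance types, the filter id and the sample inventory are assumptions constructed for the example; the dictionaries mimic the fields boto3's describe_vpcs, describe_instances and describe_traffic_mirror_sessions return, so it runs offline.

```python
"""Added example: plan Traffic Mirror Session changes for one VPC.

VPC, instance and session records are constructed by hand in the shape of the
fields that ec2.describe_vpcs / describe_instances / describe_traffic_mirror_sessions
return. Tag keys, Nitro type list and ids are assumptions, not the tool's own.
"""

# Assumed tag conventions (hypothetical).
VPC_MODE_TAG = "Example:MirrorEnrollment"        # "auto" (default) or "whitelist"
VPC_TARGET_TAG = "Example:MirrorTarget"          # a tmt-... Traffic Mirror Target id
INSTANCE_BLACKLIST_TAG = "Example:MirrorBlacklist"
INSTANCE_WHITELIST_TAG = "Example:MirrorWhitelist"

# Assumed: in practice derive this from describe_instance_types (Hypervisor == "nitro").
NITRO_TYPES = {"c5.large", "m5.large"}


def tag_map(resource):
    """Flatten the AWS [{"Key": .., "Value": ..}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def enrollment_mode(vpc):
    return tag_map(vpc).get(VPC_MODE_TAG, "auto").lower()


def desired_enis(vpc, instances, nitro_types=NITRO_TYPES):
    """ENIs that should carry a session: running Nitro instances, filtered by
    the VPC's mode (auto with blacklist, or whitelist only)."""
    mode = enrollment_mode(vpc)
    wanted = set()
    for inst in instances:
        if inst["State"]["Name"] != "running" or inst["InstanceType"] not in nitro_types:
            continue
        t = tag_map(inst)
        if mode == "whitelist":
            if t.get(INSTANCE_WHITELIST_TAG, "").lower() != "true":
                continue          # blacklist is ignored in whitelist mode
        elif t.get(INSTANCE_BLACKLIST_TAG, "").lower() == "true":
            continue              # auto mode: everything except blacklisted
        wanted.update(eni["NetworkInterfaceId"] for eni in inst["NetworkInterfaces"])
    return wanted


def plan_sessions(vpc, instances, existing_sessions, filter_id, nitro_types=NITRO_TYPES):
    """Return (create_params, delete_session_ids) so that afterwards exactly the
    desired ENIs have a session pointing at the VPC's tagged target."""
    target_id = tag_map(vpc)[VPC_TARGET_TAG]
    desired = desired_enis(vpc, instances, nitro_types)
    current = {s["NetworkInterfaceId"]: s["TrafficMirrorSessionId"] for s in existing_sessions}
    create = [
        {   # keyword arguments for ec2.create_traffic_mirror_session
            "NetworkInterfaceId": eni,
            "TrafficMirrorTargetId": target_id,
            "TrafficMirrorFilterId": filter_id,
            "SessionNumber": 1,   # sessions on one ENI are evaluated in ascending order
        }
        for eni in sorted(desired - set(current))
    ]
    delete = [current[eni] for eni in sorted(set(current) - desired)]
    return create, delete


def all_traffic_filter_rules():
    """Rule parameters (for ec2.create_traffic_mirror_filter_rule) that accept
    every inbound and outbound packet, so DNS and everything else is copied."""
    return [
        {"TrafficDirection": d, "RuleNumber": 100, "RuleAction": "accept",
         "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"}
        for d in ("ingress", "egress")
    ]


# --- constructed sample inventory (not real AWS data) -----------------------
VPC = {"VpcId": "vpc-0example", "Tags": [{"Key": VPC_TARGET_TAG, "Value": "tmt-0example"}]}


def instance(iid, itype, state, enis, **tags):
    return {"InstanceId": iid, "InstanceType": itype, "State": {"Name": state},
            "NetworkInterfaces": [{"NetworkInterfaceId": e} for e in enis],
            "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}


INSTANCES = [
    instance("i-0a", "c5.large", "running", ["eni-a1", "eni-a2"]),
    instance("i-0b", "m5.large", "running", ["eni-b1"], **{INSTANCE_BLACKLIST_TAG: "true"}),  # sensor
    instance("i-0c", "c5.large", "stopped", ["eni-c1"]),
    instance("i-0d", "m4.large", "running", ["eni-d1"]),   # Xen-based, unsupported
    instance("i-0e", "c5.large", "running", ["eni-e1"], **{INSTANCE_WHITELIST_TAG: "true"}),
]
# Sessions already present: one still wanted, one on a stopped instance, one orphaned.
SESSIONS = [
    {"NetworkInterfaceId": "eni-a1", "TrafficMirrorSessionId": "tms-0a1"},
    {"NetworkInterfaceId": "eni-c1", "TrafficMirrorSessionId": "tms-0c1"},
    {"NetworkInterfaceId": "eni-x9", "TrafficMirrorSessionId": "tms-0x9"},
]

if __name__ == "__main__":
    create, delete = plan_sessions(VPC, INSTANCES, SESSIONS, "tmf-0example")
    print("create on:", [c["NetworkInterfaceId"] for c in create])
    print("delete:", delete)
```

Running the planner against the same inventory with the VPC tagged "whitelist" flips the result: only the whitelisted instance keeps a session and every other existing session is scheduled for removal, which is the 'healing' behaviour described above, driven purely by tags and instance state.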
- Python 3.6+
- virtualenv
- AWS credentials with appropriate permissions (configured by any method boto3 recognizes, for example with the AWS CLI)
- Clone this repo
git clone git@github.com:vectranetworks/AWS-Session-Mirroring-Tool.git
- Install AWS credentials. Any method recognized by boto3 should work (~/.aws/credentials, environment variables)
- Install the scripts
python setup.py install
- Update the repo (or reclone)
git pull
- Rebuild
python setup.py build
- Reinstall
python setup.py install
Before Traffic Mirroring can take place, each VPC must have a Mirror Target configured. Any instances that should not participate (Vectra Sensor/Brain) should then be blacklisted. This is done by applying tags inside the AWS Account.
- Blacklist individual instances by instance id or comma separated list of instance ids:
session_mirror_blacklist (Interactive)
- Configure the VPCs which should participate in Traffic Mirroring:
session_mirror_config_vpc (Interactive)
After configuration is complete or updated, run the 'session_mirror_tap' command; run it again any time an EC2 instance is launched or removed in the account. This step creates the Traffic Mirroring Sessions, which will start sending traffic to the Mirror Target. If there isn't routable connectivity between the Mirror Session and the Mirror Target, no traffic will arrive at the target.
session_mirror_tap (Unattended)
- Set up the Virtualenv
./venv.sh
source .venv/bin/activate
- Run the config tools
python -m aws_network_tap.config_vpc
python -m aws_network_tap.blacklist
- Run the tap
python -m aws_network_tap.tap