IDS/IPS on AWS: Key Services and Patterns

Importance of IDS/IPS on AWS

AWS’s shared responsibility model ensures that AWS protects the infrastructure that customers use to run their workloads. All AWS services are built with security as the top priority. Customers are still responsible for the security of their workloads within the cloud. This includes protecting their applications and data against malicious threats and intrusions, including but not limited to DDOS attacks, malware injection, and data breaches. (This post further introduces the concepts of Cloud IDS)

Intrusion detection and prevention systems are therefore an important part of any cloud security and compliance strategy. Some customers, especially in highly regulated industries, such as financial institutions or healthcare organizations, may be more sensitive to security threats and data breaches than others. It is important that customers have the appropriate level of protection in place to protect their data and applications.

IDD/IPS solutions and managed services on AWS provide comprehensive monitoring and mitigation capabilities, as well as real-time visibility into anomalies within an AWS environment, thereby improving the organization’s security posture.

AWS Services for IDS/IPS

Staying true to it’s philosophy, AWS offers many building blocks that its customers can use to build their own IDS/IPS solution based on their needs. In addition, many AWS partners, such as Trend Micro, Barracuda, Alert Logic offer their own IDS/IPS solutions through AWS marketplace.

This building block nature of AWS services has many advantages, but this also means that organizations with workloads on AWS need to carefully select and configure the security services they need to build an effective IDS/IPS solution.

The four AWS services that play a key role in building an IDS/IPS solution are – AWS Network Firewall, Amazon Guard Duty, AWS Web Application Firewall, and AWS Security Hub

AWS Network Firewall

AWS Network Firewall service allows for transparent monitoring, inspection and protection of network traffic at scale, both external as well as internal network traffic. AWS Network Firewall supports centralized as well as distributed deployment models and scales with your traffic.

AWS Network firewall is deployed as an endpoint similar to VPC endpoint with a big difference in that it can be used as a target in the VPC route table.

At this core, Network Firewall provides a routing and stateful inspection ability of ingress and egress subnet traffic.

You can use Network Firewall in conjunction with AWS Guard Duty to deploy a IPS solution that not just detects but also responds to threats in real-time.

Related Reading: AWS Network Firewall Interview Guide

Amazon GuardDuty

Amazon GuardDuty is a managed threat detection service that continuously monitors your AWS account for malicious activities. Guard Duty surfaces potential security issues that can indicate a compromised workload, instance or credentials.

Guard Duty leverages several data sources from the target AWS account such as cloud trail events, logs generated by various services and workloads and analyzes them using continuously updated threat patterns and threat intelligence feeds. GuardDuty is a valuable service in building IDS/IPS on AWS since it provides continuous monitoring, threat detection, and automated response capabilities

AWS Web Application Firewall

AWS WAF is a web application firewall that helps protect your applications against threats and intrusions due to common web exploits. AWS WAF can protect AWS CloudFront, AWS Load Balancer, API Gateway and AWS AppSync from malicious ingress traffic.

WAF can be deployed with AWS managed rulesets or your custom rules to protect your web applications and endpoints.

AWS Security Hub

AWS Security Hub helps continuously aggregate security findings from different AWS services such as Guard Duty, Inspector and WAF. It provides a unified console view for customers to easily identify and investigate potential security issues across their entire environment.

How to implement IDS/IPS on AWS

Pattern 1: EC2 with Suricata on AWS

In this pattern, you deploy Suricata, an open-source IDS on an EC2 instance, and use VPC’s traffic mirroring feature to make for troubleshooting, content inspection, and threat monitoring via Suricata.

Source: Amazon EC2 with Suricata on the AWS Cloud

This AWS quickstart provides CloudFormation templates for reference deployments and walks through the architecture, planning, and configuration of this solution.

Related Reading: AWS VPC Best Practices Guide

Pattern 2: IDS & IPS Using AWS Network Firewall and Amazon GuardDuty

This blog post from AWS presents a pattern to leverage AWS Network Firewall and GuardDuty to rapidly detect and contain the impact of security events while allowing additional time for follow-up investigations and analysis.

Image Source: Automated Security Response on AWS

In this pattern, the response steps to block ingress and egress traffic from/to the malicious source are coded as Step Function Lambdas and are invoked on GuardDuty’s detection of potential threats.

Pattern 3: Automated Security Response with AWS Security Hub

This add-on solution by AWS works with AWS Security Hub to help you quickly react to threats by configuring remediation actions based on your industry’s compliance standards or your requirements.

Image Source: Automated Security Response with AWS Security Hub.

The solution comprises of four main workflows – detect, ingest, remediate, and log and leverages other AWS Services besides Security Hub such as CloudWatch, SSM, AWS Step Function, AWS Lambda and Amazon SNS.


AWS provides a wide range of security services that you can leverage to protect your AWS infrastructure and workloads from intrusions and attacks. IDS/IPS solutions on AWS can be deployed in many different ways depending on your requirements, industry compliance standards and the use case at hand. The best IDS/IPS on AWS really depends on your own security needs, environment and budget.

Related Reading

Frequently Asked Questions for IDS/IPS on AWS

Is GuardDuty an IDS?

Yes, Amazon GuardDuty is a managed threat detection service that functions as an IDS by continuously monitoring for malicious activities in AWS accounts.

Does AWS provide IDS?

Yes, AWS offers services like AWS Network Firewall and Amazon GuardDuty, which can be used to create IDS solutions.

What is the difference between Amazon Inspector and GuardDuty?

Amazon Inspector focuses on assessing applications for vulnerabilities and deviations from best practices, while GuardDuty is a threat detection service that monitors for malicious or unauthorized activity.

Is AWS Network Firewall an IDS?

AWS Network Firewall can be configured to function as an IDS by providing transparent monitoring, inspection, and protection of network traffic.

Can AWS Security Hub be used for intrusion detection?

AWS Security Hub primarily aggregates security findings from various AWS services but can indirectly aid in intrusion detection by providing a unified view of potential security issues.

How does AWS Network Firewall help in intrusion prevention?

AWS Network Firewall supports stateful packet inspection and custom rules, enabling it to prevent intrusions by filtering malicious network traffic.

What is the role of AWS WAF in cloud security?

AWS Web Application Firewall (WAF) protects web applications from common web exploits and attacks, enhancing cloud security.

Can Amazon GuardDuty respond to threats automatically?

Yes, Amazon GuardDuty can automatically respond to detected threats, especially when integrated with other AWS services for automated remediation.

Is Suricata available on AWS for IDS?

Yes, Suricata, an open-source IDS, can be deployed on AWS EC2 instances and used with VPC traffic mirroring for intrusion detection.

How do AWS services integrate for a comprehensive IDS/IPS solution?

AWS services like Network Firewall, GuardDuty, WAF, and Security Hub can be integrated to create a comprehensive IDS/IPS solution, offering detection, prevention, and security management.