Importance of IDS/IPS on AWS
AWS’s shared responsibility model ensures that AWS protects the infrastructure that customers use to run their workloads. All AWS services are built with security as the top priority. Customers are still responsible for the security of their workloads within the cloud. This includes protecting their applications and data against malicious threats and intrusions, including but not limited to DDOS attacks, malware injection, and data breaches. (This post further introduces the concepts of Cloud IDS)
Intrusion detection and prevention systems are therefore an important part of any cloud security and compliance strategy. Some customers, especially in highly regulated industries, such as financial institutions or healthcare organizations, may be more sensitive to security threats and data breaches than others. It is important that customers have the appropriate level of protection in place to protect their data and applications.
IDD/IPS solutions and managed services on AWS provide comprehensive monitoring and mitigation capabilities, as well as real-time visibility into anomalies within an AWS environment, thereby improving the organization’s security posture.
AWS Services for IDS/IPS
Staying true to it’s philosophy, AWS offers many building blocks that its customers can use to build their own IDS/IPS solution based on their needs. In addition, many AWS partners, such as Trend Micro, Barracuda, Alert Logic offer their own IDS/IPS solutions through AWS marketplace.
This building block nature of AWS services has many advantages, but this also means that organizations with workloads on AWS need to carefully select and configure the security services they need to build an effective IDS/IPS solution.
The four AWS services that play a key role in building an IDS/IPS solution are – AWS Network Firewall, Amazon Guard Duty, AWS Web Application Firewall, and AWS Security Hub
AWS Network Firewall
AWS Network Firewall service allows for transparent monitoring, inspection and protection of network traffic at scale, both external as well as internal network traffic. AWS Network Firewall supports centralized as well as distributed deployment models and scales with your traffic.
AWS Network firewall is deployed as an endpoint similar to VPC endpoint with a big difference in that it can be used as a target in the VPC route table.
At this core, Network Firewall provides a routing and stateful inspection ability of ingress and egress subnet traffic.
You can use Network Firewall in conjunction with AWS Guard Duty to deploy a IPS solution that not just detects but also responds to threats in real-time.
Related Reading: AWS Network Firewall Interview Guide
Amazon GuardDuty is a managed threat detection service that continuously monitors your AWS account for malicious activities. Guard Duty surfaces potential security issues that can indicate a compromised workload, instance or credentials.
Guard Duty leverages several data sources from the target AWS account such as cloud trail events, logs generated by various services and workloads and analyzes them using continuously updated threat patterns and threat intelligence feeds. GuardDuty is a valuable service in building IDS/IPS on AWS since it provides continuous monitoring, threat detection, and automated response capabilities
AWS Web Application Firewall
AWS WAF is a web application firewall that helps protect your applications against threats and intrusions due to common web exploits. AWS WAF can protect AWS CloudFront, AWS Load Balancer, API Gateway and AWS AppSync from malicious ingress traffic.
WAF can be deployed with AWS managed rulesets or your custom rules to protect your web applications and endpoints.
AWS Security Hub
AWS Security Hub helps continuously aggregate security findings from different AWS services such as Guard Duty, Inspector and WAF. It provides a unified console view for customers to easily identify and investigate potential security issues across their entire environment.
How to implement IDS/IPS on AWS
Pattern 1: EC2 with Suricata on AWS
In this pattern, you deploy Suricata, an open-source IDS on an EC2 instance, and use VPC’s traffic mirroring feature to make for troubleshooting, content inspection, and threat monitoring via Suricata.
This AWS quickstart provides CloudFormation templates for reference deployments and walks through the architecture, planning, and configuration of this solution.
Related Reading: AWS VPC Best Practices Guide
Pattern 2: IDS & IPS Using AWS Network Firewall and Amazon GuardDuty
This blog post from AWS presents a pattern to leverage AWS Network Firewall and GuardDuty to rapidly detect and contain the impact of security events while allowing additional time for follow-up investigations and analysis.
In this pattern, the response steps to block ingress and egress traffic from/to the malicious source are coded as Step Function Lambdas and are invoked on GuardDuty’s detection of potential threats.
Pattern 3: Automated Security Response with AWS Security Hub
This add-on solution by AWS works with AWS Security Hub to help you quickly react to threats by configuring remediation actions based on your industry’s compliance standards or your requirements.
The solution comprises of four main workflows – detect, ingest, remediate, and log and leverages other AWS Services besides Security Hub such as CloudWatch, SSM, AWS Step Function, AWS Lambda and Amazon SNS.
AWS provides a wide range of security services that you can leverage to protect your AWS infrastructure and workloads from intrusions and attacks. IDS/IPS solutions on AWS can be deployed in many different ways depending on your requirements, industry compliance standards and the use case at hand. The best IDS/IPS on AWS really depends on your own security needs, environment and budget.