VPC Traffic Mirroring in Use

Risk Level: Medium (should be achieved)

Ensure that the VPC Traffic Mirroring feature is enabled and configured for your Amazon Virtual Private Cloud (VPC) networks in order to gain insight into your VPC traffic, and enable the ability to perform network and security analytics.

Security

Performance
efficiency

When working with production and business-critical workloads, you may need to keep an ever-watchful eye out for unusual traffic patterns or content that could indicate a network intrusion, a compromised EC2 instance, or some other anomaly. VPC Traffic Mirroring is a new AWS cloud feature that you or your security teams can use with existing Virtual Private Clouds (VPCs) to capture and inspect network traffic at scale. The monitoring feature will allow you to:

Detect network and security anomalies – this enables you to extract traffic of interest from any workload within a VPC network and route it to the detection tools of your choice. You can detect and respond to network-based attacks more quickly than is possible with traditional log-based tools.
Gain operational insights – allows you to use VPC Traffic Mirroring feature to get the level of visibility and control that will let you make better decisions when it comes to your network security.
Implement compliance and security controls – this helps you meet regulatory and compliance requirements that mandate monitoring, logging, and so on.
Troubleshoot issues – allows you to mirror application traffic internally for testing and troubleshooting. This is useful for analyzing traffic patterns and proactively locate the bottlenecks that can impair the performance of your cloud applications.

Note: As an example, this conformity rule demonstrates how to identify, create, and configure VPC Traffic Mirroring resources associated with Elastic Network Interfaces (ENIs).

Audit

To determine if VPC Traffic Mirroring is used for your Amazon VPC networks, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under TRAFFIC MIRRORING, choose Mirror sessions to access your VPC traffic mirror sessions. A traffic mirror session establishes a relationship between a traffic mirror source and a traffic mirror target and sends mirrored packets from the source to the target so that you can monitor and analyze that traffic for security and performance purposes.

05 In the Traffic mirror sessions section, search for any mirror sessions created for the selected VPC network, within the current AWS region. If there are no traffic mirror sessions available in the Traffic mirror sessions section, instead the following message is displayed: "No traffic mirror sessions found. You do not have any traffic mirror sessions in this region.", the VPC Traffic Mirroring feature is not enabled for the selected Amazon VPC network.

06 Repeat steps no. 3 – 5 for each VPC network available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) to list the IDs of all the Amazon VPC networks available in the selected AWS region:

aws ec2 describe-vpcs
  --region us-east-1
  --output table
  --query 'Vpcs[*].VpcId'

02 The command output should return the requested VPC identifiers (IDs):

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-abcdabcd  |
|  vpc-abcd1234  |
|  vpc-1234abcd  |
+----------------+

03 Run describe-network-interfaces command (OSX/Linux/UNIX) using the ID of the VPC network that you want to examine as the identifier parameter and custom query filtering to describe the ID of each Elastic Network Interface (ENI) provisioned within the selected VPC:

aws ec2 describe-network-interfaces
  --region us-east-1
  --filters Name=vpc-id,Values=vpc-abcdabcd
  --query 'NetworkInterfaces[*].NetworkInterfaceId'

04 The command output should return the requested ENI identifiers:

[
	"eni-0abcd1234abcd1234",
	"eni-01234abcd1234abcd"
]

05 Run describe-traffic-mirror-sessions command (OSX/Linux/UNIX) using the ID of the Elastic Network Interface (ENI) that you want to examine as the identifier parameter and custom query filters to describe the configuration metadata available for the VPC traffic mirror session created for the selected network interface. A traffic mirror session is a connection between a traffic mirror source and a traffic mirror target that makes use of a filter in order to allow you to monitor and analyze your network traffic for security and performance purposes:

aws ec2 describe-traffic-mirror-sessions
  --region us-east-1
  --filters Name=network-interface-id,Values=eni-0abcd1234abcd1234
  --query 'TrafficMirrorSessions'

06 The command output should return the requested configuration information:

[]

If the describe-traffic-mirror-sessions command output returns an empty array (i.e. []), as shown in the example above, there are no traffic mirror sessions available, therefore the VPC Traffic Mirroring feature is not enabled for the selected VPC network.

07 Repeat steps no. 5 and 6 to check the feature status for other network interfaces created within the selected Virtual Private Cloud (VPC). If no traffic mirror sessions are found, the VPC Traffic Mirroring feature is not enabled for the selected Amazon VPC network.

08 Repeat steps no. 3 – 7 for each VPC network available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable and configure the VPC Traffic Mirroring feature for your Amazon Virtual Private Cloud (VPC) networks, perform the following actions:

Note: Make sure that the following conditions are met before you configure VPC Traffic Mirroring:

The traffic mirror source and target are either in the same VPC, or in different VPCs connected via VPC peering or a Transit Gateway.

The traffic mirror target instance allows traffic to UDP port 4789.

The traffic mirror source has a route table entry for the traffic mirror target.

There are no security group rules or network ACLs on the traffic mirror target that drop the mirrored traffic from the traffic mirror source.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"VPCNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16"
			}
		},
		"TrafficMirrorTarget": {
			"Type": "AWS::EC2::TrafficMirrorTarget",
			"Properties": {
				"NetworkInterfaceId": "eni-0abcd1234abcd1234"
			}
		},
		"TrafficMirrorFilter": {
			"Type": "AWS::EC2::TrafficMirrorFilter",
			"Properties": {
				"Description": "TCP Traffic Filter"
			}
		},
		"TrafficMirrorFilterRule": {
			"Type": "AWS::EC2::TrafficMirrorFilterRule",
			"Properties": {
				"RuleNumber": 1,
				"RuleAction": "accept",
				"SourceCidrBlock": "0.0.0.0/0",
				"DestinationCidrBlock": "0.0.0.0/0",
				"TrafficDirection": "ingress",
				"TrafficMirrorFilterId": {
					"Ref": "TrafficMirrorFilter"
				}
			}
		},
		"TrafficMirrorSession": {
			"Type": "AWS::EC2::TrafficMirrorSession",
			"Properties": {
				"NetworkInterfaceId": "eni-0abcd1234abcd1234",
				"TrafficMirrorTargetId": {
					"Ref": "TrafficMirrorTarget"
				},
				"TrafficMirrorFilterId": {
					"Ref": "TrafficMirrorFilter"
				},
				"SessionNumber": 1,
				"PacketLength": 25
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	VPCNetwork:
		Type: AWS::EC2::VPC
		Properties:
		CidrBlock: 10.0.0.0/16
	TrafficMirrorTarget:
		Type: AWS::EC2::TrafficMirrorTarget
		Properties:
		NetworkInterfaceId: eni-0abcd1234abcd1234
	TrafficMirrorFilter:
		Type: AWS::EC2::TrafficMirrorFilter
		Properties:
		Description: TCP Traffic Filter
	TrafficMirrorFilterRule:
		Type: AWS::EC2::TrafficMirrorFilterRule
		Properties:
		RuleNumber: 1
		RuleAction: accept
		SourceCidrBlock: '0.0.0.0/0'
		DestinationCidrBlock: '0.0.0.0/0'
		TrafficDirection: ingress
		TrafficMirrorFilterId: !Ref 'TrafficMirrorFilter'
	TrafficMirrorSession:
		Type: AWS::EC2::TrafficMirrorSession
		Properties:
		NetworkInterfaceId: eni-0abcd1234abcd1234
		TrafficMirrorTargetId: !Ref 'TrafficMirrorTarget'
		TrafficMirrorFilterId: !Ref 'TrafficMirrorFilter'
		SessionNumber: 1
		PacketLength: 25

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_vpc" "vpc-network" {
	cidr_block = "10.0.0.0/16"
}

resource "aws_security_group" "security-group" {
	name        = "allow-tcp-traffic"
	vpc_id      = "vpc-0123456789abcdef0"
	ingress {
	from_port        = 0
	to_port          = 0
	protocol         = "tcp"
	cidr_blocks      = ["0.0.0.0/0"]
	}
	egress {
	from_port        = 0
	to_port          = 0
	protocol         = "-1"
	cidr_blocks      = ["0.0.0.0/0"]
	}
}

resource "aws_traffic_mirror_target" "traffic-mirror-target"" {
	network_interface_id = "eni-0abcd1234abcd1234"
}

resource "aws_traffic_mirror_filter" "traffic-mirror-filter" {
	description = "TCP Traffic Filter"
}

resource "aws_traffic_mirror_filter_rule" "traffic-filter-inbound-rule" {
	traffic_mirror_filter_id = aws_traffic_mirror_filter.traffic-mirror-filter.id
	source_cidr_block        = "0.0.0.0/0"
	destination_cidr_block   = "0.0.0.0/0"
	rule_number              = 1 
	rule_action              = "accept"
	traffic_direction        = "ingress"
	protocol                 = 6
	destination_port_range {
	from_port = 1 
	to_port   = 65535
	}
	source_port_range {
	from_port = 1 
	to_port   = 65535
	}
}

resource "aws_traffic_mirror_session" "traffic-mirror-session" {
	traffic_mirror_filter_id = aws_traffic_mirror_filter.traffic-mirror-filter.id
	traffic_mirror_target_id = aws_traffic_mirror_target.traffic-mirror-target.id
	network_interface_id     = "eni-0abcd1234abcd1234"
	session_number           = 1 
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to reconfigure from the Select a VPC dropdown menu.

04 In the navigation panel, under TRAFFIC MIRRORING, choose Mirror Targets to create the traffic mirror target required. A VPC traffic mirror target is a destination for the mirrored traffic and it can be an Elastic Network Interface (ENI) or a Network Load Balancer (NLB) that serves as a destination for the mirrored traffic.

05 Choose Create traffic mirror target to initiate the VPC traffic mirror target setup process.

06 On the Create traffic mirror target setup page, perform the following operations:

(Optional) For Name tag – optional, provide a unique name for the new traffic mirror target.
(Optional) For Description – optional, enter a short description for the traffic mirror target.
Choose the traffic mirror target type from the Target type dropdown menu. The target type must be either an Elastic Network Interface (ENI) or a Network Load Balancer (NLB).
Choose the traffic mirror target resource from the Target dropdown list.
(Optional) For Tags – optional, choose Add new tag to create one or more tag sets for your VPC resource. You can use tags to search and filter your resources or track your AWS costs.
Choose Create to deploy your new VPC traffic mirror target.

07 In the navigation panel, under TRAFFIC MIRRORING, choose Mirror Filters to create a new traffic mirror filter. A VPC traffic mirror filter represents a specification of the inbound or outbound traffic that is to be captured (accepted) or skipped (rejected). The traffic mirror filter can specify a protocol, ranges for the source and destination ports, and CIDR blocks for the source and destination. Rules are numbered, and processed in order within the scope of a particular VPC Mirror session

08 Choose Create traffic mirror filter to initiate the VPC traffic mirror filter setup.

09 On the Create traffic mirror filter setup page, perform the following actions:

(Optional) For Name tag – optional, provide a unique name for the traffic mirror filter.
(Optional) For Description – optional, enter a short description for the traffic mirror filter.
(Optional) For Network services – optional, select amazon-dns to mirror Amazon DNS traffic.
In the Inbound rules – optional configuration section, choose Add rule, and specify the following information about the traffic mirror source inbound traffic. A traffic mirror source is an AWS network resource that exists within the specified VPC, that can be used as the source of traffic. VPC Traffic Mirroring feature supports the use of Elastic Network Interfaces (ENIs) as mirror sources:
- For Number, enter a priority number to assign to the inbound rule.
- For Rule action, choose the action to take for the packet (accept or reject).
- From the Protocol dropdown list, choose the Layer 4 (L4) protocol to assign to the inbound rule.
- (Optional) Enter the source port range in the Source port range – optional box.
- (Optional) Enter the destination port range in the Destination port range – optional box.
- In the Source CIDR block box, enter a source CIDR block.
- In the Destination CIDR block box, provide a destination CIDR block.
- (Optional) Provide a short description for the new rule in the Description box.
- Repeat the previous steps for each inbound rule that you want to add.
In the Outbound rules – optional configuration section, choose Add rule, and specify the following information about the traffic mirror source outbound traffic:
- For Number, enter a priority number to assign to the outbound rule.
- For Rule action, choose the action to take for the traffic packet.
- From the Protocol dropdown list, choose the L4 protocol to assign to the outbound rule.
- (Optional) Enter the source port range in the Source port range – optional box.
- (Optional) Enter the destination port range in the Destination port range – optional box.
- In the Source CIDR block box, enter a source CIDR block.
- In the Destination CIDR block box, provide a destination CIDR block.
- (Optional) Provide a short description for the new rule in the Description box.
- Repeat the previous steps for each outbound rule that you want to add to your filter.
(Optional) If required, create one or more tag sets using the Add new tag button available in the Tags – optional section.
Choose Create to create your VPC traffic mirror filter. Click Close to return to the Amazon VPC console.

10 In the navigation panel, under TRAFFIC MIRRORING, choose Mirror Sessions to create a new traffic mirror session. A VPC traffic mirror session is a connection between a mirror source and target that makes use of a filter. Sessions are numbered, evaluated in order, and the first match (accept or reject) is used to determine the fate of the packet.

11 Choose Create traffic mirror session to initiate the VPC traffic mirror session setup.

12 On the Create traffic mirror session setup page, perform the following operations:

(Optional) For Name tag – optional, provide a unique name for the traffic mirror session.
(Optional) For Description – optional, give a short description for the traffic mirror session.
For Mirror source, choose the Elastic Network Interface (ENI) of the EC2 instance that you want to monitor.
For Mirror target, choose the traffic mirror target created at step no. 6.
In the Additional settings section, provide the following information:
- Enter the session number in the Session number box. The session number determines the order that traffic mirror sessions are evaluated when an interface is used by multiple sessions and when an interface is used by different traffic mirror targets and traffic mirror filters. The traffic is only mirrored one time. Use 1 for the highest priority.
- (Optional) In the VNI – optional configuration box, provide the unique VXLAN network identifier that is included in the encapsulated mirrored packet that is sent to the target. A random unique VNI will be chosen unless specified.
- (Optional) For Packet Length – optional, enter the number of bytes in each packet to mirror. To mirror the entire traffic packet, do not enter a value in the Packet Length box.
- For Filter, choose the traffic mirror filter that determines what traffic gets mirrored, created at step no. 9.
(Optional) Create one or more tag sets using the Add new tag button available in the Tags – optional section. You can use tags to search and filter your resources or track your AWS cloud costs.
Choose Create to deploy your VPC traffic mirror session.

13 Once your traffic mirror session is created, the VPC traffic from your mirror source that matches the filter defined at step no. 9 is encapsulated as specified in RFC 7348 and delivered to your mirror target. Now you can use your preferred network monitoring tools to capture, analyze, and visualize it.

14 Repeat steps no. 3 – 13 to enable and configure VPC traffic mirroring for each VPC network available within the current AWS region.

15 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-traffic-mirror-target command (OSX/Linux/UNIX) to create the required traffic mirror target. A VPC traffic mirror target is a destination for the mirrored traffic. This can be an Elastic Network Interface (ENI) or a Network Load Balancer (NLB). The following command request example, creates a traffic mirror target resource named "cc-project5-traffic-mirror-target", that is associated with an AWS Elastic Network Interface identified by the ID "eni-0abcd1234abcd1234":

aws ec2 create-traffic-mirror-target
  --region us-east-1
  --description "Elastic Network Interface Target"
  --network-interface-id eni-0abcd1234abcd1234
  --tag-specifications ResourceType=traffic-mirror-target,Tags=["{Key='Name',Value='cc-project5-traffic-mirror-target'}"]

02 The command output should return the metadata available for the new traffic mirror target resource:

{
	"TrafficMirrorTarget": {
		"Description": "Elastic Network Interface Target",
		"Tags": [
			{
				"Value": "cc-project5-traffic-mirror-target",
				"Key": "Name"
			}
		],
		"NetworkInterfaceId": "eni-0abcd1234abcd1234",
		"TrafficMirrorTargetId": "tmt-0abcdabcdabcdabcd",
		"OwnerId": "123456789012",
		"Type": "network-interface"
	},
	"ClientToken": "12341234-abcd-1234-abcd-1234abcd1234"
}

03 Run create-traffic-mirror-filter command (OSX/Linux/UNIX) to create a new VPC traffic mirror filter. A traffic mirror filter is a set of rules that defines the traffic to mirror. A traffic mirror filter contains one or more traffic mirror rules and a set of AWS network services. The filters and their rules define the traffic that is mirrored:

aws ec2 create-traffic-mirror-filter
  --region us-east-1
  --description "TCP Traffic Filter"
  --tag-specifications ResourceType=traffic-mirror-filter,Tags=["{Key='Name',Value='cc-project5-traffic-mirror-filter'}"]

04 The command output should return the metadata available for the newly created traffic mirror filter:

{
	"TrafficMirrorFilter": {
		"Description": "TCP Traffic Filter",
		"Tags": [
			{
				"Value": "cc-project5-traffic-mirror-filter",
				"Key": "Name"
			}
		],
		"EgressFilterRules": [],
		"NetworkServices": [],
		"TrafficMirrorFilterId": "tmf-0abcdabcdabcdabcd",
		"IngressFilterRules": []
	},
	"ClientToken": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

05 Run create-traffic-mirror-filter-rule command (OSX/Linux/UNIX) to create a traffic mirror filter rule. A VPC traffic mirror filter rule defines the traffic mirror source traffic to mirror. Use the --traffic-mirror-filter-id to reference the traffic mirror filter to configure. The following command example creates a filter rule that can be used to mirror all incoming TCP traffic. Repeat this step to create as many traffic filter rules as needed:

aws ec2 create-traffic-mirror-filter-rule
  --region us-east-1
  --description "TCP Filter Rule"
  --destination-cidr-block 0.0.0.0/0
  --protocol 6
  --rule-action accept
  --rule-number 1
  --source-cidr-block 0.0.0.0/0
  --traffic-direction ingress
  --traffic-mirror-filter-id tmf-0abcdabcdabcdabcd

06 The command output should return the metadata available for the new traffic mirror filter rule:

{
	"TrafficMirrorFilterRule": {
		"DestinationCidrBlock": "0.0.0.0/0",
		"RuleNumber": 1,
		"Protocol": 6,
		"Description": "TCP Filter Rule",
		"TrafficMirrorFilterRuleId": "tmfr-01234abcd1234abcd",
		"TrafficDirection": "ingress",
		"RuleAction": "accept",
		"SourceCidrBlock": "0.0.0.0/0",
		"TrafficMirrorFilterId": "tmf-0abcdabcdabcdabcd"
	},
	"ClientToken": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

07 Run create-traffic-mirror-session command (OSX/Linux/UNIX) to create a new traffic mirror session that you can use to monitor and analyze your network traffic. A VPC traffic mirror session actively copies packets from a traffic mirror source to a traffic mirror target. The following command example creates a VPC traffic mirror session for a traffic mirror source (network interface) identified by the ID "eni-0abcd1234abcd1234" and a traffic mirror target, created at the previous steps, identified by the ID "tmt-0abcdabcdabcdabcd", using a traffic mirror filter with the ID "tmf-0abcdabcdabcdabcd", for 25 bytes of the packet:

aws ec2 create-traffic-mirror-session
  --region us-east-1
  --description "Project5 Traffic Session"
  --traffic-mirror-target-id tmt-0abcdabcdabcdabcd
  --network-interface-id eni-0abcd1234abcd1234
  --session-number 1
  --packet-length 25
  --traffic-mirror-filter-id tmf-0abcdabcdabcdabcd
  --tag-specifications ResourceType=traffic-mirror-session,Tags=["{Key='Name',Value='cc-project5-traffic-mirror-session'}"]

08 The command output should return the configuration metadata available for the newly created traffic mirror session:

{
	"TrafficMirrorSession": {
		"PacketLength": 25,
		"Description": "Project5 Traffic Session",
		"Tags": [
			{
				"Value": "cc-project5-traffic-mirror-session",
				"Key": "Name"
			}
		],
		"NetworkInterfaceId": "eni-0abcd1234abcd1234",
		"TrafficMirrorTargetId": "tmt-0abcdabcdabcdabcd",
		"SessionNumber": 1,
		"OwnerId": "123456789012",
		"TrafficMirrorFilterId": "tmf-0abcdabcdabcdabcd",
		"TrafficMirrorSessionId": "tms-01234abcd1234abcd",
		"VirtualNetworkId": 12345678
	},
	"ClientToken": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

09 Once the traffic mirror session is created, the VPC traffic from your mirror source that matches the filter defined at step no. 5 is encapsulated as specified in RFC 7348 and delivered to your mirror target. Now you can use your preferred network monitoring tools to capture, analyze, and visualize your VPC traffic.

10 Repeat steps no. 1 – 9 to enable and configure VPC traffic mirroring for each VPC network available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-vpcs
describe-network-interfaces
describe-traffic-mirror-sessions
create-traffic-mirror-target
create-traffic-mirror-filter
create-traffic-mirror-filter-rule
create-traffic-mirror-session

Publication date Sep 10, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

VPC Traffic Mirroring in Use

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related VPC rules