reference deployment

Amazon EC2 with Suricata on AWS

Monitor network traffic for security threats

This Quick Start deploys Amazon Elastic Compute Cloud (Amazon EC2) instances with Suricata, an open-source tool for network security monitoring. The Quick Start is for security, DevSecOps, and network engineers who want to monitor EC2 instance network traffic using Suricata.

The Quick Start provides parameters for deploying Suricata on a single EC2 instance or on multiple instances in an Auto Scaling group. After deployment, you can configure Amazon VPC Traffic Mirroring to copy traffic from the elastic network interfaces of EC2 instances and send it to Suricata for out-of-band security inspection. This Quick Start deploys only Suricata; it does not configure Traffic Mirroring.
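The post-deployment step described above, as an added example that is not part of the Quick Start or its templates: a small Python generator that emits a companion CloudFormation template wiring VPC Traffic Mirroring into the Suricata Network Load Balancer. It assumes you supply the Quick Start NLB's ARN and the IDs of the ENIs you want inspected (the values below are constructed placeholders), and that the NLB has a UDP 4789 listener, because mirrored traffic arrives VXLAN-encapsulated on that port. The filter carries one accept rule per direction; Traffic Mirroring evaluates ingress and egress rules independently, so a filter with a single rule hands Suricata only half of every flow.

```python
"""Generate a CloudFormation template that mirrors traffic from monitored ENIs
to the Suricata Network Load Balancer deployed by the Quick Start.

Added example, not part of the Quick Start. Assumptions: the NLB ARN and the
ENI IDs are supplied by the caller; the NLB has a UDP 4789 listener, because
mirrored traffic arrives VXLAN-encapsulated on that port.
"""
import ipaddress
import json

MAX_SESSION_NUMBER = 32766   # valid SessionNumber range is 1-32766
MIN_PACKET_LENGTH = 1        # PacketLength, when set, is a positive byte count


def _filter_rule(direction, rule_number, cidr):
    """One accept rule for a single direction. Rule numbers must be unique
    within a filter per direction, so the same number may be reused across
    ingress and egress."""
    if direction not in ("ingress", "egress"):
        raise ValueError(f"unknown TrafficDirection {direction!r}")
    ipaddress.ip_network(cidr)   # raises ValueError on a malformed CIDR
    return {
        "Type": "AWS::EC2::TrafficMirrorFilterRule",
        "Properties": {
            "TrafficMirrorFilterId": {"Ref": "SuricataMirrorFilter"},
            "TrafficDirection": direction,
            "RuleNumber": rule_number,
            "RuleAction": "accept",
            "SourceCidrBlock": cidr,
            "DestinationCidrBlock": cidr,
            "Description": f"mirror all {direction} traffic to Suricata",
        },
    }


def build_traffic_mirroring_template(nlb_arn, eni_ids, cidr="0.0.0.0/0",
                                     packet_length=None):
    """Return a CloudFormation template (as a dict) with one mirror target,
    one bidirectional filter, and one mirror session per monitored ENI."""
    eni_ids = list(eni_ids)
    if not eni_ids:
        raise ValueError("at least one ENI ID is required")
    if len(set(eni_ids)) != len(eni_ids):
        raise ValueError("duplicate ENI IDs")
    if len(eni_ids) > MAX_SESSION_NUMBER:
        raise ValueError("too many ENIs for unique session numbers")
    if packet_length is not None and packet_length < MIN_PACKET_LENGTH:
        raise ValueError("PacketLength must be a positive number of bytes")

    resources = {
        "SuricataMirrorTarget": {
            "Type": "AWS::EC2::TrafficMirrorTarget",
            "Properties": {
                "NetworkLoadBalancerArn": nlb_arn,
                "Description": "Suricata sensors behind the Quick Start NLB",
            },
        },
        "SuricataMirrorFilter": {
            "Type": "AWS::EC2::TrafficMirrorFilter",
            "Properties": {"Description": "accept all traffic, both directions"},
        },
        # Both directions are needed or Suricata sees only half of each flow.
        "MirrorIngressRule": _filter_rule("ingress", 100, cidr),
        "MirrorEgressRule": _filter_rule("egress", 100, cidr),
    }
    for index, eni_id in enumerate(eni_ids, start=1):
        props = {
            "NetworkInterfaceId": eni_id,
            "TrafficMirrorTargetId": {"Ref": "SuricataMirrorTarget"},
            "TrafficMirrorFilterId": {"Ref": "SuricataMirrorFilter"},
            "SessionNumber": index,   # unique per source ENI
            "Description": f"mirror {eni_id} to Suricata",
        }
        if packet_length is not None:
            # Omitting PacketLength mirrors whole packets, which is what an
            # IDS needs; truncation drops the payload signatures match on.
            props["PacketLength"] = packet_length
        resources[f"MirrorSession{index}"] = {
            "Type": "AWS::EC2::TrafficMirrorSession",
            "Properties": props,
        }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "VPC Traffic Mirroring into the Suricata Quick Start NLB",
        "Resources": resources,
    }


def accepted_directions(template):
    """Directions the filter accepts; anything short of both ingress and
    egress means Suricata is blind to one side of every conversation."""
    return {
        r["Properties"]["TrafficDirection"]
        for r in template["Resources"].values()
        if r["Type"] == "AWS::EC2::TrafficMirrorFilterRule"
        and r["Properties"]["RuleAction"] == "accept"
    }


if __name__ == "__main__":
    # Constructed placeholder identifiers: replace with the Quick Start's NLB
    # ARN and the ENIs of the instances you want inspected.
    template = build_traffic_mirroring_template(
        "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
        "loadbalancer/net/suricata-nlb/PLACEHOLDER",
        ["eni-0123456789abcdef0", "eni-0fedcba9876543210"],
    )
    print(json.dumps(template, indent=2))
```

Pipe the output into `aws cloudformation deploy --template-file` (or paste it into the console) after the Quick Start stack is up; the generator refuses duplicate ENIs and malformed CIDRs up front, which are the two inputs most likely to produce a stack that creates cleanly but mirrors nothing useful.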


This Quick Start was developed by AWS.

What you'll build

The Quick Start deploys the following:

  • A highly available architecture that spans multiple Availability Zones.*
  • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
  • In the public subnets:
    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to EC2 instances in public and private subnets.*
  • In the private subnets:
    • EC2 instances running open-source Suricata in an Auto Scaling group that spans two Availability Zones for high availability.
    • A Network Load Balancer to distribute traffic across the Suricata EC2 instances.

  * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

How to deploy

To deploy Amazon EC2 with Suricata, follow the instructions in the deployment guide. A standard deployment takes about 10 minutes and includes these steps:

  1. Sign in to your AWS account. If you don't have an account, sign up at https://aws.amazon.com.
  2. Launch the Quick Start. Before you create the stack, choose the AWS Region from the top toolbar. You can choose from two options:
  3. Perform post-deployment tasks.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Cost and licenses

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

This Quick Start installs Suricata on an Amazon Linux 2 EC2 instance. The Suricata source code is licensed under version 2 of the GNU General Public License.

The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of the deployment. For cost estimates, see the pricing page for each AWS service you use. Prices are subject to change.

Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?