Network intrusion detection
Intrusion-detection and/or intrusion-prevention techniques can be used to detect and/or prevent intrusions into the network. It is prudent to monitor all traffic at the perimeter and at critical points of the CDE. In most on-premises environments, this is typically achieved with Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) appliances. A similar approach can be used within AWS.
When considering containerized environments, inspection of network traffic can be done at the network layer outside of the container host and within the container management software’s virtual container network.
There are several options that can be considered for inspection of network data outside of the container host on AWS.
Amazon GuardDuty
When considering a traditional IDS/IPS solution, Amazon VPC Traffic Mirroring can be configured to route a copy of all network communications to a virtual appliance running on one or more Amazon EC2 instances.
Another common solution is to use a transit network architecture that uses IP routing to ensure that all network traffic crosses a single network. This architecture allows you to use a virtual IDS/IPS device from the AWS Marketplace.
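The VPC Traffic Mirroring option described above, expressed as a Terraform configuration. This is an added example, not configuration from the whitepaper or from AWS; the ENI identifiers passed in as variables (the container host's interface and the IDS appliance's interface) are assumptions and would be replaced with the real resources in a given account.

```hcl
# Assumed inputs: the ENI of the container host whose traffic is inspected,
# and the ENI of the EC2 instance running the virtual IDS/IPS appliance.
variable "container_host_eni_id" { type = string }
variable "ids_appliance_eni_id"  { type = string }

# Mirror target: the appliance ENI receives a copy of the traffic.
# Mirrored packets arrive VXLAN-encapsulated on UDP port 4789, so the
# appliance's security group must allow UDP/4789 from the mirror source.
resource "aws_ec2_traffic_mirror_target" "ids" {
  description          = "Virtual IDS/IPS appliance"
  network_interface_id = var.ids_appliance_eni_id
}

# Filter: one rule per direction, accepting all traffic so the IDS sees
# both inbound and outbound flows of the container host.
resource "aws_ec2_traffic_mirror_filter" "all_traffic" {
  description      = "Mirror all container host traffic"
  network_services = ["amazon-dns"]  # include DNS queries to the VPC resolver
}

resource "aws_ec2_traffic_mirror_filter_rule" "ingress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all_traffic.id
  traffic_direction        = "ingress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

resource "aws_ec2_traffic_mirror_filter_rule" "egress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all_traffic.id
  traffic_direction        = "egress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# Session: binds the container host ENI (source) to the target and filter.
resource "aws_ec2_traffic_mirror_session" "container_host" {
  description              = "Container host to IDS"
  network_interface_id     = var.container_host_eni_id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.ids.id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all_traffic.id
  session_number           = 1
}
```

One session is needed per source ENI, so each container host in the CDE that must be inspected gets its own `aws_ec2_traffic_mirror_session`; a Network Load Balancer ARN can be used as the target instead of a single ENI when several appliances share the load.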
Inspection of inter-container communications on the virtual container network is another viable option. There are vendors within the AWS Marketplace that provide IDS container solutions, which mostly use a sidecar container to monitor and alert on unusual traffic patterns. Agent-based solutions are also available that use machine learning to detect anomalous communication patterns among the containers.
The security measures put into place will depend heavily on the architecture of the environment. Traffic detection at the network layer will necessitate advanced planning of container deployments and traffic patterns.