AWSTemplateFormatVersion: "2010-09-09" Description: >- VPC Traffic Mirroring target template. Template creates Amazon Linux 2 EC2 instance(s) with Suricata installed on it. Instances are launched in auto scaling group. If traffic mirror target type is set to NLB, template also creates NLB, target group and listener and associates auto scaling group with the target group. Template can also be launched as a stand alone template (qs-1s0om7h6b). Metadata: QuickStartDocumentation: EntrypointName: "Parameters for deploying into an existing VPC" Order: 2 LintSpellExclude: - Linux - Amazon - VPC - Traffic Mirroring - Network Load Balancer - CIDR - DMZ - GB - Region - S3 - AmazonS3 - QSS3BucketName - Quick Start - SSH - customizing - ID - VPCID - vpc - EC2 - ARN - Subnet - Suricata - NLB - ENI - c5n.large - TrafficMirrorTargetType AWS::CloudFormation::Interface: ParameterGroups: - Label: default: 'Traffic Mirroring target instance configuration' Parameters: - VPCID - VPCCIDR - Subnet1ID - Subnet2ID - NumTargetEC2Instances - TargetEC2InstanceType - TargetEC2InstanceRootVolumeSize - KeyPairName - BastionSecurityGroupID - TrafficMirrorTargetType - LatestAmazonLinux2AmiId ParameterLabels: VPCCIDR: default: VPC CIDR block VPCID: default: VPC ID Subnet1ID: default: Subnet 1 ID Subnet2ID: default: Subnet 2 ID NumTargetEC2Instances: default: The number of target instances to create. The maximum number is four. TargetEC2InstanceType: default: Target EC2 instance type TargetEC2InstanceRootVolumeSize: default: Target EC2 instance size in GB KeyPairName: default: Key pair required for accessing target EC2 instance BastionSecurityGroupID: default: Bastion security group ID TrafficMirrorTargetType: default: Traffic mirror target type LatestAmazonLinux2AmiId: default: Amazon Linux 2 AMI ID cfn-lint: { config: { ignore_checks: [W9901] } } Parameters: VPCCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" Default: 10.0.0.0/24 Description: CIDR block for the VPC. Type: String ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. VPCID: Description: ID of the VPC (for example, vpc-0343606e). Type: AWS::EC2::VPC::Id ConstraintDescription: Must be a valid VPC ID. Subnet1ID: Description: ID of Subnet 1 to be associated (for example, subnet-11223344, subnet-55667788). Type: AWS::EC2::Subnet::Id ConstraintDescription: Must be a valid subnet ID. Subnet2ID: Description: ID of Subnet 2 to be associated (for example, subnet-11223344, subnet-55667788). Type: AWS::EC2::Subnet::Id ConstraintDescription: Must be a valid subnet ID. NumTargetEC2Instances: AllowedValues: - '1' - '2' - '3' - '4' Default: '2' Description: The number of targets to create. The maximum number is four. Type: String TargetEC2InstanceType: Description: Select EC2 instance type for Suricata target EC2 instance. Default is set to c5n.large. Type: String Default: c5n.large AllowedValues: - t2.medium - t2.large - t2.xlarge - t2.2xlarge - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5n.large - m5n.xlarge - m5n.2xlarge - m5n.4xlarge - m5n.8xlarge - m5n.12xlarge - m5n.16xlarge - m5n.24xlarge - c5n.large - c5n.xlarge - c5n.2xlarge - c5n.4xlarge - c5n.9xlarge - c5n.18xlarge TargetEC2InstanceRootVolumeSize: Description: Target instance disk size in GB. Default is set to 8 GB. Default: 8 Type: Number ConstraintDescription: Should be a valid instance size in GB. KeyPairName: Description: EC2 key pair required for accessing EC2 instance. Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: Must be the name of an existing EC2 key pair. LatestAmazonLinux2AmiId: Description: Latest Amazon Linux 2 AMI ID. Type: AWS::SSM::Parameter::Value Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' BastionSecurityGroupID: Description: ID of bastion security group to allow access to targets. Type: AWS::EC2::SecurityGroup::Id ConstraintDescription: Must be a valid security group ID. TrafficMirrorTargetType: Description: 'Choose NLB to deploy a Network Load Balancer and a target group with Suricata instances. For limited scale deployments, choose ENI and set NumTargetEC2Instances as 1. This deploys Suricata on a single EC2 instance as your Traffic Mirroring target.' Type: String Default: NLB AllowedValues: ['NLB', 'ENI'] ConstraintDescription: Must be a valid traffic mirror target type. Conditions: TargetTypeNLB: !Equals [!Ref TrafficMirrorTargetType, "NLB"] Resources: Nlb: Condition: TargetTypeNLB Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internal Type: network Subnets: - !Ref Subnet1ID - !Ref Subnet2ID Tags: - Key: Name Value: !Sub "${AWS::StackName}-nlb-1" TargetGroup: Condition: TargetTypeNLB Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Port: 4789 Protocol: UDP TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: '20' VpcId: !Ref VPCID HealthCheckPort: '80' HealthCheckProtocol: HTTP Tags: - Key: Name Value: !Sub "${AWS::StackName}-nlb1-tg1" Listener: Condition: TargetTypeNLB Type: AWS::ElasticLoadBalancingV2::Listener Properties: Port: 4789 Protocol: UDP DefaultActions: - Type: forward TargetGroupArn: !Ref TargetGroup LoadBalancerArn: !Ref Nlb TargetInstanceSg: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref VPCID GroupName: !Sub "${AWS::StackName}-target-sg" GroupDescription: >- Access to target EC2 instance. Allow SSH and ICMP access from the desired CIDR. Allow all traffic from VPC CIDR. SecurityGroupIngress: - CidrIp: !Ref VPCCIDR IpProtocol: "-1" FromPort: -1 ToPort: -1 SecurityGroupEgress: - CidrIp: 0.0.0.0/0 IpProtocol: "-1" FromPort: -1 ToPort: -1 Tags: - Key: Name Value: !Sub "${AWS::StackName}-target-sg" TargetInstanceSgIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref TargetInstanceSg IpProtocol: "-1" FromPort: -1 ToPort: -1 SourceSecurityGroupId: !Ref BastionSecurityGroupID TargetInstanceRole: Type: AWS::IAM::Role Properties: Path: "/" ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - sts:AssumeRole Principal: Service: - !Sub 'ec2.${AWS::URLSuffix}' TargetInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref TargetInstanceRole TargetInstanceConfig: Type: AWS::AutoScaling::LaunchConfiguration Properties: ImageId: !Ref LatestAmazonLinux2AmiId KeyName: !Ref KeyPairName InstanceType: !Ref TargetEC2InstanceType IamInstanceProfile: !Ref TargetInstanceProfile SecurityGroups: - !Ref TargetInstanceSg BlockDeviceMappings: - DeviceName: /dev/xvda Ebs: VolumeSize: !Ref TargetEC2InstanceRootVolumeSize UserData: Fn::Base64: | #!/bin/bash # Install required packages: yum update -y yum install httpd -y amazon-linux-extras install epel -y yum install yum-plugin-copr -y yum install libmaxminddb -y yum copr enable @oisf/suricata-6.0 -y yum install suricata -y # run suricata-update suricata-update # enable and start suricata service: systemctl enable suricata systemctl start suricata # Add ec2-user to suricata group: usermod -a -G suricata ec2-user # Add read-write permissions to /var/log/suricata and /var/lib/suricata chmod -R g+rw /var/log/suricata/ chmod -R g+rw /var/lib/suricata/ # Add index.html for health check: touch /var/www/html/index.html curl http://169.254.169.254/latest/dynamic/instance-identity/document > /home/ec2-user/iid export instance_az=$(cat /home/ec2-user/iid |grep 'availability' | awk -F': ' '{print $2}' | awk -F',' '{print $1}' | awk -F'"' '{print$2}') cat <> /var/www/html/index.html Amazon VPC Traffic Mirroring Targets

Welcom to Amazon VPC Traffic Mirroing!

Target is instantiated in $instance_az.

Happy Testing!

EOT # enable and start httpd service: systemctl enable httpd systemctl start httpd TargetInstanceASG: Type: AWS::AutoScaling::AutoScalingGroup Properties: LaunchConfigurationName: !Ref TargetInstanceConfig MinSize: !Ref NumTargetEC2Instances MaxSize: !Ref NumTargetEC2Instances TargetGroupARNs: [!If [TargetTypeNLB, !Ref TargetGroup, !Ref AWS::NoValue]] VPCZoneIdentifier: - !Ref Subnet1ID - !Ref Subnet2ID Tags: - Key: Name Value: !Sub "${AWS::StackName}-target-asg" PropagateAtLaunch: true UpdatePolicy: AutoScalingReplacingUpdate: WillReplace: true Outputs: TargetInstanceASG: Description: Suricata instances Auto Scaling group. Value: !Ref TargetInstanceASG