Support Automation Workflow (SAW) Runbook: AWSSupport-ConfigureTrafficMirroring
How can I use the AWSSupport-ConfigureTrafficMirroring Systems Manager Automation runbook to configure traffic mirroring for content inspection, threat monitoring, or troubleshooting?
In this article, I will show you how to use the AWSSupport-ConfigureTrafficMirroring, Systems Manager automation runbook to configure traffic mirroring between Source (the network interface to monitor) and Target (the destination for mirrored traffic). This is useful when you want to use Amazon VPC feature to copy network traffic from an Elastic Network Interface (ENI) of type
interface. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, or troubleshooting.
The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind either a Network Load Balancer with a User data gram protocol (UDP) listener or a Gateway Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest to monitor by using monitoring tools of your choice. If you choose to enable traffic mirroring on ENIs, ENI owner pays hourly for each ENI that is enabled with traffic mirroring. If you no longer wish to be charged for traffic mirroring, simply disable traffic mirroring on EC2 Instance ENIs using the AWS Management Console, command line interface, or API. For information about pricing, see VPC pricing.
How it works?
Traffic mirroring copies inbound and outbound traffic from the network interfaces that are attached to your instances. To configure traffic mirroring, this runbook creates the required targets, filters, and sessions. By default, the runbook configures mirroring for all inbound and outbound traffic for all protocols except Amazon DNS. If you want to mirror traffic from specific sources and destinations, you can modify the inbound and outbound rules after the automation completes. For more information how to modify traffic mirroring filter rules, see Modify your traffic mirror filter rules.
You can find more information how traffic mirroring works here.
The successful runbook execution will show you the output of Target ID, Filter ID and Session ID.
Before running the automation make sure your IAM user or the role has the permissions listed in the Required IAM permissions section.
- Navigate to the Systems Manager console .
- In the navigation pane, choose Documents.
- In the search bar, type the following AWSSupport-ConfigureTrafficMirroring.
- Select AWSSupport-ConfigureTrafficMirroring document.
- Click on Execute automation.
- For the input parameters enter the following:
- AutomationAssumeRole (optional): This is the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation will use the permissions of the user that starts this runbook.
- SourceENI (required): The elastic network interface you want to configure traffic mirroring for.
- Target (required): The destination for the mirrored traffic. You must specify the ID of a network interface, a Network Load Balancer, or a Gateway Load Balancer endpoint. If you specify a Network Load Balancer, there must be UDP listeners on port 4789.
- SessionNumber (required): The number of the mirror session you want to use. Valid values: 1-32766.
The following example demonstrates how to use the AWSSupport-ConfigureTrafficMirroring automation runbook in order to configure traffic mirroring between Source (the network interface to monitor) and Target (the destination for mirrored traffic).
- Click on Execute.
- You should see that the automation has been initiated.
- Once completed, you can review the Outputs section for the detailed results of the execution.
To view your traffic mirror sessions using the console:
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Traffic Mirroring, Mirror Sessions.
- Select the ID of the traffic mirror session from the runbook output field
CreateSession.SessionIdto open its details page.
In this article, I demonstrated how to configure traffic mirroring between two ENIs using the SAW runbook AWSSupport-ConfigureTrafficMirroring, available in the System Manager.
Systems Manager Automation
Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html
Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html
Documentation related to the AWS service
For more information how to run this runbook, please see the AWS public document: AWSSupport-ConfigureTrafficMirroring.
To help you troubleshoot, remediate, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the AWS provided predefined runbooks . These runbooks are prefixed with “AWSSupport-“ or “AWSPremiumSupport-“.