Public Guide
Capture live network traffic using VPC Traffic Mirroring, deploy sensor instances with CloudFormation or CDK, and stream findings automatically to the platform. Audience: Platform engineers, network architects, security engineers. Typical setup time: 15 minutes.
Capture live network traffic using VPC Traffic Mirroring, deploy sensor instances with CloudFormation or CDK, and stream findings automatically to the platform.
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Demonstration only
This configuration is designed for ease of use. To deploy scanner clients at scale, please plan your deployment architecture accordingly or contact us for enterprise best practices.
Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.
Creates the AWS CDK project under `deploy/aws-network-sensor/` with the current platform API URL prefilled so the deployment commands on this page are runnable without editing boilerplate first.
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.6 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/aws-network-sensor.sh)
cd deploy/aws-network-sensor# 1. Create API Key Secret
aws secretsmanager create-secret \
--name blackshield/network-sensor-key-prod \
--secret-string "sp_your_ingestion_key"
# 2. Deploy Infrastructure
cd deploy/aws-network-sensor
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
# IMPORTANT: Edit cdk.json and replace vpc-REPLACE_ME and subnet-REPLACE_ME
# with your actual AWS IDs before deploying!
cdk bootstrap
cdk deploy --require-approval never"""CDK stack for the BlackShield AWS network sensor."""
from aws_cdk import Stack
from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_iam as iam
from constructs import Construct
class NetworkSensorStack(Stack):
def __init__(self, scope: Construct, id: str, vpc_id: str, subnet_id: str, sensor_secret_name: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc.from_lookup(self, "Vpc", vpc_id=vpc_id)
subnet = ec2.Subnet.from_subnet_attributes(
self, "Subnet",
subnet_id=subnet_id,
availability_zone=vpc.availability_zones[0]
)
role = iam.Role(
self, "NetworkSensorRole",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore")]
)
role.add_to_policy(
iam.PolicyStatement(
actions=["secretsmanager:GetSecretValue"],
resources=[f"arn:aws:secretsmanager:${self.region}:${self.account}:secret:${sensor_secret_name}*"],
)
)
security_group = ec2.SecurityGroup(self, "SensorSG", vpc=vpc, description="Allow VXLAN")
security_group.add_ingress_rule(ec2.Peer.ipv4("10.0.0.0/8"), ec2.Port.udp(4789), "VXLAN")
instance = ec2.Instance(
self, "NetworkSensorInstance",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnets=[subnet]),
instance_type=ec2.InstanceType("t3.medium"),
machine_image=ec2.MachineImage.latest_amazon_linux2023(),
security_group=security_group,
role=role,
)#!/bin/bash
# Complete AWS VPC Traffic Mirroring setup script
SENSOR_ENI="eni-0123456789abcdef0" # Target Sensor ENI
SOURCE_ENI="eni-abcdef0123456789" # Production VM ENI
VNI=7392 # VXLAN Network Identifier (default)
echo "1. Creating Traffic Mirror Target..."
TARGET_ID=$(aws ec2 create-traffic-mirror-target \
--network-interface-id "$SENSOR_ENI" \
--description "Network Sensor Target" \
--query 'TrafficMirrorTarget.TrafficMirrorTargetId' \
--output text)
echo "2. Creating Traffic Mirror Filter (Capture all TCP/UDP)..."
FILTER_ID=$(aws ec2 create-traffic-mirror-filter \
--description "Capture all TCP/UDP" \
--query 'TrafficMirrorFilter.TrafficMirrorFilterId' \
--output text)
aws ec2 create-traffic-mirror-filter-rule \
--traffic-mirror-filter-id "$FILTER_ID" \
--traffic-direction INGRESS --rule-number 100 --rule-action accept \
--protocol 6 --source-cidr-block "0.0.0.0/0" --destination-cidr-block "0.0.0.0/0" > /dev/null
aws ec2 create-traffic-mirror-filter-rule \
--traffic-mirror-filter-id "$FILTER_ID" \
--traffic-direction INGRESS --rule-number 200 --rule-action accept \
--protocol 17 --source-cidr-block "0.0.0.0/0" --destination-cidr-block "0.0.0.0/0" > /dev/null
echo "3. Creating Traffic Mirror Session..."
SESSION_ID=$(aws ec2 create-traffic-mirror-session \
--network-interface-id "$SOURCE_ENI" \
--traffic-mirror-target-id "$TARGET_ID" \
--traffic-mirror-filter-id "$FILTER_ID" \
--session-number 1 \
--virtual-network-id "$VNI" \
--description "Production workload mirroring" \
--query 'TrafficMirrorSession.TrafficMirrorSessionId' \
--output text)
echo "Success! Mirror Session $SESSION_ID is routing traffic to $TARGET_ID"Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Step 1
Use the ready-made CDK stack to deploy a right-sized EC2 instance with the necessary IAM roles, security groups, and CloudWatch monitoring. This acts as the destination for mirrored traffic.
What success looks like
Note the newly created EC2 Instance ID and ENI (Elastic Network Interface) ID from the CDK outputs — you'll need this for the mirror target.
Step 2
Define what traffic should be captured. A mirror filter contains inbound and outbound rules, similar to a Network ACL.
What success looks like
Keep the filter ID handy for the next step.
Helpful context
Step 3
Route the filtered traffic from your production workloads (Source ENI) to your sensor instance (Target ENI).
What success looks like
Ensure the sensor's Security Group allows inbound UDP on port 4789 (VXLAN), which is how mirrored traffic is encapsulated.
Step 4
Start the sensor container and verify that traffic is being successfully decapsulated and inspected.
What success looks like
Check the platform Findings view to see network-based alerts within 5 minutes.
Keep your rollout moving with the next recommended step.
Review and Prioritize Findings