Guía pública
Capture live network traffic using VPC Traffic Mirroring, deploy sensor instances with CloudFormation or CDK, and stream findings automatically to the platform. Audiencia: Platform engineers, network architects, security engineers. Tiempo típico de configuración: 15 minutes.
Capture live network traffic using VPC Traffic Mirroring, deploy sensor instances with CloudFormation or CDK, and stream findings automatically to the platform.
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Solo demostración
Esta configuración está diseñada para facilitar el uso. Para desplegar clientes de escaneo a escala, planifique su arquitectura de despliegue en consecuencia o contáctenos para obtener las mejores prácticas empresariales.
Descarga los archivos exactos usados en esta guía o ejecuta el instalador de un solo comando para escribirlos localmente antes del despliegue.
Creates the AWS CDK project under `deploy/aws-network-sensor/` with the current platform API URL prefilled so the deployment commands on this page are runnable without editing boilerplate first.
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.6 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/aws-network-sensor.sh)
cd deploy/aws-network-sensor# 1. Create API Key Secret
aws secretsmanager create-secret \
--name blackshield/network-sensor-key-prod \
--secret-string "sp_your_ingestion_key"
# 2. Deploy Infrastructure
cd deploy/aws-network-sensor
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
# IMPORTANT: Edit cdk.json and replace vpc-REPLACE_ME and subnet-REPLACE_ME
# with your actual AWS IDs before deploying!
cdk bootstrap
cdk deploy --require-approval never"""CDK stack for the BlackShield AWS network sensor."""
from aws_cdk import Stack
from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_iam as iam
from constructs import Construct
class NetworkSensorStack(Stack):
def __init__(self, scope: Construct, id: str, vpc_id: str, subnet_id: str, sensor_secret_name: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc.from_lookup(self, "Vpc", vpc_id=vpc_id)
subnet = ec2.Subnet.from_subnet_attributes(
self, "Subnet",
subnet_id=subnet_id,
availability_zone=vpc.availability_zones[0]
)
role = iam.Role(
self, "NetworkSensorRole",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore")]
)
role.add_to_policy(
iam.PolicyStatement(
actions=["secretsmanager:GetSecretValue"],
resources=[f"arn:aws:secretsmanager:${self.region}:${self.account}:secret:${sensor_secret_name}*"],
)
)
security_group = ec2.SecurityGroup(self, "SensorSG", vpc=vpc, description="Allow VXLAN")
security_group.add_ingress_rule(ec2.Peer.ipv4("10.0.0.0/8"), ec2.Port.udp(4789), "VXLAN")
instance = ec2.Instance(
self, "NetworkSensorInstance",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnets=[subnet]),
instance_type=ec2.InstanceType("t3.medium"),
machine_image=ec2.MachineImage.latest_amazon_linux2023(),
security_group=security_group,
role=role,
)#!/bin/bash
# Complete AWS VPC Traffic Mirroring setup script
SENSOR_ENI="eni-0123456789abcdef0" # Target Sensor ENI
SOURCE_ENI="eni-abcdef0123456789" # Production VM ENI
VNI=7392 # VXLAN Network Identifier (default)
echo "1. Creating Traffic Mirror Target..."
TARGET_ID=$(aws ec2 create-traffic-mirror-target \
--network-interface-id "$SENSOR_ENI" \
--description "Network Sensor Target" \
--query 'TrafficMirrorTarget.TrafficMirrorTargetId' \
--output text)
echo "2. Creating Traffic Mirror Filter (Capture all TCP/UDP)..."
FILTER_ID=$(aws ec2 create-traffic-mirror-filter \
--description "Capture all TCP/UDP" \
--query 'TrafficMirrorFilter.TrafficMirrorFilterId' \
--output text)
aws ec2 create-traffic-mirror-filter-rule \
--traffic-mirror-filter-id "$FILTER_ID" \
--traffic-direction INGRESS --rule-number 100 --rule-action accept \
--protocol 6 --source-cidr-block "0.0.0.0/0" --destination-cidr-block "0.0.0.0/0" > /dev/null
aws ec2 create-traffic-mirror-filter-rule \
--traffic-mirror-filter-id "$FILTER_ID" \
--traffic-direction INGRESS --rule-number 200 --rule-action accept \
--protocol 17 --source-cidr-block "0.0.0.0/0" --destination-cidr-block "0.0.0.0/0" > /dev/null
echo "3. Creating Traffic Mirror Session..."
SESSION_ID=$(aws ec2 create-traffic-mirror-session \
--network-interface-id "$SOURCE_ENI" \
--traffic-mirror-target-id "$TARGET_ID" \
--traffic-mirror-filter-id "$FILTER_ID" \
--session-number 1 \
--virtual-network-id "$VNI" \
--description "Production workload mirroring" \
--query 'TrafficMirrorSession.TrafficMirrorSessionId' \
--output text)
echo "Success! Mirror Session $SESSION_ID is routing traffic to $TARGET_ID"Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Paso 1
Use the ready-made CDK stack to deploy a right-sized EC2 instance with the necessary IAM roles, security groups, and CloudWatch monitoring. This acts as the destination for mirrored traffic.
Cómo se ve el éxito
Note the newly created EC2 Instance ID and ENI (Elastic Network Interface) ID from the CDK outputs — you'll need this for the mirror target.
Paso 2
Define what traffic should be captured. A mirror filter contains inbound and outbound rules, similar to a Network ACL.
Cómo se ve el éxito
Keep the filter ID handy for the next step.
Helpful context
Paso 3
Route the filtered traffic from your production workloads (Source ENI) to your sensor instance (Target ENI).
Cómo se ve el éxito
Ensure the sensor's Security Group allows inbound UDP on port 4789 (VXLAN), which is how mirrored traffic is encapsulated.
Paso 4
Start the sensor container and verify that traffic is being successfully decapsulated and inspected.
Cómo se ve el éxito
Check the platform Findings view to see network-based alerts within 5 minutes.
Keep your rollout moving with the next recommended step.
Revisa y prioriza hallazgos