Open Source Security & Monitoring in AWS: Infrastructure-as-Code

November 21, 2019



TLDR: Nubeva has launched new AWS CloudFormation templates. These allow open source monitoring and analysis tools to see fully decrypted packet traffic in public and private clouds when paired with Nubeva Transport Layer Security (TLS) Decrypt. The templates are infrastructure-as-code that launch cloud-ready, scalable, resilient environments built to the Amazon Web Services (AWS) Well-Architected Framework. Included are the open source network monitoring tools Moloch, Suricata, Zeek, Wireshark and ntopng.

Read Time: ~5 minutes 30 seconds

Nubeva Cloud Tools are a production-scale, open source, cloud security and monitoring suite delivered as infrastructure as code for AWS. Combining Moloch, Suricata, Zeek (formerly Bro), Wireshark and ntopng, Nubeva Cloud Tools are pre-configured with Nubeva TLS Decrypt so that each tool has decrypted visibility into cloud workloads, including inter- and intra-container traffic.


In addition to completing the legwork to make each of these common open source tools run in AWS, each tool is architected to be independently scalable and highly resilient. The suite makes use of native AWS services and is push-button simple. This is not a collection of static AMIs; it is a fully automated, elastic and load-balanced security tool farm, and it is free. Nubeva Cloud Tools can even launch automated test clients that generate TLS 1.3 traffic, giving instant push-button proof that out-of-band decryption is working.


This infrastructure as code (IaC) approach is an important step forward for the enterprise cloud community. IaC automates the provisioning and management of IT systems through source code and automation tools instead of manual processes and home-grown scripts, so an environment can be reviewed, versioned and reproduced exactly. This version of Nubeva Cloud Tools is designed for AWS and makes use of AWS CloudFormation templates and official AWS Quick Starts. Nubeva Cloud Tools are built according to the AWS Well-Architected Framework and make use of native AWS services such as the Amazon Elasticsearch Service, Amazon VPC traffic mirroring, Elastic Load Balancing and Auto Scaling groups.


Nubeva Cloud Tools are launched right from within the Nubeva TLS Decrypt UI with a single click.


Users are taken to the master AWS CloudFormation template, which nests other CloudFormation templates (CFTs) and AWS Quick Starts (for creating a new VPC, for example). Users who want more oversight and control of the CFTs can review and modify the .yaml files for their own environments before launching.


After completing several CFT form fields, users click one button and a production-class, decrypted-visibility tool farm is created automatically. Users can install all or just some of the open source tools that come with this initial release. Each tool is pre-configured with Nubeva TLS Decrypt so that it sees plaintext even where TLS 1.3, forward secrecy and the other encryption that is ubiquitous in the cloud would otherwise leave a passive tap with nothing but ciphertext (with ephemeral key exchange, holding the server's private key is no longer enough to decrypt a captured session). Because the farm sees decrypted traffic, its tool instances and dashboards should be treated as sensitive infrastructure and reachable only from trusted networks.


  • Wireshark is perhaps the best-known packet analyzer for network troubleshooting, analysis and protocol review.
  • Moloch captures full packets to disk as PCAP and indexes them so that stored traffic is searchable. It is useful for compliance, threat hunting and performance optimization.
  • ntopng is a high-speed, web-based traffic analysis and flow collection tool for visualizing traffic flows.
  • Suricata is a free and open source, mature, fast and robust network threat detection engine (IDS/IPS). A pre-configured Kibana dashboard displays the Suricata output produced by Nubeva Cloud Tools.
  • Zeek is a powerful network analysis framework for intrusion detection that produces structured logs of connections and application-layer protocols.

Each tool is production ready, with the ability to define the number of EC2 instance nodes in each tool's Auto Scaling group. Each Auto Scaling group is created automatically by the IaC approach. Additionally, an Elastic Load Balancer is created for each tool to provide resiliency and distribute traffic across its nodes.


Notably, the Amazon Elasticsearch Service is used for Moloch, Suricata and Zeek to store the logs and data.


Instead of creating a standalone Elasticsearch server, Nubeva Cloud Tools use the Amazon Elasticsearch Service for ease and resiliency. Because the data store lives outside the tool instances, it preserves tool data as the tools scale up and down. This allows users to hunt, detect and trace anomalies and IOCs over time, even if the specific instance of the tool that found and logged them no longer exists.


Finally, each tool is pre-configured as an Amazon VPC traffic mirroring target. The targets have been built; users simply add their sources (mirror sessions on the network interfaces of the workloads to watch) and mirrored traffic starts flowing to the tools. Note that VPC traffic mirroring delivers packets VXLAN-encapsulated on UDP port 4789, so any security group in front of the tools must allow that port from the source network. If users are unfamiliar with Amazon VPC traffic mirroring, or cannot use it (for example, on instance types it does not support), Nubeva Prisms can mirror packet traffic to the tool destinations instead: simply point the Nubeva Prisms agent at the DNS name of the load balancer for the tool that should receive the traffic.
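As an added illustration of the "add your sources" step (this is example code, not the Nubeva Cloud Tools templates), the CloudFormation fragment below creates a traffic mirror target that points at the tool farm's Network Load Balancer, a filter that accepts all inbound and outbound packets, a mirror session for one workload network interface, and a security group that accepts the VXLAN-encapsulated mirror traffic only from the VPC's own address range. The parameter names and the assumption that the NLB and the source instance already exist (the NLB with a UDP 4789 listener in front of the tool Auto Scaling group) are mine, not the page's.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Example VPC Traffic Mirroring setup for a packet-analysis tool farm.
  Illustrative only; resource and parameter names are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
    Description: Only this range may deliver mirrored (VXLAN) traffic to the tools
  ToolNlbArn:
    Type: String
    Description: ARN of the Network Load Balancer fronting the tool Auto Scaling group (assumed to exist, UDP 4789 listener)
  SourceEniId:
    Type: String
    Description: Network interface of the workload instance to mirror (assumed to exist, Nitro-based instance)

Resources:
  # Mirrored packets arrive VXLAN-encapsulated on UDP 4789, so that is the
  # only port the tool instances need to accept from the source network.
  # Attach this group to the tool instances' launch configuration.
  ToolMirrorIngressSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Accept VXLAN mirror traffic (UDP 4789) from the VPC only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 4789
          ToPort: 4789
          CidrIp: !Ref VpcCidr

  # A mirror target must be an ENI or a Network Load Balancer. Using the NLB
  # lets the Auto Scaling group behind it grow or shrink without any change
  # to the mirror sessions that feed it.
  ToolMirrorTarget:
    Type: AWS::EC2::TrafficMirrorTarget
    Properties:
      Description: Tool farm Network Load Balancer
      NetworkLoadBalancerArn: !Ref ToolNlbArn

  # A filter mirrors nothing until it has accept rules; one rule per direction
  # with no protocol or port restriction captures everything the ENI sees.
  MirrorAllFilter:
    Type: AWS::EC2::TrafficMirrorFilter
    Properties:
      Description: Accept all inbound and outbound traffic

  MirrorAllInbound:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorAllFilter
      TrafficDirection: ingress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0

  MirrorAllOutbound:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorAllFilter
      TrafficDirection: egress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0

  # One session per source ENI. SessionNumber orders sessions that share a
  # source; VirtualNetworkId is the VXLAN VNI the tools will see on the wire.
  WorkloadMirrorSession:
    Type: AWS::EC2::TrafficMirrorSession
    Properties:
      Description: Mirror one workload ENI to the tool farm
      NetworkInterfaceId: !Ref SourceEniId
      TrafficMirrorTargetId: !Ref ToolMirrorTarget
      TrafficMirrorFilterId: !Ref MirrorAllFilter
      SessionNumber: 1
      VirtualNetworkId: 100

Outputs:
  MirrorTargetId:
    Value: !Ref ToolMirrorTarget
  ToolIngressSecurityGroupId:
    Value: !Ref ToolMirrorIngressSecurityGroup
```

To watch more workloads, add one TrafficMirrorSession per network interface and reuse the same target and filter; to narrow what is mirrored, tighten the filter rules (for example, restrict the CIDR blocks or set Protocol and DestinationPortRange) rather than adding more sessions.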


Nubeva Cloud Tools are the first free, open source security and monitoring tool suite designed to run at enterprise scale in the cloud. They represent a major step forward in the automation, security and resiliency of decrypted visibility in the cloud. We invite you to try them today!


Tags: cloud monitoring, NetFlow, cloud visibility, alert triage, anomaly detection