Fellow security peeps,
What are you using for your AWS (N)IDS solution?
We're currently using Suricata on our most business-critical applications (about 1,200 EC2 instances total). The company is moving towards Kubernetes/EKS/microservices. TLS is used to encrypt most of our traffic, with a lot of internal traffic being encrypted with rotating self-signed certificates. This makes decryption a pain in the ass to manage, and therefore an IDS is less effective with traffic over SSL (unless we find a way to MITM and manage all the keys for decryption).
I'm looking to re-architect our IDS solution since it's proving difficult to manage and update rulesets across all of our applications (we have to build a new AMI to update rulesets), TLS is starting to pose a problem, and we don't have strong visibility into our container traffic at the moment (also over SSL — we can potentially use sidecars to mitigate this).
Any suggestions as I venture forth on this journey?
What's your AWS environment like and what are you using for network traffic analysis?
A bit stuck at the moment, so any advice is most appreciated. I was looking at going the VPC traffic mirroring route to a load-balanced Suricata ASG, but the issue with TLS still remains — perhaps we can propose to standardize the certs we're using.
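One thing worth checking before committing to MITM/decryption: Suricata already emits TLS metadata (SNI, certificate subject and issuer, JA3/JA3S fingerprints) into eve.json for every handshake it sees, whether or not it can decrypt the session. The script below is an added example, not code from the original post or from the Suricata project, showing how a defender can triage that metadata from a mirrored-traffic Suricata ASG: it flags self-signed certificates presented for hostnames outside the internal naming convention, handshakes with no SNI at all, and client fingerprints seen only once in a batch. The field names follow Suricata's EVE `tls` record layout (`sni`, `subject`, `issuerdn`, `ja3.hash`); the sample eve.json lines, the IP addresses and the `.svc.internal` / `.cluster.local` suffix convention are constructed assumptions for illustration.

```python
"""Triage Suricata EVE JSON 'tls' records without decrypting any traffic.

Added example (not from the original post). Field names follow Suricata's
EVE tls output; the sample lines and the internal-suffix allowlist are
constructed for illustration and are not real captures or real policy.
"""
import json
from collections import Counter

# Assumed naming convention for in-VPC service identities: self-signed
# certificates are expected only for these hostnames (an assumption).
INTERNAL_SUFFIXES = (".svc.internal", ".cluster.local")


def _tls_line(src, dst, sni, subject, issuer, ja3):
    """Build one constructed EVE 'tls' record in Suricata's field layout."""
    return json.dumps({
        "timestamp": "2023-01-01T00:00:00.000000+0000", "event_type": "tls",
        "src_ip": src, "dest_ip": dst, "dest_port": 443, "proto": "TCP",
        "tls": {"sni": sni, "subject": subject, "issuerdn": issuer,
                "version": "TLS 1.2", "ja3": {"hash": ja3}},
    })


# Constructed sample eve.json content (not real traffic): one non-TLS record
# plus five handshakes; the addresses are documentation/private ranges.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "flow", "src_ip": "10.0.1.10", "dest_ip": "10.0.2.20"}),
    _tls_line("10.0.1.10", "10.0.2.20", "orders.svc.internal",
              "CN=orders.svc.internal", "CN=orders.svc.internal", "1111"),
    _tls_line("10.0.1.11", "203.0.113.5", "updates.example.com",
              "CN=updates.example.com", "CN=updates.example.com", "1111"),
    _tls_line("10.0.1.12", "198.51.100.9", None, None, None, "9999"),
    _tls_line("10.0.1.13", "10.0.2.21", "billing.svc.internal",
              "CN=billing.svc.internal", "CN=billing.svc.internal", "1111"),
    _tls_line("10.0.1.14", "203.0.113.7", "api.example.com",
              "CN=api.example.com", "CN=Example Public CA", "1111"),
])


def parse_eve(text):
    """Yield parsed EVE records, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_self_signed(tls):
    """Suricata reports issuerdn equal to subject for self-signed leaf certs."""
    subject, issuer = tls.get("subject"), tls.get("issuerdn")
    return bool(subject) and subject == issuer


def is_internal(sni):
    """True when the SNI matches the assumed internal naming convention."""
    return bool(sni) and sni.endswith(INTERNAL_SUFFIXES)


def triage(eve_text, rare_ja3_min_events=5):
    """Return TLS event count, JA3 distribution and a list of (kind, detail) findings."""
    tls_recs = [r for r in parse_eve(eve_text) if r.get("event_type") == "tls"]
    findings = []
    ja3_counts = Counter()
    for rec in tls_recs:
        tls = rec.get("tls") or {}
        sni = tls.get("sni")
        ja3 = (tls.get("ja3") or {}).get("hash")
        if ja3:
            ja3_counts[ja3] += 1
        flow = f"{rec.get('src_ip')} -> {rec.get('dest_ip')}:{rec.get('dest_port')}"
        if not sni:
            # Handshakes without SNI are unusual for service-to-service traffic.
            findings.append(("missing_sni", flow))
        elif is_self_signed(tls) and not is_internal(sni):
            # A self-signed cert is expected internally; outside that it is suspect.
            findings.append(("self_signed_external", f"{flow} sni={sni}"))
    # Only judge rarity once the batch is large enough to make "seen once" meaningful.
    if len(tls_recs) >= rare_ja3_min_events:
        for ja3_hash, n in ja3_counts.items():
            if n == 1:
                findings.append(("rare_ja3", ja3_hash))
    return {"tls_events": len(tls_recs), "ja3_counts": dict(ja3_counts),
            "findings": findings}


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVE)["findings"]:
        print(f"{kind:22s} {detail}")
```

In practice the `rare_ja3` threshold is a baseline question rather than a fixed number, and the internal suffix list would come from whatever naming convention the cert rotation tooling already enforces; the point is that SNI, issuer and fingerprint checks give useful coverage on mirrored traffic without holding any private keys.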