Using AWS Flow Logs to Detect Network Intruders


How do you know if there are people in your network that shouldn’t be?  The easiest way to know is by using your AWS Flow Logs.  It is an AWS feature that captures meta data from all IP traffic flowing through your AWS network.  It captures information such as IPs, ports, and protocols (no data payload) that allows you to see what is legitimate traffic and what is not.

Unfortunately, Amazon doesn’t make it easy. AWS gives you an API and a console to access this information.  With the console, you can only search through one network interface at a time.  If you are running multiple nodes, you will have to look through each interface one at a time.  Or, you can use the API and write a program to sort through it the data.


This is where can help you out.  We will pull the data nightly and create a dashboard for you to review. We parse the mountains of information into actionable data so you don’t have to.


We also provide value-added information by cross referencing the IP list with malicious threat lists. You can see at a glance if your network is communicating with known bad IPs and what threat level these IPs are to you.  For example, you most likely don’t want to leave port 3389 (Windows remote desktop protocol) or port 3306 (MySQL) open to the internet.  The table below shows that these ports are being actively scanned by malicious sources.


Head on over to to see how we can help you out and produce a useful daily dashboard on what is happening in your cloud.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s