AWS Amazon EC2 Traffic Mirror Session
This page shows how to write Terraform and CloudFormation for Amazon EC2 Traffic Mirror Session and write them securely.
aws_ec2_traffic_mirror_session (Terraform)
The Traffic Mirror Session in Amazon EC2 can be configured in Terraform with the resource name aws_ec2_traffic_mirror_session. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ec2_traffic_mirror_session" "this" {
description = var.description
network_interface_id = var.network_interface_id
packet_length = var.packet_length
session_number = var.session_number
tags = var.tags
resource "aws_ec2_traffic_mirror_session" "session" {
description = "traffic mirror session"
network_interface_id = "eni-1234567"
traffic_mirror_filter_id = "a-traffic-filter-id"
traffic_mirror_target_id = "a-traffic-target-id"
session_number = "1"
resource "aws_ec2_traffic_mirror_session" "session" {
description = var.mirror_session_description
network_interface_id = var.network_interface_id
traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.filter.id
traffic_mirror_target_id = aws_ec2_traffic_mirror_target.target.id
resource "aws_ec2_traffic_mirror_session" "session" {
description = "traffic mirror session"
network_interface_id = "eni-1234567"
traffic_mirror_filter_id = "a-traffic-filter-id"
traffic_mirror_target_id = "a-traffic-target-id"
session_number = "1"
Parameters
-
arnoptional computed - string -
descriptionoptional - string -
idoptional computed - string -
network_interface_idrequired - string -
owner_idoptional computed - string -
packet_lengthoptional - number -
session_numberrequired - number -
tagsoptional - map from string to string -
traffic_mirror_filter_idrequired - string -
traffic_mirror_target_idrequired - string -
virtual_network_idoptional computed - number
Explanation in Terraform Registry
Provides an Traffic mirror session.
Read limits and considerations for traffic mirroring
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::TrafficMirrorSession (CloudFormation)
The TrafficMirrorSession in EC2 can be configured in CloudFormation with the resource name AWS::EC2::TrafficMirrorSession. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::TrafficMirrorSession
Properties:
Description: !Sub Mirror traffic from first mirror source to ${TargetEni}
NetworkInterfaceId: !Select [0, !Ref SourceEniList ] # get the relevant element by index (zero-based) from SourceEniList
SessionNumber: 1 # this should be unique for each MirrorSession object
Tags:
Type: AWS::EC2::TrafficMirrorSession
Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html
Properties:
TrafficMirrorTargetId: !Ref 'TrafficMirrorTargetId'
SessionNumber: !Ref 'SessionNumber'
NetworkInterfaceId: !Ref 'NetworkInterfaceId'
Type: AWS::EC2::TrafficMirrorSession
Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html
Properties:
TrafficMirrorTargetId: !Ref 'TrafficMirrorTargetId'
SessionNumber: !Ref 'SessionNumber'
NetworkInterfaceId: !Ref 'NetworkInterfaceId'
Type: AWS::EC2::TrafficMirrorSession
Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html
Properties:
TrafficMirrorTargetId: !Ref 'TrafficMirrorTargetId'
SessionNumber: !Ref 'SessionNumber'
NetworkInterfaceId: !Ref 'NetworkInterfaceId'
Type: AWS::EC2::TrafficMirrorSession
Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html
Properties:
TrafficMirrorTargetId: !Ref 'TrafficMirrorTargetId'
SessionNumber: !Ref 'SessionNumber'
NetworkInterfaceId: !Ref 'NetworkInterfaceId'
"Type": "AWS::EC2::TrafficMirrorSession",
"DependsOn" : "NetworkInterfaceTarget",
"Properties": {
"Description": "DDI traffic mirror session",
"NetworkInterfaceId": { "Ref" : "LinuxPort" },
"TrafficMirrorTargetId": { "Ref" : "NetworkInterfaceTarget" },
"Type" : "AWS::EC2::TrafficMirrorSession",
"Properties" : {
"NetworkInterfaceId": { "Ref": "NetworkInterface1" },
"SessionNumber": 1,
"TrafficMirrorTargetId": { "Ref": "TrafficMirrorTarget" },
"TrafficMirrorFilterId": { "Ref": "TrafficMirrorFilter1" },
"resourceType": "AWS::EC2::TrafficMirrorSession",
"filePath": null
},
{
"resourceType": "AWS::EC2::SubnetCidrBlock",
"filePath": null
"AWS::EC2::TrafficMirrorSession": {
"Type": "AWS::EC2::TrafficMirrorSession",
"Properties": {}
},
"AWS::Amplify::Branch": {
"Type": "AWS::Amplify::Branch",
"AWS::EC2::TrafficMirrorSession": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html",
"Properties": {
"TrafficMirrorTargetId": {
"Required": true,
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html#cfn-ec2-trafficmirrorsession-trafficmirrortargetid",
Parameters
-
TrafficMirrorTargetIdrequired - String -
Descriptionoptional - String -
SessionNumberrequired - Integer -
VirtualNetworkIdoptional - Integer -
PacketLengthoptional - Integer -
NetworkInterfaceIdrequired - String -
TrafficMirrorFilterIdrequired - String -
Tagsoptional - List of Tag
Explanation in CloudFormation Registry
Creates a Traffic Mirror session.
A Traffic Mirror session actively copies packets from a Traffic Mirror source to a Traffic Mirror target. Create a filter, and then assign it to the session to define a subset of the traffic to mirror, for example all TCP traffic.
The Traffic Mirror source and the Traffic Mirror target (monitoring appliances) can be in the same VPC, or in a different VPC connected via VPC peering or a transit gateway. By default, no traffic is mirrored. Use AWS::EC2::TrafficMirrorFilterRule to specify filter rules that specify the traffic to mirror.
Frequently asked questions
What is AWS Amazon EC2 Traffic Mirror Session?
AWS Amazon EC2 Traffic Mirror Session is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Traffic Mirror Session?
For Terraform, the niveklabs/aws, gilyas/infracost and JamesWoolfenden/terraform-aws-trafficmirror source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the seek-ret/installation, awslabs/aws-service-catalog-products and awslabs/aws-service-catalog-products source code examples are useful. See the CloudFormation Example section for further details.
