Analyzing Network Traffic

Services used: VPC, S3, Network ACLs

Languages used: N/A

Objective: Detect and deny network traffic from a specific IP address to increase security. Set up VPC Flow Logs in an Amazon S3 bucket. Read and analyze the flow logs. Create network ACL rules to block traffic. Reject outbound traffic by using a network ACL.

Search for and open S3.

Go to buckets and click Create bucket.

Give it the name vpc-flowlogs- followed by a series of random numbers so that the bucket name is globally unique. Select the N. Virginia AWS Region.

Scroll down to Object Ownership and enable ACLs. Choose Object writer. Scroll down and click Create bucket.

Select the VPC bucket and copy the ARN.

Search for and go to VPC.

Go to Your VPCs and select the Agricultural VPC. Go to the Flow logs tab and click Create flow log.

Give it the name my-vpc-flowlogs and choose Accept for Filter.

Scroll down to Destination and choose Send to an Amazon S3 bucket. Paste the bucket ARN copied earlier. Scroll to the bottom and click Create flow log. Wait 5-10 minutes for the logs to be delivered.

Ensure that the flow log is displayed before continuing.

Return to the S3 console and go to Buckets. Click the VPC bucket Name.

Click the AWSLogs folder.

Click the next folder.

Click the refresh button until the vpcflowlogs/ folder appears. Once it appears, click the folder.

Continue going through the folders until you reach one that contains .gz files. Select the top file, then click Download.

Open the downloaded file and locate any public IP address in the log file. In our case, the public IP is 67.220.242.18.
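The manual step above, locating a public IP in the downloaded log, does not scale past one file, so here is an added example (not part of the original walkthrough) that reads default-format VPC Flow Log records, keeps only records with a log-status of OK, and summarizes ACCEPT and REJECT counts for every public IP it finds. It goes slightly beyond the page by also emitting the /32 CIDR strings the network ACL rule expects. The sample records, account ID and ENI ID are constructed for this example; only the 67.220.242.18 address comes from the walkthrough.

```python
"""Added example: scan VPC Flow Log records for public remote IP addresses."""
import gzip
import ipaddress
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample log: the account ID, ENI ID, ports and timestamps are
# made up; 67.220.242.18 is the public IP named in the walkthrough.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 67.220.242.18 49152 443 6 12 3800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 67.220.242.18 10.0.1.25 443 49152 6 9 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 34567 3306 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 67.220.242.18 10.0.1.25 53211 22 6 1 60 1700000120 1700000180 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_records(lines):
    """Yield one dict per usable record; skip the header line and any
    NODATA/SKIPDATA record, which carries '-' instead of addresses."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        yield rec


def is_public(addr):
    """True for globally routable addresses; RFC 1918 and other
    reserved ranges (the VPC's own 10.0.0.0/8 traffic here) are excluded."""
    return ipaddress.ip_address(addr).is_global


def public_ip_summary(lines):
    """Return {public_ip: Counter({'ACCEPT': n, 'REJECT': m})} over all
    records where the public address is either source or destination."""
    summary = {}
    for rec in parse_records(lines):
        for key in ("srcaddr", "dstaddr"):
            addr = rec[key]
            if is_public(addr):
                summary.setdefault(addr, Counter())[rec["action"]] += 1
    return summary


def deny_cidrs(lines):
    """The /32 form of every public IP seen, ready to paste into a NACL rule."""
    return sorted(f"{ip}/32" for ip in public_ip_summary(lines))


def read_gz(path):
    """Stream the lines of a downloaded .gz flow log object."""
    with gzip.open(path, "rt") as fh:
        yield from fh


if __name__ == "__main__":
    # Swap SAMPLE_LOG.splitlines() for read_gz("<downloaded file>.log.gz").
    for ip, actions in public_ip_summary(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(actions))
    print(deny_cidrs(SAMPLE_LOG.splitlines()))
```

Run it against a real download by replacing the sample lines with read_gz(path). The is_global check is what separates the address you actually want from the VPC's own internal traffic, which dominates most flow log files.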

Return to the console and go to Network ACLs.

Select the Agricultural subnet and go to the Inbound rules tab. Click Edit inbound rules.

Click Add new rule. Enter 10 for Rule number and All traffic for Type. Paste the public IP address copied earlier and add /32 to the end. Choose Deny. Click Save changes.
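Rule number 10 matters because a network ACL evaluates rules in ascending order and applies the first match; the default ACL already carries rule 100 allowing all traffic, so a deny placed above 100 is never reached. The following added example (not code from the walkthrough or from AWS) models that first-match evaluation with a constructed rule list so the effect of the rule number can be checked. The same logic applies to the outbound rule added later in the walkthrough.

```python
"""Added example: first-match evaluation of network ACL rules."""
import ipaddress

# Rule tuples: (rule_number, protocol, cidr, action). Protocol "all" matches
# anything. This mirrors the default NACL, which has rule 100 allowing all
# traffic; the implicit '*' rule that denies anything unmatched is handled
# in evaluate() rather than stored here.
DEFAULT_ACL = [
    (100, "all", "0.0.0.0/0", "allow"),
]


def evaluate(rules, addr, protocol="tcp"):
    """Return 'allow' or 'deny' for addr: rules are checked in ascending
    number order, the first matching rule wins, and anything unmatched
    falls through to the '*' deny."""
    ip = ipaddress.ip_address(addr)
    for number, proto, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto not in ("all", protocol):
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "deny"


def add_deny(rules, number, cidr):
    """Return a new rule list with a deny-all-traffic rule for cidr.
    Rule numbers must be unique within an ACL."""
    if any(r[0] == number for r in rules):
        raise ValueError(f"rule number {number} already in use")
    return rules + [(number, "all", cidr, "deny")]


# The walkthrough's rule: number 10, All traffic, <public IP>/32, Deny.
INBOUND = add_deny(DEFAULT_ACL, 10, "67.220.242.18/32")

# Same deny placed after the allow-all rule: it never takes effect.
TOO_LATE = add_deny(DEFAULT_ACL, 200, "67.220.242.18/32")


if __name__ == "__main__":
    print("rule 10 :", evaluate(INBOUND, "67.220.242.18"))   # deny
    print("rule 200:", evaluate(TOO_LATE, "67.220.242.18"))  # allow
    print("other IP:", evaluate(INBOUND, "203.0.113.9"))     # allow
```

Because network ACLs are stateless, an inbound deny on its own only stops packets arriving from the address; packets the subnet sends to it are judged by the outbound rules, which is why the walkthrough adds the matching outbound deny as a separate step.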

Go to Subnets and select the Agricultural subnet. Go to the Flow logs tab and click Create flow log.

Give it the name my-blocked-flowlogs and select Reject for Filter.

Scroll down to Destination and select Send to S3 bucket. Paste the copied VPC bucket ARN from earlier. Scroll down and click Create flow log.

Go to the Flow logs tab and copy the two Flow log IDs for later use. Wait 5-10 minutes for the logs to be delivered.

Search for and go to S3.

Go to Buckets and click the VPC bucket name.

Go through the folders until you see the .gz files. Select an object whose file name contains the my-blocked-flowlogs flow log ID copied earlier. Click Download.

Return to the Network ACLs console. Select the Agricultural subnet and go to the Outbound rules tab. Click Edit outbound rules.

Click Add new rule. Enter 10 for Rule number and All traffic for Type. Paste the public IP address copied earlier and add /32 to the end. Choose Deny. Click Save changes. Success!