Installing Security Traffic Analyzer (STA)

This tutorial explains how to install the Coralogix Security Traffic Analyzer to monitor your AWS infrastructure for security issues and improve your organization’s security posture. We’ll start with the system and environment requirements of the STA and next we’ll go through the steps that are required for installing it.

System and environment requirements:

  1. A security group that will be used as the security group of the management interface (eth2) of the STA. This security group should at least allow the following communications:
    1. Outbound: To Coralogix on port 443/tcp (to send the data)
    2. Outbound: To anywhere on the Internet on port 43/tcp (whois)
    3. Outbound: To s3.amazonaws.com on port 80/tcp
    4. Outbound: To the relevant endpoints and protocols for your AWS region as detailed in this document: https://docs.aws.amazon.com/general/latest/gr/s3.html
    5. Outbound: To download.docker.com on port 443/tcp
    6. Outbound: To APT repositories on ports 80/tcp and 443/tcp
    7. Inbound: At least from your computer on port 22/tcp
  2. A private key that will be used to connect to the STA via SSH. Since the STA is usually exposed to highly sensitive information, and SSH access to it is almost never required, we strongly recommend that you use a dedicated key for the STA, store it in a single safe place, and make no additional copies of it.
  3. At least one available Elastic IP in your AWS account
  4. An S3 bucket for holding the STA configuration files (optional but highly recommended)
  5. An S3 bucket for keeping compressed pcap files (optional but recommended)
  6. The name and ID of the VPC you would like the STA to be installed in
  7. The name and ID of the subnet you would like the STA to be connected to
  8. If you would like to run the STA as a spot fleet, the maximum hourly price you or your organization is willing to pay AWS for the instance of the STA
  9. The application and subsystem names you would like to assign the data from this STA instance

What’s in the package? (or What will be installed)

During the installation, the following components will be installed in your AWS account depending on the choices you make on the installation UI:

  1. Spot fleet installation:
    1. IAM role and an instance profile with the following permissions (these are the default permissions and they should be limited manually to specific objects after the STA is installed):
      1. sts:AssumeRole for services ec2.amazonaws.com and spotfleet.amazonaws.com – This allows the EC2 and SpotFleet services to use this IAM role.
      2. cloudformation:DescribeStackResource on * – This is required by code in the instance to find out whether it was installed properly.
      3. elasticloadbalancing:DescribeInstanceHealth on * – This is required by code in the instance to find out whether it was installed properly.
      4. elasticloadbalancing:RegisterTargets on * – This is required for attaching two additional ENIs to the STA upon first boot of the spot.
      5. ec2:* on * – Required by the STA fleet manager to launch new spots or terminate spots. Also, this is required for attaching two additional ENIs to the STA upon first boot of the spot.
      6. s3:* on * – Required for S3 access to the config & packets buckets
    2. VPC Traffic Mirror Filter – This object is created as a stub to help you set up a mirroring session later. Without a mirror session (which is NOT created by the CloudFormation template) this object does nothing. Note that this mirror filter is built with an empty policy, meaning that using it as-is in a mirroring session will mirror all traffic to and from the mirrored ENI.
    3. VPC Traffic Mirror Target – This mirror target points at the sniffing NLB. Without a mirror session (which is NOT created by the CloudFormation template) this object won’t do anything and will simply facilitate the creation of a VPC Traffic Mirroring Session.
    4. A Security Group for the capturing interfaces (eth0 and eth1) – This security group allows the mirrored traffic to reach the STA for analysis and is attached (on the first boot of the STA instance) to the first two network interfaces, which are used by the STA for packet capturing (the first one for VXLAN-encapsulated traffic from AWS VPC Traffic Mirroring and the second one for raw traffic). By default, this security group allows all traffic to these network interfaces. Since there are no daemons listening on these interfaces, this doesn’t affect the security of the STA.
    5. An AWS ElasticIP which will be used as the STA’s public IP when sending the logs to Coralogix as well as for other outbound connections. This IP will be associated (on the first boot of the STA) with the third network interface and will also be used for connecting to the STA via SSH.
    6. An NLB, NLB Listener and an NLB target group which will be used for sending the mirrored traffic to the STA. The STA instance will be automatically registered as a target in this NLB target group by the CloudFormation process. Although the instance will appear as unhealthy in this target group this is perfectly normal and expected.
    7. If you selected the Wazuh/AWS Inspector integration, the following will also be created:
      1. An NLB, an NLB target group and two NLB listeners (one for Wazuh registrations and another for Wazuh traffic), created during the CloudFormation process and attached upon first boot of the STA.
    8. A spot fleet – This is the spot fleet that will launch the STA spot instance.
    9. The installation process will also set the SSH key pair for the STA instance to the key pair selected on the CloudFormation form.
    10. Upon first boot the STA will associate the security group you’ve selected on the CloudFormation form with the management network interface (eth2)
  2. On-demand installation:
    1. IAM role and an instance profile with the following permissions (these are the default permissions and they should be limited manually to specific objects after the STA is installed):
      1. sts:AssumeRole for services ec2.amazonaws.com – This allows the EC2 service to use this IAM role.
      2. cloudformation:DescribeStackResource on * – This is required by code in the instance to find out whether it was installed properly.
      3. elasticloadbalancing:DescribeInstanceHealth on * – This is required by code in the instance to find out whether it was installed properly.
      4. elasticloadbalancing:RegisterTargets on * – This is required for attaching two additional ENIs to the STA upon first boot of the instance.
      5. ec2:* on * – Required for attaching two additional ENIs to the STA upon first boot of the instance.
      6. s3:* on * – Required for S3 access to the config & packets buckets
    2. VPC Traffic Mirror Filter – This object is created as a stub to help you set up a mirroring session later. Without a mirror session (which is NOT created by the CloudFormation template) this object does nothing. Note that this mirror filter is built with an empty policy, meaning that using it as-is in a mirroring session will mirror all traffic to and from the mirrored ENI.
    3. VPC Traffic Mirror Target – This mirror target points at the sniffing NLB. Without a mirror session (which is NOT created by the CloudFormation template) this object won’t do anything and will simply facilitate the creation of a VPC Traffic Mirroring Session.
    4. A Security Group for the capturing interfaces (eth0 and eth1) – This security group allows the mirrored traffic to reach the STA for analysis and is attached (on the first boot of the STA instance) to the first two network interfaces, which are used by the STA for packet capturing (the first one for VXLAN-encapsulated traffic from AWS VPC Traffic Mirroring and the second one for raw traffic). By default, this security group allows all traffic to these network interfaces. Since there are no daemons listening on these interfaces, this doesn’t affect the security of the STA.
    5. An AWS ElasticIP which will be used as the STA’s public IP when sending the logs to Coralogix as well as for other outbound connections. This IP will be associated (on the first boot of the STA) with the third network interface and will also be used for connecting to the STA via SSH.
    6. An NLB, NLB Listener and an NLB target group which will be used for sending the mirrored traffic to the STA. The STA instance will be automatically registered as a target in this NLB target group by the CloudFormation process. Although the instance will appear as unhealthy in this target group this is perfectly normal and expected.
    7. If you selected the Wazuh/AWS Inspector integration, the following will also be created:
      1. An NLB, an NLB target group and two NLB listeners (one for Wazuh registrations and another for Wazuh traffic), created during the CloudFormation process and attached upon first boot of the STA.
    8. An EC2 instance – For hosting the STA.
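The two wildcard grants in both role variants above (ec2:* and s3:* on *) are what the note about limiting the permissions after installation refers to. The following added example (not Coralogix's code) builds a replacement policy whose S3 statements are scoped to the config and pcap buckets, and audits any policy document for Allow statements that pair a wildcard action with Resource "*"; the bucket names and the exact S3 actions the STA needs are assumptions.

```python
import json

# Default statements of the STA role as listed above (constructed from the page; the
# sts:AssumeRole trust relationship is a separate trust policy and is not shown here).
DEFAULT_STA_STATEMENTS = [
    {"Effect": "Allow", "Action": "cloudformation:DescribeStackResource", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:DescribeInstanceHealth", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:RegisterTargets", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]

def wildcard_statements(policy: dict) -> list:
    """Labels of Allow statements that pair a wildcard action with Resource "*"."""
    found = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            found.append(st.get("Sid", f"Statement[{i}]"))
    return found

def scoped_sta_policy(config_bucket: str, pcap_bucket: str) -> dict:
    """Replace "s3:* on *" with statements limited to the two STA buckets.

    Assumed minimum (verify against the STA's real S3 usage): list both buckets,
    read/write config objects, write pcap objects. ec2:* is left as the page
    says the fleet manager needs it; it still shows up in the audit below.
    """
    cfg, pcap = f"arn:aws:s3:::{config_bucket}", f"arn:aws:s3:::{pcap_bucket}"
    non_s3 = [s for s in DEFAULT_STA_STATEMENTS if not s["Action"].startswith("s3:")]
    return {"Version": "2012-10-17", "Statement": non_s3 + [
        {"Sid": "ListStaBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": [cfg, pcap]},
        {"Sid": "ConfigReadWrite", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": [f"{cfg}/*"]},
        {"Sid": "PcapWrite", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": [f"{pcap}/*"]},
    ]}

if __name__ == "__main__":
    # Bucket names are placeholders; substitute your own before applying the policy.
    scoped = scoped_sta_policy("example-sta-config", "example-sta-pcaps")
    print("still wildcard:", wildcard_statements(scoped))
    print(json.dumps(scoped, indent=2))
```

The audit still flags ec2:* in the scoped policy, which is the next statement to narrow once you know which EC2 API calls the fleet manager actually makes.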

The installation process of the STA:

  1. Contact Coralogix customer support to enable the Cloud Security feature for your account
  2. Log in to your Coralogix account and then navigate to Settings => Cloud Security
  3. Set the application and subsystem names you would like to assign the data from this STA instance
  4. Select whether Wazuh/AWS Inspector is needed
  5. Select the size of the STA you’ll need (small, medium or large)
  6. Select whether the STA instance should run as a spot fleet or as an on-demand instance
  7. Select the AWS region in which you would like the STA to be installed (normally, the best option is the same region as the instances you’d like to monitor)
  8. On another tab, make sure you are logged in to the correct AWS account
  9. Click on the “LAUNCH AWS CLOUDFORMATION” button. You’ll be redirected to an AWS CloudFormation form
  10. In the AWS CloudFormation form, choose the instance type you would like to use (applicable for on-demand installations only)
  11. Set the name of the S3 bucket you would like the STA to use to update/pull configuration to/from (optional but highly recommended)
  12. Set the SSH key name you would like to use for the STA
  13. Set the security group that will be used for the management interface
  14. Set the name of the S3 bucket you would like the STA to upload compressed pcap files to (optional but recommended; if you choose to use it, remember to create a lifecycle cleanup rule on this bucket to prevent it from growing too large)
  15. Set the subnet and VPC IDs you would like the STA to be connected to
  16. Tick the box below that says “I acknowledge that AWS CloudFormation might create IAM resources.”
  17. Click “Create stack”. While it is creating all the necessary resources in your AWS account, you can go ahead and install the Automatic VPC Traffic Mirroring handler as described here.
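For the lifecycle cleanup mentioned in step 14, an added example (not from Coralogix) that builds the lifecycle configuration for the pcap bucket; the 30-day retention, rule ID and prefix are assumptions.

```python
import json

def pcap_lifecycle_config(expire_days: int, prefix: str = "") -> dict:
    """S3 lifecycle configuration for the STA pcap bucket.

    Expires pcap objects after expire_days and aborts multipart uploads the
    STA never completed, so neither can keep the bucket growing. Values are
    assumptions; pick a retention that matches your investigation needs.
    """
    if expire_days < 1:
        raise ValueError("expire_days must be a positive number of days")
    rule = {
        "ID": "expire-sta-pcaps",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},  # "" applies the rule to the whole bucket
        "Expiration": {"Days": expire_days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
    }
    return {"Rules": [rule]}

if __name__ == "__main__":
    # Writes the document that `aws s3api put-bucket-lifecycle-configuration
    # --bucket <pcap-bucket> --lifecycle-configuration file://pcap-lifecycle.json` expects.
    with open("pcap-lifecycle.json", "w") as fh:
        json.dump(pcap_lifecycle_config(30), fh, indent=2)
```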

Now that you have completed these steps, you are probably wondering what the coolest features of the STA are; you can find them here.
