Who is breaking into your EC2 instance? Find out with Flow Logs
Ever wondered who is trying to break into your EC2 instance? Or why your micro-service architecture works sometimes, and not others? Or if your Database's security group is correctly configured to block everyone but your webapp?
Watch our short video (2:42) to find out, and don't forget about our 30-day free trial:
AWS has a feature called VPC Flow Logs that logs all packets coming and going from your instance. It's powerful and inexpensive. But AWS dumps all of your data into CloudWatch Logs, and leaves it up to you to make sense of the data:
Are these incomprehensible, or is just me?
Enter PiaSoft's Flow Log Viewer. These are logs from the very same instance:
Our Flow Log viewer organizes data into sortable columns, performs reverse DNS lookups on all IPs, annotates your private IPs for easy identification, and maps ports and protocols to familiar services (like ssh, SMB, mysql, etc).
With these two tools, you can do things like:
See all accepted connections to your instance. Is there anything fishy here?
See ports on your instance that are accepting connections. Did you mean to leave that open?
See IPs that are connecting to your instance over and over. Is this an attack? Should you block that IP?
See if a packet that was REJECTed should have been ACCEPTed to debug a security group.