Overview

This guide provides comprehensive instructions for deploying Enigma’s traffic analysis solution in your Amazon Web Services (AWS) environment.

Enigma’s traffic analysis solution works by capturing network traffic via AWS Traffic Mirroring, analyzing it through our specialized collectors, and providing actionable security insights through our AI dashboard.

Architecture

The Enigma solution’s architecture consists of:

Enigma AI Dashboard: Web interface for viewing analysis results and security insights

Traffic Sources: Your existing EC2 instances and resources in AWS that generate network traffic

Traffic Mirroring: AWS’s capability to copy network traffic without service disruption

Enigma Collector(s): Specialized instances that process and analyze network traffic

Prerequisites

Before beginning the installation, ensure you have:

• An AWS account with appropriate permissions to:
  • Create and modify VPCs and subnets
  • Launch EC2 instances
  • Configure auto scaling groups
  • Set up load balancers
  • Configure traffic mirroring
  • Create IAM roles and policies
• Existing VPC with running workloads (EC2 instances)
• Your unique API key provided by your Enigma representative

Deployment Options

Enigma offers three deployment options to accommodate different organizational needs:

Option 1: Standard Deployment (Same VPC)

Overview: Deploy the Enigma collector infrastructure within your existing VPC, using a load balancer and auto-scaling group.

Best for: Most organizations, standard production environments, direct integration with existing resources.

Advantages:

• Simplified deployment within existing infrastructure
• Reduced networking complexity
• Direct access to resources being monitored
• Efficient traffic flow without crossing VPC boundaries

Technical Architecture:

• Collector EC2 instances in your existing VPC
• Network Load Balancer for traffic distribution
• Auto Scaling Group for high availability
• Traffic mirroring configured within the same VPC

Option 2: Security VPC Deployment (Enhanced Isolation)

Overview: Deploy the Enigma collector infrastructure in a separate VPC dedicated to security monitoring.

Best for: Organizations with strict security isolation requirements or multiple existing VPCs to monitor.

Advantages:

• Security monitoring isolated from production workloads
• Can monitor multiple VPCs from a centralized location
• Enhanced security control and governance
• Reduced exposure of monitoring infrastructure

Technical Architecture:

• Dedicated security VPC for Enigma infrastructure
• VPC peering or Transit Gateway connections to workload VPCs
• Cross-VPC traffic mirroring configuration
• Independent security controls for monitoring infrastructure

Option 3: Security Account Deployment (Maximum Isolation)

Overview: Deploy the Enigma collector infrastructure in a completely separate AWS account dedicated to security functions.

Best for: Enterprises with stringent security requirements, organizations following strict compliance frameworks, multi-account environments.

Advantages:

• Complete account-level isolation of security infrastructure
• Alignment with AWS best practices for multi-account security
• Centralized security monitoring across all organizational accounts
• Independent IAM governance and access controls
• Simplified compliance and audit processes

Technical Architecture:

• Dedicated AWS account for security functions
• AWS Organizations integration
• Cross-account traffic mirroring
• Centralized logging and monitoring

Deployment Instructions

Option 1: Standard Deployment (Same VPC)

Follow these steps to deploy the Enigma collector within your existing VPC:

1. Set Up Collector Infrastructure

1.1 Create Collector Instance Template

1. Navigate to EC2 Console > Launch Template > Create Template
2. Configure the template:
   • AMI: Ubuntu 22.04 LTS
   • Instance Type: t3.medium (minimum recommendation)
   • Security Group: Create new or use existing with UDP port 4789 open
   • SSH Key: Create new or use existing
3. Complete template creation and download the SSH key if you created a new one

1.2 Create Collector Auto Scaling Group

1. Go to EC2 Console > Auto Scaling Groups > Create Auto Scaling Group
2. Select the instance template created in the previous step
3. Configure the Auto Scaling Group:
   • Desired Capacity: 1
   • Subnet: Select subnets in your VPC
4. Review and create the Auto Scaling Group

2. Configure Load Balancing

2.1 Create Target Group

1. Navigate to EC2 Console > Target Groups > Create Target Group
2. Configure the target group:
   • Target Type: Instances
   • Protocol: UDP
   • Port: 4789
   • VPC: Select your VPC
3. Register targets from your Auto Scaling Group
4. Create the target group

2.2 Create Network Load Balancer

1. Go to EC2 Console > Load Balancers > Create Load Balancer
2. Select Network Load Balancer
3. Configure the load balancer:
   • Scheme: Internal
   • IP Address Type: IPv4
   • VPC: Select your VPC
   • Mappings: Select subnets
4. Configure listener:
   • Protocol: UDP
   • Port: 4789
   • Default Action: Forward to your target group
5. Create the load balancer

3. Set Up Traffic Mirroring

3.1 Create Traffic Mirroring Target

1. Navigate to VPC Console > Traffic Mirroring > Mirror Targets > Create Traffic Mirror Target
2. Select Network Load Balancer as the target type
3. Choose the Network Load Balancer created in the previous step
4. Create the mirror target

3.2 Create Traffic Mirroring Filter

1. Go to VPC Console > Traffic Mirroring > Mirror Filters > Create Traffic Mirror Filter
2. Add inbound rules:
   • Allow TCP (protocol 6)
   • Allow UDP (protocol 17)
   • Allow ICMP (protocol 1)
3. Create the mirror filter

3.3 Create Traffic Mirroring Session

For each network interface you want to monitor:

1. Navigate to VPC Console > Traffic Mirroring > Mirror Sessions > Create Traffic Mirror Session
2. Configure the session:
   • Mirror Source: Select the ENI (Elastic Network Interface) to monitor
   • Mirror Target: Select your mirror target (NLB)
   • Mirror Filter: Select your mirror filter
   • Session Number: Assign a unique number (1-32766)
   • Virtual Network ID: 100 (or any unique VXLAN ID)
3. Create the mirror session

4. Install the Enigma Agent

Based on the VM’s OS please use one of the following docs to install Enigma Agent on the VM:

• Ubuntu/Debian Agent Install

Option 2: Security VPC Deployment (Enhanced Isolation)

1. Create Security VPC

1. Navigate to VPC Console > Your VPCs > Create VPC
2. Configure the VPC:
   • Name: enigma-security-vpc
   • IPv4 CIDR: Choose a non-overlapping CIDR block (e.g., 10.100.0.0/16)
3. Click Create VPC

2. Create Subnets in Security VPC

1. Go to VPC Console > Subnets > Create subnet
2. Create at least two subnets in different Availability Zones:
   • Name: enigma-security-subnet-az1
   • VPC: Select the security VPC
   • Availability Zone: Choose first AZ
   • IPv4 CIDR: Choose appropriate CIDR (e.g., 10.100.1.0/24)
3. Repeat for second subnet in different AZ

3. Set Up VPC Connectivity

Option A: VPC Peering (Simpler, for monitoring a single VPC)

1. Navigate to VPC Console > Peering Connections > Create Peering Connection
2. Configure the peering:
   • Name: workload-to-security-peering
   • Requester: Security VPC
   • Accepter: Workload VPC
3. Create peering connection
4. Accept the peering connection request
5. Update route tables in both VPCs to allow traffic flow through the peering connection

Option B: Transit Gateway (More complex, for monitoring multiple VPCs)

1. Go to VPC Console > Transit Gateways > Create Transit Gateway
2. Create Transit Gateway with default settings
3. Create Transit Gateway attachments for the Security VPC and each Workload VPC
4. Update route tables to route traffic through the Transit Gateway

4. Configure Collector Infrastructure in Security VPC

Follow the steps in Option 1 (Sections 1 and 2) to set up the collector instances, auto-scaling group, and load balancer, but deploy everything in the Security VPC.

5. Set Up Cross-VPC Traffic Mirroring

1. Create the Traffic Mirroring Target in the Security VPC as in Option 1
2. Create the Traffic Mirroring Filter as in Option 1
3. Create Traffic Mirroring Sessions for each ENI in the Workload VPC, but direct traffic to the mirroring target in the Security VPC

6. Install the Enigma Agent

Install the Enigma agent on the collector instance as described in Option 1, Step 4.

Option 3: Security Account Deployment (Maximum Isolation)

1. Prepare Security Account

1. If using AWS Organizations, create a dedicated account for security functions
2. If not using AWS Organizations, create a new AWS account and establish appropriate IAM roles

2. Set Up Cross-Account Access

In the Security Account, create an IAM role that allows the Workload Account to mirror traffic:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::WORKLOAD_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition":
    }
  ]
}

Attach policies to allow traffic mirroring:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTrafficMirrorSession",
        "ec2:DescribeTrafficMirrorSessions",
        "ec2:DescribeTrafficMirrorTargets",
        "ec2:DescribeTrafficMirrorFilters"
      ],
      "Resource": "*"
    }
  ]
}

3. Create Security VPC in Security Account

Create a VPC in the Security Account following the steps in Option 2, Section 1.

4. Establish VPC Connectivity Between Accounts

Using AWS Transit Gateway (Recommended)

1. Create a Transit Gateway in the Security Account
2. Share the Transit Gateway with the Workload Account using AWS Resource Access Manager
3. Create Transit Gateway attachments in both accounts
4. Update route tables in both accounts

5. Deploy Collector Infrastructure in Security Account

Follow the steps in Option 1 (Sections 1 and 2) to set up the collector infrastructure in the Security Account VPC.

6. Configure Cross-Account Traffic Mirroring

1. In the Security Account, create the Traffic Mirroring Target
2. In the Security Account, create the Traffic Mirroring Filter
3. In the Workload Account, assume the cross-account role and create Traffic Mirroring Sessions that point to the target in the Security Account

7. Install the Enigma Agent

Install the Enigma agent on the collector instance as described in Option 1, Step 4.

Verification and Troubleshooting

After completing the installation, verify that your Enigma solution is working properly:

Verification Steps

1. Check Instance Status:
   • Ensure all collector instances are running
   • Verify they can access the internet
2. Verify Traffic Mirroring:
   • Check that your Traffic Mirror Sessions are in “Active” state
   • SSH into a collector instance and use tcpdump to verify traffic is being received: sudo tcpdump -i any -n udp port 4789
   • Generate some test traffic between monitored instances and confirm it appears
3. Verify Agent Installation:
   • SSH into collector instances
   • Check the Enigma agent logs: sudo tail -f /opt/enigma/log/capture.log
   • Look for successful packet captures and processing
4. Access the Enigma Dashboard:
   • Log in to the Enigma AI dashboard at https://enigmaai.net/
   • Verify that data is being received (may take up to 1 hour)

Common Issues and Solutions

1. No traffic visible in tcpdump:
   • Verify Traffic Mirror Session is active
   • Check that monitored instances are generating traffic
   • Confirm security groups allow UDP 4789
   • Ensure route tables are correctly configured for cross-VPC/cross-account setups
2. Agent Installation Failures:
   • Verify your instance has internet access
   • Ensure you’re using a supported OS version
   • Check you have sufficient permissions
3. No data transmitted to Enigma:
   • Ensure NLB health checks are passing
   • Verify packet captures contain expected traffic
   • Check network connectivity between components
4. VPC Peering or Transit Gateway Issues:
   • Verify connections are active
   • Check route tables in all VPCs
   • Ensure security groups allow necessary traffic

Accessing the Enigma AI Dashboard

After successful installation, follow these steps to access the Enigma AI dashboard:

1. Contact your Enigma account representative to provide email addresses for users who need dashboard access
2. Users will receive account setup instructions via email
3. Follow the instructions to set up multi-factor authentication (MFA)
4. Log in to the Enigma AI dashboard at https://enigmaai.net/