This is an amazing service. At this point, combined with the CloudWatch to Kinesis announcement earlier, AWS can pretty much act as a near-realtime IDS. If every packet headed into the VPC can be collected, analyzed, and acted upon, the opportunity is endless.
On a practical note, I enabled this on an account and have set up metric filters. Being able to see charts and graphs of failed SSH attempts and attacks by port is really cool.
Even if you run a low-traffic or no-traffic instance you'll almost undoubtedly have REJECT packets. I enabled it on a VPC I barely use and had 100 events in a few minutes of rejected packets from port scanners and other attackers.
I really wish they would give us a way to get full packet capture from the entire VPC.
Simply add a SPAN option so that we can send all traffic to a specific network interface (ENI). Or at the very least allow us to define custom routers (versus the VPC routes), where we could then capture/span/analyze/etc. - this would provide us the means to analyze traffic from one VPC to another and inbound/outbound traffic.
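The "rejected packets by port" and "failed SSH attempts" counts the metric-filter comment above describes, worked through offline as an added example (not any commenter's code): it parses default-format VPC Flow Log records, skips NODATA/SKIPDATA rows, and aggregates REJECT records by destination port. All ids, addresses and timestamps in the sample are constructed.

```python
# Added example (not any commenter's code): count VPC Flow Log REJECT records
# by destination port, offline, the way a CloudWatch metric filter on the
# flow log group would (e.g. a pattern on action="REJECT" and dstport=22).
from collections import Counter

# Default VPC Flow Log (version 2) field order, space separated.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start",
    "end", "action", "log_status",
]

# Constructed sample records; addresses, ids and timestamps are made up.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51112 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51113 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 40001 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.15 33000 443 6 12 5120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 40002 22 6 1 40 1700000000 1700000060 REJECT OK
"""

def parse_flow_log(text):
    """Yield one dict per record with packet data; skip NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA/SKIPDATA rows have '-' in the packet fields
            yield rec

def rejects_by_port(text):
    """Counter of REJECT records keyed by destination port."""
    counts = Counter()
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            counts[int(rec["dstport"])] += 1
    return counts

def failed_ssh_sources(text):
    """Distinct source addresses whose TCP/22 traffic was rejected."""
    return sorted({rec["srcaddr"] for rec in parse_flow_log(text)
                   if rec["action"] == "REJECT" and rec["protocol"] == "6"
                   and rec["dstport"] == "22"})

if __name__ == "__main__":
    for port, n in rejects_by_port(SAMPLE_LOG).most_common():
        print(f"port {port}: {n} rejected")
    print("sources probing SSH:", failed_ssh_sources(SAMPLE_LOG))
```

The same aggregation in CloudWatch is a metric filter on the flow log group keyed on the action and dstport fields; this script is only the offline equivalent for checking what such a filter would count.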