Intrusion Detection and Prevention on Amazon Web Services

In this course, we will discuss the fundamentals of intrusion detection and prevention on Amazon Web Services. We will explore the difference between IDS and IPS, and the difference between host-based intrusion prevention, and network-based Intrusion prevention. We’ll also discuss the various AWS architectures, how do you place an IPS, how do you write rules, how do you respond to the incidents that have been detected, and finally the partner solutions available for intrusion prevention with Amazon web services.

Intended audience

  • This course is for developers or operations engineers looking to deploy security solutions and applications on a production AWS platform
  • People studying for the AWS Security Specialty Certification exam

Prerequisites

  • Implementation experience with enterprise security packages
  • Familiarity with industry compliance and security standards including PCI DSS, ISO 27001, HIPAA, and NIST
  • Experience with architectures meeting industry standards such as SAS70, SOC1, FISMA, etc.
  • Fundamental understanding of TCP/IP protocols and packet analysis

Learning objectives

  • Recognize and explain the basics of Intrusion detection/prevention
  • Recognize and explain best practices in designing intrusion detection/prevention architecture
  • Recognize and explain the different types of rules that can be written
  • Recognize and explain core concepts of Incident response
  • Recognize and be able to implement how to go about writing rules
  • Gain an introduction to the various partner solutions available for IDS/IPS on AWS

This Course Includes

35 minutes of high-definition video.

What You'll Learn

  • Course Intro: What to expect from this course.
  • Fundamentals of Intrusion Detection and Prevention: In this lesson, we’ll define intrusion detection, and discuss AWS responsibility for security in the cloud, firewalls, and alerts.
  • IDS/IPS in Detail: In this lesson, we’ll dig deeper into the system architecture associated with IDS/IPS.
  • Rule Writing: In this lesson, we’ll go through rule options.
  • Responding to Incidents: In this lesson, we’ll look at how incidents are detected and the process for responding to them.
  • Architecting IDS/IPS for AWS: In this lesson, we’ll look at the various flavors of AWS architectures available and how we will architect the location and the placement of IDS and IPS devices in these architectures.
  • Administering and Managing the IDS/IPS: In this lesson, we’ll spend some time talking about some best practices in administering and managing your IDS and IPS.
  • Partner Solutions: In this lesson, we’ll look at the partners who offer IPS.
  • Conclusion: A summary and review of what you have learned.

Hello and welcome to the Intrusion Detection and Prevention course for AWS. The topics of discussion are: what is the difference between IDS and IPS? Also, what is the difference between host-based intrusion prevention and network-based intrusion prevention? Given the various AWS architectures, how do you place an IPS? How do you write rules, and how do you respond to the incidents that have been detected? And finally, the partner solutions available for intrusion prevention with Amazon Web Services.

Who should attend this course? This course is targeted at Cloud security specialists, Cloud architects, and security incident responders, typically, in an AWS environment. This is a pretty basic course and it's targeted at developers or operations engineers looking to deploy security solutions. Two plus years of experience in IT security, compliance, and risk management is definitely helpful, so as to get a good understanding of the fundamentals of why a particular intrusion prevention device is placed in a particular place in the architecture.

Networking fundamentals are a must, especially for rule writing. Packet analysis also helps us in better understanding incidents. Understanding of different AWS architectures is particularly useful because I will be talking about the placement of intrusion prevention devices in these different types of AWS architectures. What will you gain from this course? You will be able to distinguish between intrusion prevention and intrusion detection and have an idea of when to use which. You will be able to distinguish between host-based and network-based IPS and IDS. You will have a basic understanding of rule writing.

This is because most products today come with about 90% of the rules already pre-written. So, all you will be required to do is know how to add new rules to kind of customize the IDS or the IPS to your environment, or take an existing rule and customize it to your environment. You will have a basic understanding of how to respond to incidents that have been detected by your IDS or IPS. The meat of this course will focus on the different AWS architectures available and how the placement of the IPS and the IDS devices will vary with each one of these flavors. At the end of it, you will have a basic and fundamental understanding of how to place the IPS and IDS given any non-complex network architecture. We will also focus on the partner solutions available for IDS and IPS on AWS.

A little about myself, my name is Vish Chidambaram. I'm an enterprise security architect and a trainer. I have about 12 plus years of experience in the security industry and about 20 plus years of experience designing enterprise architectures. I've shared my LinkedIn page and if you are interested in contacting me, either to give me feedback, or to have me conduct any customized courses for yourself or for your organization, I can be reached at

About the Author

Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning Automation, Security Operation Analytics and Reporting, Threat Management Lifecycle, Agile/DevOps environments, SaaS/Cloud security, Business Development/Consulting, Program Management and more. Most recently Vish was the CISO at Rubicon Project, which is a SaaS-based ad marketplace. Here he was responsible for securing a high-performance SaaS platform with 40 billion transactions per day. He pioneered the integration of security in DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at or get in touch by writing to His LinkedIn page can be found at: