The Cloud IPS architecture in AWS consists of:
  • Your VPC containing an Internet Gateway (IGW).
  • A Firewall Public Subnet with the AWS Network Firewall Endpoint, running TrendAI Vision One™ managed rule groups (Malware, Client CVE, Server CVE).
  • An Application Subnet (Private) hosting your workloads (e.g., EC2, EKS, ECS, Lambda).
The following sections describe example scenarios in which Cloud IPS protects your environment using TrendAI Vision One™ managed rule groups.
Note
These examples illustrate how Cloud IPS provides protection; the Cloud IPS rule groups cover a broad range of potential use cases in your environment.
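The three managed rule groups above are attached to your workloads through an AWS Network Firewall policy. The block below is an added example, not Trend Micro's or AWS's own code: it builds the policy document in the shape boto3's `create_firewall_policy` expects (strict rule order, every packet forwarded to the stateful engine, the three groups chained by priority) and checks it for the mistakes that silently weaken inspection. The rule group ARNs are placeholders; the real ones come from your AWS Marketplace subscription. Nothing here calls AWS.

```python
"""Build and sanity-check the AWS Network Firewall policy that chains the three
TrendAI Vision One managed rule groups.

Added example, not Trend Micro's or AWS's own code.  The ARNs are placeholders
(the real ones come from your AWS Marketplace subscription); the dictionary
has the shape of boto3's NetworkFirewall.create_firewall_policy
``FirewallPolicy`` parameter, but nothing here calls AWS.
"""
from typing import Dict, List

# Placeholder ARNs, named after the rule groups this page describes.
TRENDAI_RULE_GROUP_ARNS = [
    "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/TrendAI-MalwareBlockStrictOrder",
    "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/TrendAI-CVEClientBlockStrictOrder",
    "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/TrendAI-CVEServerBlockStrictOrder",
]


def build_policy(rule_group_arns: List[str]) -> Dict:
    """Return a FirewallPolicy document that sends every packet to the stateful
    engine and evaluates the given rule groups in strict priority order."""
    return {
        # Stateless layer: forward everything (fragments included) to the
        # stateful engine so the managed rule groups inspect every flow.
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        # The *StrictOrder rule groups can only be referenced from a policy
        # whose stateful engine also runs in STRICT_ORDER.
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        # Priority decides evaluation order; lower numbers run first.
        "StatefulRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": prio}
            for prio, arn in enumerate(rule_group_arns, start=1)
        ],
        # No StatefulDefaultActions: flows that match no block rule pass,
        # which is the behaviour the scenarios on this page rely on.
    }


def validate_policy(policy: Dict, required_arns: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is sound."""
    findings = []
    if policy.get("StatefulEngineOptions", {}).get("RuleOrder") != "STRICT_ORDER":
        findings.append("stateful engine is not in STRICT_ORDER")
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if policy.get(key) != ["aws:forward_to_sfe"]:
            findings.append(f"{key} does not forward to the stateful engine")
    refs = policy.get("StatefulRuleGroupReferences", [])
    priorities = [r.get("Priority") for r in refs]
    if len(set(priorities)) != len(priorities):
        findings.append("duplicate rule group priorities")
    present = {r.get("ResourceArn") for r in refs}
    for arn in required_arns:
        if arn not in present:
            findings.append(f"missing rule group: {arn.rsplit('/', 1)[-1]}")
    return findings


if __name__ == "__main__":
    import json
    policy = build_policy(TRENDAI_RULE_GROUP_ARNS)
    print(json.dumps(policy, indent=2))
    print("findings:", validate_policy(policy, TRENDAI_RULE_GROUP_ARNS))
```

Run `validate_policy` against the policy you actually deploy (the `FirewallPolicy` element returned by `describe_firewall_policy`): a policy left in `DEFAULT_ACTION_ORDER`, a stateless default that drops or passes instead of forwarding to the stateful engine, or a rule group dropped from the reference list each show up as a finding before any traffic flows through it.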

Malware protection - Outbound C2 blocking

Scenario: An EC2 instance infected with malware attempts to communicate with a command-and-control server.
Traffic Flow:
  1. Malware on EC2 instance (private subnet) attempts outbound connection.
  2. Traffic routes to AWS Network Firewall endpoint in firewall subnet.
  3. The TrendAI-MalwareBlockStrictOrder rule group inspects traffic.
  4. Malicious C2 traffic is blocked and logged.
  5. Legitimate traffic continues to NAT Gateway, then Internet Gateway.
Applies to: North-south and east-west traffic from EC2, ECS, EKS, Lambda, and other AWS services.

Server-side CVE protection - Inbound exploit blocking

Scenario: External attacker attempts to exploit server-side vulnerability in your application.
Traffic Flow:
  1. A bad actor sends an exploit attempt from the internet.
  2. Traffic enters through the Internet Gateway.
  3. Traffic routes to the AWS Network Firewall endpoint.
  4. The TrendAI-CVEServerBlockStrictOrder rule group inspects traffic.
  5. Exploit attempt is blocked and logged.
  6. Legitimate traffic continues to Public ALB, then Application servers.
Applies to: North-south and east-west traffic to EC2, ECS, EKS, Lambda, and other application servers.

Client-side CVE protection - Bidirectional exploit blocking

Scenario: Compromised workload attempts to exploit external server.
Traffic Flow:
  1. EC2 instance in a private subnet initiates a legitimate outbound API request to an external service.
  2. Traffic is routed to the AWS Network Firewall endpoint via the subnet route table.
  3. The TrendAI-CVEClientBlockStrictOrder rule group inspects the bidirectional traffic, including server responses.
  4. A malicious response containing a client-side CVE exploit payload is blocked and logged.
  5. Legitimate traffic continues through the NAT Gateway, Internet Gateway, then External service.
Applies to: North-south and east-west traffic from EC2, ECS, EKS, Lambda, and other workloads.
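All three traffic flows above depend on one thing: the subnet route tables actually steer traffic through the Network Firewall endpoint. If an application subnet's default route points straight at a NAT Gateway, or the Internet Gateway has no ingress route table sending inbound traffic to the firewall, the rule groups never see the flow and nothing is blocked or logged. The block below is an added example, not Trend Micro's or AWS's own code: it checks route tables in the shape of the EC2 `DescribeRouteTables` output for exactly those bypasses. The route tables and resource IDs are constructed placeholders so the check runs offline; to use it on a real VPC, pass in the `RouteTables` list from that API call together with your firewall endpoint ID, workload subnet IDs and public subnet CIDRs.

```python
"""Detect VPC routes that let traffic bypass the Network Firewall endpoint.

Added example, not Trend Micro's or AWS's own code.  The route tables below
are constructed inline in the shape of EC2 DescribeRouteTables output
(resource IDs are placeholders), so the check runs offline; to run it against
a real VPC, feed it the "RouteTables" list from that API call.
"""
import copy
from typing import Dict, List, Set

FIREWALL_ENDPOINT = "vpce-0fw000000000000aa"     # Network Firewall endpoint (placeholder)
WORKLOAD_SUBNETS: Set[str] = {"subnet-0app00000000000aa"}  # application (private) subnets
PUBLIC_CIDRS = ["10.0.1.0/24"]                   # firewall public subnet, where the ALB lives

# Constructed reference routing for the architecture on this page.
GOOD_ROUTE_TABLES: List[Dict] = [
    {   # application subnet: all egress goes to the firewall endpoint first
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-0app00000000000aa"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": FIREWALL_ENDPOINT},
        ],
    },
    {   # firewall subnet: inspected traffic leaves through the IGW
        # (a NAT Gateway between firewall and IGW is not modeled here)
        "RouteTableId": "rtb-fw",
        "Associations": [{"SubnetId": "subnet-0fw000000000000aa"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
        ],
    },
    {   # ingress route table on the IGW: inbound traffic for the public
        # subnet is steered to the firewall endpoint before reaching the ALB
        "RouteTableId": "rtb-igw-ingress",
        "Associations": [{"GatewayId": "igw-0123456789abcdef0"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "10.0.1.0/24", "VpcEndpointId": FIREWALL_ENDPOINT},
        ],
    },
]


def route_target(route: Dict) -> str:
    """DescribeRouteTables spreads the target across several optional keys."""
    for key in ("VpcEndpointId", "NatGatewayId", "GatewayId",
                "TransitGatewayId", "NetworkInterfaceId", "InstanceId"):
        if key in route:
            return route[key]
    return "none"


def find_bypasses(route_tables: List[Dict], firewall_endpoint: str,
                  workload_subnets: Set[str], public_cidrs: List[str]) -> List[str]:
    """Return one finding per route that lets traffic skip the firewall endpoint."""
    findings = []
    for rt in route_tables:
        routes = {r["DestinationCidrBlock"]: route_target(r) for r in rt.get("Routes", [])}
        for assoc in rt.get("Associations", []):
            if assoc.get("GatewayId", "").startswith("igw-"):
                # Inbound (server-side CVE scenario): every public CIDR must be
                # routed to the firewall endpoint by the IGW ingress table.
                for cidr in public_cidrs:
                    if routes.get(cidr) != firewall_endpoint:
                        findings.append(f"{rt['RouteTableId']}: inbound to {cidr} bypasses "
                                        f"firewall (target={routes.get(cidr, 'none')})")
            elif assoc.get("SubnetId") in workload_subnets:
                # Outbound (malware C2 and client-side CVE scenarios): the
                # workload subnet's default route must be the firewall endpoint.
                target = routes.get("0.0.0.0/0", "none")
                if target != firewall_endpoint:
                    findings.append(f"{assoc['SubnetId']}: default route {target} bypasses firewall")
    return findings


def misrouted_example() -> List[Dict]:
    """Constructed misconfiguration: the app subnet's default route goes to a NAT Gateway."""
    tables = copy.deepcopy(GOOD_ROUTE_TABLES)
    tables[0]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0",
                              "NatGatewayId": "nat-0123456789abcdef0"}
    return tables


if __name__ == "__main__":
    print("reference:", find_bypasses(GOOD_ROUTE_TABLES, FIREWALL_ENDPOINT, WORKLOAD_SUBNETS, PUBLIC_CIDRS))
    print("misrouted:", find_bypasses(misrouted_example(), FIREWALL_ENDPOINT, WORKLOAD_SUBNETS, PUBLIC_CIDRS))
```

The check deliberately treats the workload subnets and public CIDRs as inputs rather than inferring them, because `DescribeRouteTables` does not say which subnets are the protected ones; a route table with no association at all is also worth listing separately, since an unassociated "correct" table protects nothing.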