AWS Deploy: Overview

Document created by RSA Information Design and Development Employee on Feb 6, 2018. Last modified by RSA Product Team on May 13, 2020.
Version 15

Before you can deploy RSA NetWitness Platform in Amazon Web Services (AWS), you need to:

  • Understand the requirements of your enterprise.
  • Know the scope of a NetWitness Platform deployment.

When you are ready to begin deployment:

  • Make sure that you have a NetWitness Platform "Throughput" license.
  • For packet capture in AWS, you can purchase either of the following third-party solutions. If you engage one of these third parties, they will assign you an account representative and a professional services engineer who will work closely with RSA Support.

AWS Environment Recommendations

AWS instances have the same functionality as the NetWitness Platform hardware hosts. RSA recommends that you perform the following tasks when you set up your AWS environment.

  • Based on the resource requirements of the different components, follow the best practices to use the system and the dedicated storage Elastic Block Store (EBS) Volumes appropriately.
  • Make sure that the compute capacity provides a write speed 10% greater than the required sustained capture and ingest rate for the deployment.
  • Build the Concentrator directory for the index database on Provisioned IOPS SSD.
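
A preflight check for the recommendations above, added here as an illustration and not taken from RSA's documentation or tooling: it audits constructed `describe-instances` and `describe-volumes` JSON for EBS optimization, ENA enhanced networking, a Provisioned IOPS index volume, and the 10% write-speed margin. The `nw-role` tag, the instance and volume IDs, and the operator-supplied measured write speeds are assumptions.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` and
# `describe-volumes` output (trimmed). IDs and the "nw-role" tag are hypothetical.
INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa", "EbsOptimized": true, "EnaSupport": true,
   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-index1"}}]},
  {"InstanceId": "i-0bbb", "EbsOptimized": false,
   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-index2"}}]}]}]}""")
VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-index1", "VolumeType": "io1",
   "Tags": [{"Key": "nw-role", "Value": "concentrator-index"}]},
  {"VolumeId": "vol-index2", "VolumeType": "gp2",
   "Tags": [{"Key": "nw-role", "Value": "concentrator-index"}]}]}""")

PIOPS_TYPES = {"io1", "io2"}  # EC2 API names for Provisioned IOPS SSD volumes


def required_write_mb_s(capture_mbps):
    """Sustained capture rate (Mbps) -> minimum write speed (MB/s), 10% headroom."""
    return capture_mbps / 8 * 1.10


def audit(instances, volumes, capture_mbps, measured_write_mb_s):
    """Return {instance_id: [findings]}; an empty list means every check passed."""
    vols = {v["VolumeId"]: v for v in volumes["Volumes"]}
    need = required_write_mb_s(capture_mbps)
    report = {}
    for inst in (i for r in instances["Reservations"] for i in r["Instances"]):
        findings = []
        if not inst.get("EbsOptimized", False):
            findings.append("not EBS-optimized")
        if not inst.get("EnaSupport", False):
            findings.append("ENA enhanced networking not enabled")
        for bdm in inst.get("BlockDeviceMappings", []):
            vol = vols.get(bdm.get("Ebs", {}).get("VolumeId"), {})
            tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
            if (tags.get("nw-role") == "concentrator-index"
                    and vol.get("VolumeType") not in PIOPS_TYPES):
                findings.append(f"index volume {vol['VolumeId']} is "
                                f"{vol['VolumeType']}, not Provisioned IOPS SSD")
        got = measured_write_mb_s.get(inst["InstanceId"], 0.0)
        if got < need:
            findings.append(f"write {got:.0f} MB/s < required {need:.1f} MB/s")
        report[inst["InstanceId"]] = findings
    return report

if __name__ == "__main__":
    print(audit(INSTANCES, VOLUMES, 1000, {"i-0aaa": 160, "i-0bbb": 120}))
```

An instance with no measured write speed is treated as 0 MB/s and fails the margin check, so a missing benchmark cannot pass silently.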

Abbreviations and Other Terminology Used in this Guide

AMI: Amazon Machine Image
AWS: Amazon Web Services
BYOL: Bring your own licensing
CPU: Central Processing Unit
Dedicated Instance: AWS Dedicated Instances run in a VPC on hardware that is dedicated to a single customer. Dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts. Dedicated instances may share hardware with other instances from the same AWS account that are not Dedicated instances. For more information on dedicated instances, see the AWS "Amazon EC2 Dedicated Instance" documentation.
EBS-Optimized Instance: An Amazon EBS–optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. For more information on EBS-optimized instances, see the AWS "Amazon EBS–Optimized Instances" documentation.
EBS Volume: An Elastic Block Store (EBS) volume is a highly available and reliable storage volume that you can attach to any running instance that is in the same Availability Zone. For more information on EBS Volumes, see the AWS "Amazon EBS Volumes" documentation.
EC2 instance: Virtual server in AWS Elastic Compute Cloud (EC2) for running applications on the AWS infrastructure. See also Instance.
Enhanced Networking Enabled: Enhanced networking provides higher bandwidth, higher packet-per-second performance, and consistently lower inter-instance latencies. If your packets-per-second rate appears to have reached its threshold, you must consider moving to enhanced networking because you may have reached the upper thresholds of the virtual machine network interface (VIF) driver. For more information on enhanced networking, see the AWS "How do I enable and configure enhanced networking on my EC2 instances" documentation.
EPS: Events Per Second
GB: Gigabyte. 1 GB = 1,000,000,000 bytes.
Gb: Gigabit. 1 Gb = 1,000,000,000 bits.
Gbps: Gigabits per second or billions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
GHz: Gigahertz. 1 GHz = 1,000,000,000 Hz.
HDD: Hard Disk Drive
Instance: A virtual host in AWS (that is, a virtual machine or server in the AWS infrastructure on which you run services or applications). See also EC2 Instance.
Instance Type: Specifies the required CPU and RAM for an instance. For more information on the instance types, see the AWS "Amazon EC2 Instance Types" documentation.
IOPS: Input/Output Operations Per Second
Mbps: Megabits per second or millions of bits per second. It measures bandwidth on a digital data transmission medium such as optical fiber.
On-Premise: On-premise hosts are installed and run on computers on the premises (in the building) of the organization using the hosts, rather than in AWS.
PPS: Packets Per Second
RAM: Random Access Memory (also known as memory)
Security Group: Set of firewall rules. For more information and a comprehensive list of the ports you must set up for all NetWitness Platform components, see the "Network Architecture and Ports" documentation on RSA Link.
SSD: Solid-State Drive
Tag: A meaningful identifier for an AWS instance.
Tap Vendor: Network Tapping Vendor
vCPU: Virtual Central Processing Unit (also known as a virtual processor)
VM: Virtual Machine
VPC: Virtual Private Cloud
vRAM: Virtual Random Access Memory (also known as virtual memory)

AWS Deployment Scenarios

The following diagrams illustrate some common AWS deployment scenarios. In the diagrams, the:

  • GigaVUE Series (Gigamon Solution) is an agent-based solution that uses tunneling (implemented by the NetWitness Platform administrator) to facilitate packet data capture in AWS.
  • CloudLens (Ixia Solution) is an agent-based solution that uses Ixia clients and the CloudLens Docker installed on the Packet Decoder to facilitate packet data capture in AWS.
  • BIG-IP (F5 Solution) is a load balancing solution that uses a Packet Decoder acting as a sniffer (customized by the NetWitness Platform administrator) to facilitate packet capture in AWS.
  • VPC Traffic Mirroring is a cloud-based solution that uses the existing VPC's implementation to capture and inspect network traffic.
  • Decoder collects packet data. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 – 7.
  • Log Decoder collects logs. The Log Decoder collects log events from hundreds of devices and event sources.
  • Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while facilitating reporting and alerting.
  • Endpoint Log Hybrid collects endpoint data. The Endpoint Log Hybrid comprises Endpoint Server, Log Decoder, and Concentrator. Log Decoder captures data from the Endpoint Server and processes the metadata. For more information, see NetWitness Endpoint Configuration Guide.
  • NetWitness Server hosts Respond, Reporting, Investigate, Live Content Management, Administration and other aspects of the user interface.

Full NetWitness Platform Stack VPC Visibility

This diagram shows all NetWitness Platform components (full stack) deployed in AWS.

Detailed Full Stack AWS Deployment Diagram

Note: You can add multiple Endpoint Log Hybrids. For a consolidated view of the endpoint data on multiple Endpoint Log Hybrids you must install an Endpoint Broker.

Hybrid Deployment - Decoder and Log Decoder

This diagram shows the Decoder and Log Decoder deployed in AWS with all other NetWitness Platform components deployed on your premises.

Detailed Hybrid Stack AWS Deployment Diagram

Hybrid Deployment - Decoder, Log Decoder, and Concentrator

This diagram shows the Decoder, Log Decoder, and the Concentrator deployed in AWS with all other NetWitness Platform components deployed on your premises.

Detailed Hybrid Deployment of components


You need the following items before you begin the integration process:

  • Ixia account
  • Access to AWS console
  • Network routability (with the proper AWS Security Groups) for the containers to transfer data to the NetWitness Platform Decoder.

Supported Services

RSA provides the following NetWitness Platform services.

  • NetWitness Server
  • Admin Server
  • Archiver
  • Broker
  • Concentrator
  • Config Server
  • Event Stream Analysis
  • Investigate Server
  • Orchestration Server
  • Reporting Engine
  • Respond Server
  • Security Server
  • Log Decoder
  • Decoder
  • Remote Log Collector
  • Endpoint Server
  • User and Entity Behavior Analytics (UEBA)

