Security analysts can now collect data quickly and flexibly with a new feature. Traffic Mirroring in AWS makes it possible to send traffic to a SIEM (such as Splunk) and analyze it there. It is aimed at cases when you need:
- to analyze the actual packets to perform a root-cause analysis on a performance issue,
- to reverse-engineer a sophisticated network attack,
- to detect and stop insider abuse or compromised workloads.
Traffic Mirroring helps single out users who display suspicious activity, such as access attempts from outside, DDoS attacks, scans or brute-force attempts, directly in the AWS environment, which saves time and lets you react to threats faster.