Fangorn Coral Collector Deployment
Deployed security log collectors on 350,000+ hosts across all AWS regions, achieving 97% security coverage with <1% CPU impact.

The Challenge
Amazon Security's Fangorn program needed to deploy coral collectors on hosts across AWS to send security logs into Basin for threat detection and security analytics. However, service owners were extremely concerned about performance impact on production systems. The challenge was achieving comprehensive security coverage—97%+ of AWS traffic—without degrading host performance, particularly for AWS's largest services and highest-risk data intersection points like Route 53, S3, and DynamoDB.
My Approach
Developed criteria for identifying in-scope services based on data sensitivity, risk reduction potential, and customer impact, identifying 300+ services with a focus on critical data intersection points. Designed and executed comprehensive performance testing that monitored CPU usage (typically <1% utilization) and memory usage, and identified and mitigated the risk of log backlog in host memory if downstream services became unavailable. Overcame major pushback from service owners by presenting extensive test data proving collectors would never affect hosts, showing multiple sources of host performance data under load. Partnered with the CloudWatch team to establish a monitoring and validation framework.
Key Deliverables
Identified and prioritized 300+ in-scope services based on risk criteria
Executed comprehensive performance testing proving <1% CPU impact
Negotiated deployment approval with skeptical service owners through data-driven approach
Partnered with CloudWatch to establish monitoring framework
Created reusable pattern for deploying security instrumentation on production systems
Related Projects
Basin: Amazon Security's Data Lake
Platform processing 9PB daily from 350,000+ sources supporting ML workloads and security analytics across AWS.
AIP: Alias Investigation Platform
Built centralized IP investigation and insider risk platform serving 400+ weekly investigators tracking 1M+ employee aliases with EU privacy compliance.