Deploying MISP to AWS: Updated 2025 Guide
It’s relatively easy to deploy a MISP instance to AWS for the purposes of your own testing and experimentation. We’ll cover how to do that here.However, when looking to deploy an AWS-hosted MISP instance for your organization’s SOC team there lots of important considerations to keep in mind. We’ll go over them in this guide.
Updated 10 June, 2025.
Can you deploy MISP to AWS?
Yes, you can absolutely deploy MISP to AWS. At Cosive, we use AWS to power our managed MISP platform, CloudMISP.
At minimum, MISP runs on Ubuntu Linux. For serious usage it requires a relational database and file storage for file attachments. These can be provisioned on AWS using services like EC2 (Ubuntu Linux instance), MariaDB (relational database) and EFS (file store).
You can deploy MISP on AWS using a traditional VM-based approach (e.g. EC2, RDS, EFS), or take a more contemporary approach using containers and orchestration platforms like ECS or EKS (Kubernetes). The right choice depends on your team’s skill set, compliance requirements, and preference for infrastructure-as-code versus manual configuration.
MISP is also available as a Docker image suitable for use with a container orchestration system like Kubernetes (check out our guide on deploying MISP on Kubernetes).
What should I consider when running a production MISP instance on AWS?
Although it’s relatively easy to get a test MISP instance up and running on an EC2 box, there are many more considerations that go into running a production MISP instance on AWS.
Often, MISP instances are used to store sensitive organisational data. Therefore, following best practices when setting up your MISP instance in the cloud is of the utmost importance.
1. Frequent MISP Upgrades
The MISP open source project employs a relatively aggressive release schedule, somewhere from 12-15 releases a year. These include security fixes, bug fixes, functional improvements, and feature additions.
While the MISP project always factors in backward compatibility for the large community using it, each new release potentially affects integration code relying on particular MISP behaviours.
When deploying MISP on AWS, you’ll need to develop a strategy for testing and applying new MISP releases. You may also want to configure a rollback strategy if any unexpected changes stem from the upgrade.
2. Network access control
You’ll likely want to restrict MISP web application server access on AWS to a nominated series of IP addresses or CIDR ranges. This allows for a range of on-premises and other cloud services (e.g. SaaS logging platforms, SIEMs) to gain network connectivity for integration with MISP.
3. Outbound HTTP request access
By necessity, MISP performs HTTP requests to fetch feeds, poll APIs, push to other MISP instances, and perform enrichments.
You will need to configure AWS to allow a set of outbound HTTP rules per your specifications. This may be as open or narrow as you wish, though we recommend being as specific as possible as an effective deny-by-default control.
4. Logging
From the ground up, all MISP and supplementary components provide logging and metrics streams. This provides metrics on performance, alert on application or component issues, and provide historical records of system activity for troubleshooting or incident response.
Logs can be written to AWS CloudWatch for log parsing, aggregation, analysis, and alerting. Please be mindful of the content of these logs and endeavour to make sure only operational information and not sensitive data are sent.
5. Backups and disaster recovery (DR)
MISP uses two main storage mechanisms for the data it holds: a relational database together with a filesystem for MISP file attachments.
You can use AWS RDS MariaDB for the relational database, and an EFS volume for file attachments. You should create backups using AWS Backup.
In the event a system restore is necessary, you will need to restore your MISP instance to the last backup.
6. Authentication and access management
Use AWS IAM roles and security groups to tightly control access to AWS infrastructure components. For MISP itself, consider integrating with enterprise authentication solutions (like Microsoft Entra ID or Okta) via SAML or LDAP. This avoids managing local user accounts and improves traceability of logins.
7. Encryption and certificate management
MISP should be run over HTTPS with a valid TLS certificate. On AWS, you can use ACM (AWS Certificate Manager) with Load Balancer integration, or manually install certificates using Let’s Encrypt. Also, ensure at-rest encryption is enabled for all storage: RDS, EFS, and any S3 buckets used for backups.
Securely deploying MISP on AWS can be a big undertaking.
We can handle deployment, monitoring and maintenance for you with CloudMISP, our managed MISP service.