I've set up Suricata (similar to snort in many ways) on AWS, and it was a pretty horrible process.
Basically what you need to do is set up VPC-Mirroring on every single interface in that VPC and send all the traffic to an endpoint attached to your snort server.
https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-tra...
It's a ton of work, and is quite expensive, since you're paying per interface + per traffic.
A better way to handle it (imo) is to just enable VPC flow logging and pull the cloudwatch stream into your SIEM. Suricata/snort isn't that useful for threat detection anymore (thanks to HTTPS), so the important data to capture is just firewall logs.
You can still have suricata/snort, but you have to be more selective with it.
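The flow-log approach the comment above recommends boils down to parsing the default VPC Flow Log record format and running cheap aggregations over it in the SIEM. The following is an added example, not code from the commenter or from AWS: a small parser for the default (version 2) record format plus two detections a SIEM rule might express, a REJECT-based port-scan heuristic and a per-ENI reject ratio. The field order is the documented default format; the sample records, the ENI ids and account id, and the `min_ports` threshold are all constructed for illustration.

```python
"""Toy SIEM-style detections over AWS VPC Flow Log records.

Added example, not from the thread. Assumes the default VPC Flow Log
(version 2) field order, delivered as plain text lines such as those read
from a CloudWatch Logs stream. Sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Field order of the default VPC Flow Log format (version 2).
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str  # "ACCEPT" or "REJECT"


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line. Returns None for malformed lines and
    for NODATA/SKIPDATA records, whose address and port fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    try:
        return FlowRecord(
            interface_id=rec["interface_id"],
            srcaddr=rec["srcaddr"],
            dstaddr=rec["dstaddr"],
            srcport=int(rec["srcport"]),
            dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]),
            packets=int(rec["packets"]),
            byte_count=int(rec["bytes"]),
            action=rec["action"],
        )
    except ValueError:
        return None


def parse_records(lines: Iterable[str]) -> List[FlowRecord]:
    """Parse a batch of lines, silently dropping what parse_record rejects."""
    return [r for r in (parse_record(ln) for ln in lines) if r is not None]


def detect_port_scans(records: Iterable[FlowRecord], min_ports: int = 5) -> List[Tuple[str, str, int]]:
    """Flag (src, dst, n_ports) pairs where one source was REJECTed on at
    least `min_ports` distinct destination ports of one host. A simple
    scan heuristic; the threshold is a constructed example value."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[(r.srcaddr, r.dstaddr)].add(r.dstport)
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def reject_ratio_by_interface(records: Iterable[FlowRecord]) -> Dict[str, float]:
    """Share of REJECTed flows per ENI; a sudden jump is a cheap alert signal
    that a security group or NACL is suddenly dropping a lot of traffic."""
    total: Dict[str, int] = defaultdict(int)
    rejected: Dict[str, int] = defaultdict(int)
    for r in records:
        total[r.interface_id] += 1
        if r.action == "REJECT":
            rejected[r.interface_id] += 1
    return {eni: rejected[eni] / total[eni] for eni in total}


# Constructed sample records (not real traffic): one source probing five
# ports on 10.0.1.5, one normal HTTPS flow each way, a NODATA record and a
# malformed line.
SAMPLE_LINES = [
    "2 123456789012 eni-0aaa0000 198.51.100.7 10.0.1.5 41000 22 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0aaa0000 198.51.100.7 10.0.1.5 41001 23 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0aaa0000 198.51.100.7 10.0.1.5 41002 80 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0aaa0000 198.51.100.7 10.0.1.5 41003 443 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0aaa0000 198.51.100.7 10.0.1.5 41004 3389 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0aaa0000 10.0.1.5 10.0.2.9 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0bbb0000 10.0.2.9 10.0.1.5 443 51000 6 18 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0bbb0000 - - - - - - - 1700000000 1700000060 - NODATA",
    "this is not a flow log record",
]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    print("parsed records:", len(recs))
    print("port-scan candidates:", detect_port_scans(recs))
    print("reject ratio per ENI:", reject_ratio_by_interface(recs))
```

In a real pipeline the lines would come from the CloudWatch Logs subscription (or S3 delivery) rather than a literal list, and the thresholds would be tuned per VPC; the point is that these aggregations need no packet payload, which is why flow logs stay useful where HTTPS makes signature IDS much less so.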
I'd say just spin up a Security Onion stack. It's essentially a "SOC-in-a-box". I had a proof-of-concept machine spun up and generating alerts off of replayed PCAPs in a day.
AWS is a totally different beast and you'll have other useful tools in the stack there. CloudTrail, GuardDuty, VPCs, proper least privilege and IAM rules, etc. What are you looking for in a snort alternative? It is the open source standard; though you might also look at Suricata. Perhaps a whole security stack like Security Onion which incorporates snort and a lot of other tools. Might be overkill for what you want though.