I need to deploy some file integrity monitoring and intrusion detections software on AWS instances.

I really wanted to use OSSEC, however it does not work well in an environment where servers can auto deploy and shut down based on load, because it requires server managed keys to be generated. Including the agent in the AMI will not allow monitoring as soon as it comes up because of that.

There are many options out there, and several are listed in other posts on this site, however none that I've seen so far deal with the unique problems inherent in AWS or cloud based deployments in general.

Can anyone point me at some products, preferably open source, that we might use to cover those portions of PCI DSS that require this software?

Has anyone else achieved this on AWS?