AWS VPC Flow Logging Enabled
Last updated
Last updated
This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled.
Flow logs provide layer 3 network traffic telemetry to-and-from any resource within a VPC. This is considered a security best practice as it allows for the monitoring and detection of potentially malicious traffic.
Flow logs can be configured either on a single network interface, a subnet, or an entire VPC. Filters can also be used to limit the logs based on attributes, which in a busy production network is often necessary. Logs can be stored in either CloudWatch Logs or S3.
Remediation
Enable Flow Logging for the VPC failing this policy.
Enabling flow logging will generate additional CloudWatch events, which have an associated cost. There will be no impact to VPC usability or performance.
References
CIS AWS Benchmark 2.9: "Ensure VPC flow logging is enabled in all VPCs"
Risk
Remediation Effort
Medium
Low
Using the AWS Console
1. Navigate to the "Your VPCs" tab on the VPC Dashboard.
2. Select the VPC where flow logging is not enabled.
3. Select the Flow Logs tab.
4. Select the "Create flow log" button.
5. Set the filter to "Accept", "Reject", or "All" depending on the level of logging desired.
6. Set the destination log group to "default-vpc-flow-logs".
7. Select the IAM role to use for publishing flow logs (or create one with the Set Up Permissions link on the bottom).
6. Select the "Create" button.
Using the AWS CLI
1. To deliver Flow Logs to a CloudWatch Log Group, run the following command:
`aws ec2 create-flow-logs --traffic-type <ACCEPT
REJECT
ALL> --resource-type VPC --resource-ids --log-destination-type cloud-watch-logs --log-group-name "default-vpc-flow-logs" --deliver-logs-permission-arn `
2. Alternatively, to deliver Flow Logs to an S3 bucket, run the following command:
`aws ec2 create-flow-logs --traffic-type <ACCEPT
REJECT
ALL> --resource-type VPC --resource-ids --log-destination-type s3 --log-destination `
Aspect
Impact
AWS Cost
Dependent on scope, see the AWS documentation for details
VPC Performance
None
VPC Usability
None