CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured


CloudWatch metric filters and alarms should be configured to alert users to rejected connections in VPC flow logs so users can investigate anomalous traffic.

Console Remediation Steps

  • Navigate to VPC.

  • Click VPCs and select the desired VPC.

  • From the Actions drop-down, select Create flow log.

  • In the Filter drop-down, select Reject.

  • In Destination, select Send to CloudWatch Logs.

  • In Destination log group, enter a new for the log group in CloudWatch Logs to which the flow logs are to be published.

  • In IAM role, select the name of the IAM role that has permissions to publish logs to CloudWatch Logs.

  • Click Create.

  • Navigate to CloudWatch.

  • Click Logs.

  • In the navigation pane, choose Logs, select the flow log group for your flow log, and then choose Create Metric Filter.

  • In Filter Pattern, type REJECT with no quotes.

  • Click Assign Metric.

  • Provide a Metric Name and click Create Filter.

  • Navigate to CloudWatch.

  • Click Logs.

  • On the line of the log group you created the filter on, click the filter link in the Metric Filters column.

  • Click Create Alarm, give it a name, choose an SNS Topic to send the alert to, and then click Create Alarm again.

CLI Remediation Steps

  • Create the flow log for the VPC:

    • aws ec2 create-flow-logs --resource-type <value> --resource-ids <vpc id> --traffic-type REJECT --log-group-name <name> --deliver-logs-permission-arn <role arn>

  • Create the metric filter for the VPC flow logs:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern 'REJECT' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>, metricValue=1,defaultValue=0

  • Create the alarm for the VPC flow logs:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>