VPC flow logs should be sent to CloudWatch logs

Description

When users enable AWS VPC Flow Logs and publish the flow log data to AWS CloudWatch Logs, they can retrieve and view the information about the IP traffic going to and from network interfaces in their VPC. The IP traffic history captured enables security analysis, resource change tracking, and compliance auditing.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select VPCs.

  • Select the desired VPC(s) and select Actions > Create flow log.

  • For Filter, specify the type of IP traffic data to log. Choose All to log accepted and rejected traffic, Rejected to record only rejected traffic, or Accepted to record only accepted traffic.

  • For Destination, choose Send to CloudWatch Logs.

  • For Destination log group, type the name of a log group in CloudWatch Logs to which the flow logs are to be published. If you specify the name of a log group that does not exist, AWS attempts to create the log group for you.

  • For IAM role, specify the name of the IAM role that has permissions to publish logs to CloudWatch Logs.

  • Click Create.

CLI Remediation Steps

  • Select a Cloudwatch Log Group for VPC Flow Logs or create one if necessary:

    • aws logs create-log-group --log-group-name <name>

  • Select an IAM role for publishing to Cloudwatch Logs or create one if necessary:

    • aws iam create-role --role-name <name> --assume-role-policy-document '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"Service":"vpc-flow-logs.amazonaws.com"},"Action":"sts:AssumeRole"}}'

    • aws iam create-policy --policy-name <name> --policy-document '{"Version":"2012-10-17","Statement":[{"Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:DescribeLogGroups","logs:DescribeLogStreams","logs:PutLogEvents"],"Effect":"Allow","Resource":"<log-group-arn>"}]}'

    • aws iam attach-role-policy --role-name <name> --policy-arn "<policy-arn>"

  • Forward VPC Flow Logs to Cloudwatch Logs:

    • aws ec2 create-flow-logs --resource-ids <vpc-id> --resource-type VPC --traffic-type ALL --log-destination-type cloud-watch-logs --deliver-logs-permission-arn "<role-arn>" --log-destination "<log-group-arn>"