VPC flow logging should be enabled
Description
AWS VPC Flow Logs provide visibility into the network traffic that traverses an AWS VPC. The flow logs can be used to detect anomalous traffic or to gain insight during security workflows such as investigations.
Remediation Steps
AWS Console
Navigate to VPC.
Select the desired VPC and select the Flow Logs tab.
Click the Create flow log button.
From the Filter drop-down, select Reject.
Select Send to CloudWatch Logs.
In Destination log group, enter a name or select an existing log group.
For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs.
Click Create.
AWS CLI
To enable VPC flow logging:
aws ec2 create-flow-logs --resource-type VPC --resource-ids [resourceIDs] --traffic-type ALL --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws:iam::123456789101:role/publishFlowLogs
CloudFormation
JSON
Ensure that an AWS::EC2::VPC is referenced in the ResourceId field of an AWS::EC2::FlowLog:
{
  "Properties": {
    "ResourceId": { "Ref": "ValidVpc" }
  }
}
JSON Example Configuration
{
  "ValidVpc": {
    "Type": "AWS::EC2::VPC",
    "Properties": {
      "CidrBlock": "10.0.0.0/16"
      # other required fields here
    }
  },
  "ValidVpcFlowLog": {
    "Type": "AWS::EC2::FlowLog",
    "Properties": {
      "ResourceId": { "Ref": "ValidVpc" }
      # other required fields here
    }
  }
}
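As an added check, not part of the original page, the rule stated above for JSON templates (every AWS::EC2::VPC must be the ResourceId of an AWS::EC2::FlowLog) implemented over a parsed template. The template in the block is constructed sample input, and the additional requirement that the flow log's ResourceType be VPC is an assumption layered on the page's rule, so that a subnet-level flow log is not mistaken for VPC coverage.

```python
import json

# Constructed sample template (not from the page): one VPC with a flow log,
# one without, and a subnet-level flow log that must not count as VPC coverage.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LoggedVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "SilentVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}},
        "AppSubnet": {"Type": "AWS::EC2::Subnet",
                      "Properties": {"VpcId": {"Ref": "SilentVpc"}, "CidrBlock": "10.1.1.0/24"}},
        "LoggedVpcFlowLog": {
            "Type": "AWS::EC2::FlowLog",
            "Properties": {
                "ResourceType": "VPC",
                "ResourceId": {"Ref": "LoggedVpc"},
                "TrafficType": "ALL",
                "LogGroupName": "my-flow-logs",
                "DeliverLogsPermissionArn": "arn:aws:iam::123456789101:role/publishFlowLogs",
            },
        },
        "AppSubnetFlowLog": {
            "Type": "AWS::EC2::FlowLog",
            "Properties": {"ResourceType": "Subnet", "ResourceId": {"Ref": "AppSubnet"},
                           "TrafficType": "REJECT"},
        },
    }
})


def flow_logged_vpcs(resources):
    """Logical IDs named by the Ref in ResourceId of every AWS::EC2::FlowLog whose
    ResourceType is VPC (assumed requirement; subnet/ENI flow logs are ignored)."""
    logged = set()
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::EC2::FlowLog" or props.get("ResourceType") != "VPC":
            continue
        target = props.get("ResourceId")
        if isinstance(target, dict) and "Ref" in target:  # a hard-coded vpc-... id is not a Ref
            logged.add(target["Ref"])
    return logged


def vpcs_without_flow_logs(template_text):
    """Sorted logical IDs of AWS::EC2::VPC resources that fail the rule."""
    resources = json.loads(template_text).get("Resources", {})
    logged = flow_logged_vpcs(resources)
    return sorted(name for name, res in resources.items()
                  if res.get("Type") == "AWS::EC2::VPC" and name not in logged)
```

Running `vpcs_without_flow_logs(SAMPLE_TEMPLATE)` reports only SilentVpc: the subnet flow log attached to its subnet does not satisfy the VPC-level rule.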
YAML
Ensure that an AWS::EC2::VPC is referenced in the ResourceId field of an AWS::EC2::FlowLog:
Properties:
  ResourceId: !Ref ValidVpc
YAML Example Configuration
ValidVpc:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: '10.0.0.0/16'
    # other required fields here
ValidVpcFlowLog:
  Type: AWS::EC2::FlowLog
  Properties:
    ResourceId: !Ref ValidVpc
    # other required fields here
Terraform
Ensure that the aws_vpc is referenced in the vpc_id field of an aws_flow_log.
Example Configuration
resource "aws_vpc" "valid_vpc" {
  # other required fields here
}

resource "aws_flow_log" "test_flow_log" {
  vpc_id = aws_vpc.valid_vpc.id
  # other required fields here
}