VPC flow logging should be enabled

Description

AWS VPC Flow Logs record the IP traffic that traverses a VPC. Security teams use them to detect anomalous traffic and to gain insight during investigations and other security workflows.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • Select the desired VPC and select the Flow Logs tab.

  • Click the Create flow log button.

  • From the Filter drop-down, select Reject.

  • Select Send to CloudWatch Logs.

  • In Destination log group, enter a name or select an existing log group.

  • For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs.

  • Click Create.

AWS CLI

  • To enable VPC flow logging:

    • aws ec2 create-flow-logs --resource-type VPC --resource-ids [resourceIDs] --traffic-type ALL --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws:iam::123456789101:role/publishFlowLogs
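The command above enables a flow log; the companion check a defender wants is an audit of which VPCs still lack one. The following is an added Python example, not part of the original page: it applies the policy to the `Vpcs` and `FlowLogs` response shapes of the EC2 `describe_vpcs` / `describe_flow_logs` APIs, and the sample data is constructed.

```python
"""Audit which VPCs have no ACTIVE flow log (added example, not from the
original page). A VPC passes only when a flow log in the ACTIVE state
targets the VPC itself; subnet- or ENI-level logs do not satisfy the
VPC-level policy. Sample data below is constructed."""
from typing import Dict, List


def vpcs_without_flow_logs(vpcs: List[Dict], flow_logs: List[Dict]) -> List[str]:
    """Return the sorted VPC IDs that lack an ACTIVE VPC-level flow log.

    `vpcs` is the "Vpcs" list from ec2.describe_vpcs; `flow_logs` is the
    "FlowLogs" list from ec2.describe_flow_logs. A log whose
    FlowLogStatus is not ACTIVE (e.g. FAILED) does not count as coverage.
    """
    covered = {
        fl["ResourceId"]
        for fl in flow_logs
        if fl.get("FlowLogStatus") == "ACTIVE"
    }
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def audit_region(region: str) -> List[str]:
    """Live variant: page through the EC2 API and apply the same check.
    Needs boto3 and AWS credentials; not exercised by the inline sample."""
    import boto3  # imported here so the pure check above runs offline

    ec2 = boto3.client("ec2", region_name=region)
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate()
            for v in page["Vpcs"]]
    flow_logs = [f for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for f in page["FlowLogs"]]
    return vpcs_without_flow_logs(vpcs, flow_logs)


# Constructed sample: three VPCs, one ACTIVE log, one FAILED log, one with none.
SAMPLE_VPCS = [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}, {"VpcId": "vpc-0c3"}]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0b2", "FlowLogStatus": "FAILED",
     "TrafficType": "REJECT"},
]

if __name__ == "__main__":
    for vpc_id in vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"FAIL: {vpc_id} has no active VPC flow log")
```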

CloudFormation

JSON

{
  "Properties": {
    "ResourceId": { "Ref": "ValidVpc" }
  }
}
JSON Example Configuration

{
  "ValidVpc": {
    "Type": "AWS::EC2::VPC",
    "Properties": {
      "CidrBlock": "10.0.0.0/16"
      # other required fields here
    }
  },
  "ValidVpcFlowLog": {
    "Type": "AWS::EC2::FlowLog",
    "Properties": {
      "ResourceId": { "Ref": "ValidVpc" }
      # other required fields here
    }
  }
}

YAML

Properties:
  ResourceId: !Ref ValidVpc
YAML Example Configuration

ValidVpc:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: '10.0.0.0/16'
    # other required fields here

ValidVpcFlowLog:
  Type: AWS::EC2::FlowLog
  Properties:
    ResourceId: !Ref ValidVpc
    # other required fields here

Terraform

Example Configuration

resource "aws_vpc" "valid_vpc" {
  # other required fields here
}

resource "aws_flow_log" "test_flow_log" {
  # Terraform 0.12+ syntax; the legacy "${...}" interpolation wrapper is not needed
  vpc_id = aws_vpc.valid_vpc.id
  # other required fields here
}