VPC flow logging should be enabled


AWS VPC Flow Logs record metadata about the network traffic that traverses a VPC. Flow logs can be used to detect anomalous traffic and to provide evidence during security investigations; a VPC without flow logging has no record of what reached or left its network interfaces.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • Select the desired VPC and select the Flow Logs tab.

  • Click the Create flow log button.

  • From the Filter drop-down, select Reject.

  • Select Send to CloudWatch Logs.

  • In Destination log group, enter a name or select an existing log group.

  • For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs.

  • Click Create.


AWS CLI

  • To enable VPC flow logging, run:

    aws ec2 create-flow-logs --resource-type VPC --resource-ids [resourceIDs] --traffic-type ALL --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws:iam::123456789101:role/publishFlowLogs
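Enabling a flow log is only half of the control; the other half is verifying that every VPC actually has one that is active and capturing the intended traffic. The following audit is an added example, not code from the original page: it evaluates the response shapes returned by boto3's describe_vpcs and describe_flow_logs, using constructed sample responses so it runs offline, and the required traffic type defaults to ALL (the value the CLI step above uses).

```python
# Added example: report VPCs that lack an active, delivering flow log.
# Works on the dict shapes returned by boto3 ec2.describe_vpcs() /
# ec2.describe_flow_logs(); the sample data below is constructed.

REQUIRED_TRAFFIC_TYPE = "ALL"  # assumption: the CLI step's value; the console step uses REJECT


def vpc_flow_log_findings(vpcs_response, flow_logs_response,
                          required_traffic_type=REQUIRED_TRAFFIC_TYPE):
    """Return {vpc_id: reason} for every VPC that fails the control.

    A VPC passes only if at least one of its flow logs is ACTIVE, is not
    reporting FAILED delivery, and captures required_traffic_type.
    """
    logs_by_vpc = {}
    for fl in flow_logs_response.get("FlowLogs", []):
        logs_by_vpc.setdefault(fl.get("ResourceId"), []).append(fl)

    findings = {}
    for vpc in vpcs_response.get("Vpcs", []):
        vpc_id = vpc["VpcId"]
        logs = logs_by_vpc.get(vpc_id, [])
        if not logs:
            findings[vpc_id] = "no flow log configured"
            continue
        healthy = [
            fl for fl in logs
            if fl.get("FlowLogStatus") == "ACTIVE"
            and fl.get("DeliverLogsStatus") != "FAILED"
            and fl.get("TrafficType") == required_traffic_type
        ]
        if not healthy:
            detail = ", ".join(
                f"{fl.get('FlowLogId')} status={fl.get('FlowLogStatus')} "
                f"delivery={fl.get('DeliverLogsStatus')} traffic={fl.get('TrafficType')}"
                for fl in logs)
            findings[vpc_id] = "flow log present but not acceptable: " + detail
    return findings


# Constructed sample responses (not real account data).
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1b2c3d4e5f60001"},
                        {"VpcId": "vpc-0a1b2c3d4e5f60002"},
                        {"VpcId": "vpc-0a1b2c3d4e5f60003"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0a1b2c3d4e5f60001", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS", "LogGroupName": "my-flow-logs"},
    {"FlowLogId": "fl-0bbb", "ResourceId": "vpc-0a1b2c3d4e5f60002", "TrafficType": "REJECT",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS", "LogGroupName": "my-flow-logs"},
]}

if __name__ == "__main__":
    for vpc_id, reason in vpc_flow_log_findings(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"FAIL {vpc_id}: {reason}")
```

Against a live account, feed the function the concatenated pages from ec2.get_paginator("describe_vpcs") and ec2.get_paginator("describe_flow_logs") rather than a single call, since both APIs paginate.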


Example Configuration

resource "aws_vpc" "valid_vpc" {
  # other required fields here
}

resource "aws_flow_log" "test_flow_log" {
  vpc_id       = aws_vpc.valid_vpc.id
  traffic_type = "ALL"   # required by aws_flow_log; ALL matches the CLI step above
  # other required fields here
}