Ensure VPC flow logging is enabled in all VPCs

VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in your VPC. After you create a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into the network traffic that traverses the VPC and can be used to detect anomalous traffic and to provide insight during security investigations.

Risk Level: Low
Cloud Entity: Amazon VPC
CloudGuard Rule ID: D9.AWS.LOG.22
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VPC should have hasFlowLogs=true

REMEDIATION

From Portal
Perform the following to determine whether VPC Flow Logs are enabled and, if not, to enable them.

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Select Services and open VPC dashboard.
  3. In the left navigation pane, select Your VPCs.
  4. Select a VPC and open the Flow Logs tab in the right pane.
  5. If no Flow Log exists, click Create Flow Log.
  6. Set Filter to Reject.
  7. Enter a Role and Destination Log Group.
  8. Click Create Flow Log.
  9. Click CloudWatch Logs Group.
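The same check as a script, for auditing every VPC in an account instead of opening them one by one in the console. This is an added example, not CloudGuard's GSL engine or any CloudGuard code; it takes dicts shaped like the EC2 DescribeVpcs and DescribeFlowLogs responses (the sample values here are constructed) and, as an assumption that goes slightly beyond the GSL line, counts only VPC-level flow logs whose status is ACTIVE.

```python
from collections import defaultdict

# Constructed sample responses, shaped like EC2 DescribeVpcs / DescribeFlowLogs
# output (not real account data): vpc-0aaa has an ACTIVE flow log, vpc-0bbb has
# one that never became ACTIVE, vpc-0ccc has none at all.
VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]}
FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs"},
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-0bbb", "FlowLogStatus": "INACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs"},
    {"FlowLogId": "fl-0003", "ResourceId": "subnet-0ddd", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3"},
]}


def flow_logs_by_vpc(flow_logs):
    """Group flow logs by the VPC they cover. Subnet- and ENI-level logs are
    ignored because the rule is about the VPC resource itself (assumption)."""
    grouped = defaultdict(list)
    for fl in flow_logs["FlowLogs"]:
        if fl["ResourceId"].startswith("vpc-"):
            grouped[fl["ResourceId"]].append(fl)
    return grouped


def evaluate(vpcs, flow_logs):
    """Return {vpc_id: (compliant, reason)}. A VPC passes only if at least one
    VPC-level flow log has FlowLogStatus ACTIVE; a log that exists but is not
    active gives no visibility, so it is reported with its own reason."""
    grouped = flow_logs_by_vpc(flow_logs)
    results = {}
    for vpc in vpcs["Vpcs"]:
        vpc_id = vpc["VpcId"]
        logs = grouped.get(vpc_id, [])
        if not logs:
            results[vpc_id] = (False, "no flow log")
        elif not any(fl["FlowLogStatus"] == "ACTIVE" for fl in logs):
            results[vpc_id] = (False, "flow log exists but none is ACTIVE")
        else:
            kinds = sorted({fl["TrafficType"] for fl in logs if fl["FlowLogStatus"] == "ACTIVE"})
            results[vpc_id] = (True, "active flow log, traffic_type=" + ",".join(kinds))
    return results


def non_compliant_vpcs(vpcs, flow_logs):
    """VPC ids that fail the rule, sorted for stable reporting."""
    return sorted(v for v, (ok, _) in evaluate(vpcs, flow_logs).items() if not ok)
```

Against a real account, pass the results of boto3's `ec2.describe_vpcs()` and `ec2.describe_flow_logs()` instead of the constructed samples, paginating on NextToken where the account is large.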

From TF

resource "aws_vpc" "main" {
	cidr_block = "10.0.0.0/16"
}

+ resource "aws_flow_log" "example" {
	+    iam_role_arn    = aws_iam_role.example.arn
	+    log_destination = aws_cloudwatch_log_group.example.arn
	+    traffic_type    = "ALL"
	+    vpc_id          = aws_vpc.example.id # *** can't be same VPC ***
+  }

+ resource "aws_flow_log" "example2" {
	+   iam_role_arn    = aws_iam_role.example.arn
	+   log_destination = aws_cloudwatch_log_group.example.arn
	+   traffic_type    = "ALL"
	+   vpc_id          = aws_vpc.example.id
+ }
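Review bot: both added resources set `vpc_id = aws_vpc.example.id`, but the only VPC declared above is `aws_vpc.main`, so this will not plan; use `vpc_id = aws_vpc.main.id`. The comment `# *** can't be same VPC ***` on the first block, together with a second block (`example2`) that is otherwise identical, suggests the two were meant to cover two different VPCs, so either point `example2` at a second VPC resource or drop it. `aws_iam_role.example` and `aws_cloudwatch_log_group.example` are also referenced but not declared here; the role needs a trust policy for `vpc-flow-logs.amazonaws.com` and permission to write to the log group, otherwise the flow log is created but delivery fails. `traffic_type = "ALL"` is fine and is a superset of the Reject filter used in the portal steps.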

References

  1. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  3. https://registry.terraform.io/providers/hashicorp/aws/3.1.0/docs/resources/flow_log
  4. https://workbench.cisecurity.org/benchmarks/679

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset