
Ensure VPC Flow Logging Rule

Check compliance for enabling VPC flow logging in all VPCs.

Rule: Ensure VPC flow logging is enabled in all VPCs
Framework: cis_v130
Severity: Medium

Ensure VPC Flow Logging is Enabled in All VPCs

VPC Flow Logging is an important feature within AWS, providing the ability to capture information about the IP traffic going to and from network interfaces in your VPC. Enabling this feature assists in the diagnosis of connectivity and security issues, and it is a recommendation from the Center for Internet Security (CIS) AWS Foundations Benchmark (cis_v130).

Understanding VPC Flow Logging

VPC Flow Logging captures network flow logs that can be used for:

  • Network monitoring
  • Forensics
  • Real-time security analysis
  • Compliance

Flow logs can be published to Amazon CloudWatch Logs or Amazon S3 where they can be retrieved and analyzed.

How to Enable VPC Flow Logging

Step 1: Verify Existing Flow Logs

Before enabling VPC Flow Logging, you should check whether flow logs are already enabled for your VPCs.

aws ec2 describe-flow-logs --filter "Name=resource-id,Values=vpc-xxxxxxx"

Replace vpc-xxxxxxx with your VPC ID. If the output contains no flow logs with FlowLogStatus "ACTIVE" for that VPC, flow logging is not enabled.

Step 2: Create a Flow Log

If flow logs are not enabled, you need to create them.

To CloudWatch Logs

aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-xxxxxxx --traffic-type ALL --log-group-name YourLogGroupName --deliver-logs-permission-arn arn:aws:iam::123456789012:role/publishFlowLogs
  • Replace vpc-xxxxxxx with your VPC ID.
  • Set YourLogGroupName to the name of your CloudWatch Logs log group.
  • Replace the publishFlowLogs role ARN with the ARN of the IAM role that has the necessary permissions to publish to CloudWatch Logs.

To Amazon S3

aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-xxxxxxx --traffic-type ALL --log-destination-type s3 --log-destination arn:aws:s3:::your-s3-bucket-name/prefix
  • Replace vpc-xxxxxxx with your VPC ID.
  • Replace your-s3-bucket-name/prefix with your S3 bucket name and an optional prefix; the full --log-destination value is the bucket ARN.
  • No --deliver-logs-permission-arn is passed here: for S3 destinations, delivery is authorized by the bucket policy granting the flow logs delivery service write access, not by an IAM role.

Step 3: Set Up Permissions

Ensure that the IAM role you are using to publish flow logs to CloudWatch Logs has the necessary permissions. The role needs a policy that allows it to create log groups and log streams and to put log events, and a trust policy that allows the VPC Flow Logs service principal (vpc-flow-logs.amazonaws.com) to assume it.

Step 4: Confirm Flow Log Creation

You can verify that the flow log has been successfully created and is in the "ACTIVE" state:

aws ec2 describe-flow-logs --flow-log-ids fl-xxxxxxxx

Replace fl-xxxxxxxx with the Flow Log ID returned when you created the flow log.

Troubleshooting

If Flow Logs Are Not Showing Data

  • Verify that the IAM role has the correct permissions.
  • Check the traffic-type filter (ACCEPT, REJECT or ALL); a REJECT-only flow log records nothing on a VPC whose traffic is all accepted.
  • Confirm that the log group in CloudWatch Logs or the S3 bucket exists and that the AWS region is correct.

If Unable to Create Flow Logs

  • Confirm that you have the necessary permissions to create flow logs.
  • Verify that the ARN for the log destination and IAM role are correct.

Automated Compliance Check

For an automated check, you can use AWS Config to ensure that VPC flow logs are enabled for all VPCs.

Using AWS Config, you can create a rule that checks for the compliance of your VPCs with regards to flow log activation.
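The evaluation such a rule performs, as an added example that is not part of this page or of Cloud Defense's tooling: it reads the JSON produced by `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` (constructed sample output is embedded; the VPC and flow log IDs are made up) and marks a VPC compliant only when a flow log attached to the VPC itself is ACTIVE, so that subnet-level or inactive flow logs do not pass.

```python
import json
import sys

# Constructed sample output in the shape of `aws ec2 describe-vpcs` and
# `aws ec2 describe-flow-logs` (not real account data).
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0a1b2c3d4e5f60001", "IsDefault": True},
    {"VpcId": "vpc-0a1b2c3d4e5f60002", "IsDefault": False},
    {"VpcId": "vpc-0a1b2c3d4e5f60003", "IsDefault": False},
]})
SAMPLE_FLOW_LOGS = json.dumps({"FlowLogs": [
    # VPC ...0001: ACTIVE log on the VPC itself, all traffic, to CloudWatch Logs.
    {"FlowLogId": "fl-0000000000000001", "ResourceId": "vpc-0a1b2c3d4e5f60001",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs"},
    # VPC ...0002: only a subnet-level log, which does not cover the whole VPC.
    {"FlowLogId": "fl-0000000000000002", "ResourceId": "subnet-0a1b2c3d4e5f60002",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL", "LogDestinationType": "s3"},
    # VPC ...0003: a log exists but is not ACTIVE, so nothing is being captured.
    {"FlowLogId": "fl-0000000000000003", "ResourceId": "vpc-0a1b2c3d4e5f60003",
     "FlowLogStatus": "INACTIVE", "TrafficType": "REJECT", "LogDestinationType": "s3"},
]})

def evaluate_vpc_flow_logs(vpcs_json, flow_logs_json):
    """Return {vpc_id: "COMPLIANT" | "NON_COMPLIANT"} for every VPC.
    A VPC passes only if some flow log is attached to the VPC itself
    (ResourceId "vpc-..."), not merely a subnet or ENI, and is ACTIVE."""
    vpc_ids = [v["VpcId"] for v in json.loads(vpcs_json)["Vpcs"]]
    active_vpc_logs = {
        fl["ResourceId"] for fl in json.loads(flow_logs_json)["FlowLogs"]
        if fl["ResourceId"].startswith("vpc-") and fl["FlowLogStatus"] == "ACTIVE"
    }
    return {vpc: "COMPLIANT" if vpc in active_vpc_logs else "NON_COMPLIANT"
            for vpc in vpc_ids}

def main():
    # Pass the two JSON files (describe-vpcs, describe-flow-logs) to evaluate
    # real output; with no arguments the constructed sample is evaluated.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            vpcs, logs = f1.read(), f2.read()
    else:
        vpcs, logs = SAMPLE_VPCS, SAMPLE_FLOW_LOGS
    results = evaluate_vpc_flow_logs(vpcs, logs)
    for vpc_id, status in sorted(results.items()):
        print(f"{vpc_id}\t{status}")
    return 1 if "NON_COMPLIANT" in results.values() else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it against real output by saving `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` to two files and passing their paths; a non-zero exit code means at least one VPC has no active VPC-level flow log.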

This step-by-step approach ensures the correct implementation of AWS VPC Flow Logs and adherence to the CIS AWS Foundations Benchmark. By maintaining VPC Flow Logging, you not only strengthen your AWS environment's security posture but also align with best practices that significantly improve incident response and compliance auditing.
