Ensure VPC Flow Logging Rule

This rule focuses on enabling VPC flow logging in all VPCs to enhance security measures.

Rule: Ensure VPC flow logging is enabled in all VPCs
Framework: cis_v150
Severity: High

Rule Description:

This rule, part of the cis_v150 framework, requires that VPC flow logging be enabled for every VPC in order to enhance security monitoring and compliance within an Amazon Web Services (AWS) infrastructure. VPC flow logging captures network traffic metadata (source, destination, ports, protocol, accept/reject decision), giving visibility into communication patterns and potential security threats.

Troubleshooting Steps:

If VPC flow logging is not enabled for a VPC, follow these troubleshooting steps:

  1. Check if the VPC Flow Logs feature is supported in your AWS region. Not all AWS regions support VPC Flow Logs. Refer to AWS documentation to confirm availability in your region.

  2. Verify that the VPC has a flow log configuration. Flow log configurations define the settings for capturing and storing flow log data. To check the configuration, navigate to the VPC management console, select the desired VPC, and verify that a flow log is associated with it. If not, proceed to the remediation steps.

  3. Check that the necessary IAM permissions for creating and writing logs to Amazon CloudWatch Logs are in place. Ensure that the appropriate IAM policy has been attached to the IAM role associated with the VPC's flow log. If required permissions are missing, modify the role or create a new one with the necessary permissions.

  4. Ensure that the subnet(s) associated with the VPC have an active flow log. Flow logs can be configured at the subnet level as well. Check the subnet configuration to confirm whether the flow log is enabled. If not, proceed with the required steps to enable flow log configuration.

Remediation Steps:

To enable VPC flow logging for all VPCs, follow these steps:

  1. Open the AWS Management Console and navigate to the Amazon VPC service.

  2. Select each VPC that does not have flow logs enabled.

  3. Click on the "Actions" button and select "Create Flow Log" from the dropdown menu.

  4. Configure the flow log settings:

    • Set a unique name for the flow log.
    • Choose the appropriate IAM role with necessary permissions to create and write logs to Amazon CloudWatch Logs.
    • Select the desired traffic type to log (e.g., ACCEPT, REJECT, ALL).
    • Specify the Amazon CloudWatch Logs group and stream names. If they don't exist, create them by clicking the "Create new CloudWatch Logs group/stream" option.
    • Select the log format (e.g., JSON, AWS VPC Flow Log format).

  5. Click on "Create Flow Log" to enable flow logs for the selected VPC.

  6. Repeat the above steps to enable flow logs for all VPCs that do not have it enabled.

Additional Notes:

  • Enabling VPC flow logs generates additional data, which may incur costs for Amazon CloudWatch Logs storage and data transfer.
  • Ensure that appropriate storage and retention settings are configured for the flow logs to comply with your organization's security and compliance requirements.
  • Regularly review and analyze the flow log data to identify any potential security issues or anomalies. Utilize AWS services like CloudWatch, AWS Lambda, or other security analysis tools for deeper insights.

Manual Script:

If you prefer using AWS CLI commands, follow the steps below:

  1. List all VPCs without a VPC-level flow log. describe-vpcs does not report flow logs, so list the VPC IDs and the resource IDs of existing flow logs separately and take the difference:
    aws ec2 describe-vpcs --query "Vpcs[].VpcId" --output text | tr '\t' '\n' | sort > all_vpcs.txt
    aws ec2 describe-flow-logs --query "FlowLogs[?starts_with(ResourceId, 'vpc-')].ResourceId" --output text | tr '\t' '\n' | sort -u > logged_vpcs.txt
    comm -23 all_vpcs.txt logged_vpcs.txt
  2. For each VPC ID returned from the above command, create the flow log. For a CloudWatch Logs destination the IAM role is passed with --deliver-logs-permission-arn and the destination with --log-group-name; log streams are created automatically, one per network interface, so no stream name is supplied:
    aws ec2 create-flow-logs --resource-ids VPC_ID --resource-type VPC --traffic-type ALL --log-destination-type cloud-watch-logs --deliver-logs-permission-arn ARN --log-group-name LOG_GROUP_NAME

Replace:

  • VPC_ID with the actual VPC ID.
  • ARN with the ARN of the IAM role permitting flow log creation and writing to Amazon CloudWatch Logs.
  • LOG_GROUP_NAME with the desired name for your CloudWatch Logs group.

  3. Repeat the above command for each VPC ID without flow logs.

Note: Ensure that the AWS CLI is configured with necessary permissions and credentials to perform the above commands.
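The check behind this rule, written out as an added example that is not part of this page or of any vendor's code: it evaluates the describe-vpcs and describe-flow-logs response shapes offline (the sample responses and IDs below are constructed), treats subnet-level logs and flow logs whose delivery is failing as non-compliant, and builds create_flow_logs arguments (boto3 parameter names) for VPCs that have no flow log at all.

```python
# Added example (not the page's or AWS's code): offline evaluation of the
# "flow logging enabled in all VPCs" check, plus remediation arguments.

# Constructed sample responses: one healthy VPC-level log, one subnet-level
# log only, and one VPC-level log whose delivery to CloudWatch is failing.
DESCRIBE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"},
                          {"VpcId": "vpc-0c3"}]}
DESCRIBE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-2", "ResourceId": "subnet-0b2", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0c3", "TrafficType": "REJECT",
     "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error"},
]}


def evaluate(vpcs_resp, flow_logs_resp, require_all_traffic=False):
    """Map every VpcId to 'PASS' or a 'FAIL: ...' reason."""
    logs_by_vpc = {}
    for fl in flow_logs_resp["FlowLogs"]:
        # Only VPC-level logs count: a subnet or ENI log leaves the rest uncovered.
        if fl["ResourceId"].startswith("vpc-"):
            logs_by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    findings = {}
    for vpc in vpcs_resp["Vpcs"]:
        vpc_id = vpc["VpcId"]
        logs = logs_by_vpc.get(vpc_id, [])
        healthy = [fl for fl in logs if fl.get("DeliverLogsStatus") == "SUCCESS"]
        if not logs:
            findings[vpc_id] = "FAIL: no VPC-level flow log"
        elif not healthy:
            # A flow log exists but nothing is delivered (typically the IAM role).
            errs = "; ".join(fl.get("DeliverLogsErrorMessage", "unknown") for fl in logs)
            findings[vpc_id] = f"FAIL: flow log delivery failing ({errs})"
        elif require_all_traffic and not any(fl["TrafficType"] == "ALL" for fl in healthy):
            findings[vpc_id] = "FAIL: no flow log capturing ALL traffic"
        else:
            findings[vpc_id] = "PASS"
    return findings


def remediation_args(findings, role_arn, log_group_name):
    """create_flow_logs kwargs for VPCs with no flow log at all; a failing
    delivery needs its role fixed rather than a second flow log."""
    return [{"ResourceIds": [vpc_id], "ResourceType": "VPC", "TrafficType": "ALL",
             "LogDestinationType": "cloud-watch-logs", "LogGroupName": log_group_name,
             "DeliverLogsPermissionArn": role_arn}
            for vpc_id, f in findings.items() if f == "FAIL: no VPC-level flow log"]
```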
