
Enable VPC Flow Logs Rule

This rule ensures VPC flow logs are enabled to enhance security and monitoring within the system.

Rule: VPC flow logs should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule: VPC Flow Logs for NIST 800-171 Revision 2

Description:

Enabling VPC flow logs is a security measure that helps organizations adhere to the security guidelines set by NIST (National Institute of Standards and Technology) in 800-171 Revision 2. VPC flow logs provide detailed information about the traffic flowing within your Virtual Private Cloud (VPC), including the source and destination IP addresses, ports, protocols, and packet counts. By enabling VPC flow logs, you can monitor network traffic, detect potential security issues, and meet the requirements of NIST 800-171 Revision 2.

Troubleshooting Steps:

If you encounter any issues while enabling VPC flow logs, follow these troubleshooting steps:

  1. Verify the appropriate IAM permissions: Ensure that you have the necessary permissions to enable VPC flow logs. You should have the ec2:CreateFlowLogs permission.

  2. Ensure the correct VPC: Confirm that you are trying to enable flow logs for the correct VPC. Use the VPC ID or VPC name to identify the correct VPC.

  3. Check network ACLs: Make sure that the network access control lists (ACLs) associated with your VPC allow the necessary ingress and egress traffic for flow logs. Check if there are any explicit deny rules in the network ACLs.

  4. Verify the flow log configuration: Double-check the flow log configuration for the chosen VPC. Ensure that you have specified the correct traffic filters and logging destination (Amazon S3 bucket or CloudWatch Logs group).

  5. Check for resource limits: If you have reached the resource limits for VPC flow logs, you may encounter issues enabling them. Ensure you haven't exceeded the limits imposed by AWS.

  6. Review CloudTrail logs: If you have enabled AWS CloudTrail, review the logs for any potential errors related to VPC flow logs. CloudTrail logs can provide insights into the steps performed and any issues encountered.

Necessary Codes:

The following command enables VPC flow logs for all traffic, delivered to a CloudWatch Logs group, using the AWS Command Line Interface (CLI). The --resource-type parameter is required by create-flow-logs, and --deliver-logs-permission-arn is the IAM role the flow logs service assumes to publish to CloudWatch Logs:

aws ec2 create-flow-logs --resource-type VPC --resource-ids <VPC_ID> --traffic-type ALL --log-group-name <LOG_GROUP_NAME> --deliver-logs-permission-arn <LOGS_PERMISSION_ARN>

Step-by-Step Guide for Remediation:

Follow these steps to enable VPC flow logs for NIST 800-171 Revision 2 using the AWS Management Console:

  1. Sign in to the AWS Management Console.
  2. Open the Amazon VPC service.
  3. From the sidebar, click on "Your VPCs."
  4. Identify and select the VPC for which you want to enable flow logs.
  5. From the "Actions" dropdown menu, choose "Create flow log."
  6. Configure the following settings:
    • For "Filter," select "All."
    • For "Destination," choose either "CloudWatch Logs" or "S3 bucket." Provide the necessary details accordingly.
    • For IAM role, select an existing IAM role that has permissions to publish logs to CloudWatch Logs or put objects in the S3 bucket.
    • (Optional) Provide a "Log format" if required.
  7. Click on "Create flow log."
  8. Wait for the flow logs to be created. This process may take a few minutes.
  9. Validate that the flow logs are enabled by checking the status of the flow log for the selected VPC. The status should be "Active".
  10. Ensure that the VPC flow logs are being delivered correctly to the chosen destination (CloudWatch Logs or S3 bucket) and can be accessed for monitoring and analysis.

By following these steps, you can successfully enable VPC flow logs for NIST 800-171 Revision 2 and meet the necessary compliance requirements.
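The validation in step 9 and the CLI command under "Necessary Codes" can both be automated. The script below is an added example written for this page; it is not CloudDefense or AWS code. It evaluates the rule the way a practitioner would want it evaluated: a VPC only counts as covered when a flow log is attached to the VPC itself (not just to a subnet or network interface inside it), its status is ACTIVE, and, following the "All" filter chosen above, its traffic type is ALL. It then offers a boto3 remediation equivalent to the CLI command. All VPC IDs, flow log IDs, the log group name and the role ARN are constructed sample values; the FakeEC2 class is an offline stand-in for the boto3 client so the audit-remediate-audit loop runs without AWS credentials.

```python
"""Audit and remediate VPC flow-log coverage (added example, not CloudDefense or AWS code)."""
from __future__ import annotations

import itertools
from typing import Iterable

# Constructed sample of the fields this check reads from describe-vpcs /
# describe-flow-logs. None of these IDs or ARNs refer to real resources.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0000000000000001"},  # compliant: ACTIVE flow log, TrafficType ALL
    {"VpcId": "vpc-0000000000000002"},  # non-compliant: no VPC-level flow log at all
    {"VpcId": "vpc-0000000000000003"},  # non-compliant: flow log captures only REJECT
    {"VpcId": "vpc-0000000000000004"},  # non-compliant: flow log status is not ACTIVE
]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0000000000000001", "ResourceId": "vpc-0000000000000001",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flow-logs"},
    {"FlowLogId": "fl-0000000000000003", "ResourceId": "vpc-0000000000000003",
     "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-flow-log-bucket"},
    {"FlowLogId": "fl-0000000000000004", "ResourceId": "vpc-0000000000000004",
     "FlowLogStatus": "INACTIVE", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flow-logs"},
    # Attached to a subnet inside vpc-...0002: it does not satisfy a VPC-level rule.
    {"FlowLogId": "fl-0000000000000002", "ResourceId": "subnet-0000000000000002",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-flow-log-bucket"},
]


def vpc_has_active_flow_log(vpc_id: str, flow_logs: Iterable[dict], require_all: bool = True) -> bool:
    """True if a flow log is attached to this VPC itself, is ACTIVE and (by default) captures ALL traffic."""
    for fl in flow_logs:
        if fl.get("ResourceId") != vpc_id:
            continue  # subnet- or ENI-level flow logs do not cover the whole VPC
        if fl.get("FlowLogStatus") != "ACTIVE":
            continue  # a flow log that exists but is not delivering does not count
        if require_all and fl.get("TrafficType") != "ALL":
            continue  # the remediation guidance above selects the "All" filter
        return True
    return False


def _collect(describe_call, key: str) -> list[dict]:
    """Follow NextToken pagination on an EC2 describe_* call and return every item under `key`."""
    items, token = [], None
    while True:
        resp = describe_call(NextToken=token) if token else describe_call()
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def audit_vpc_flow_logs(ec2, require_all: bool = True) -> list[str]:
    """Return the IDs of VPCs in this region that fail the 'VPC flow logs should be enabled' rule."""
    vpcs = _collect(ec2.describe_vpcs, "Vpcs")
    flow_logs = _collect(ec2.describe_flow_logs, "FlowLogs")
    return sorted(v["VpcId"] for v in vpcs
                  if not vpc_has_active_flow_log(v["VpcId"], flow_logs, require_all))


def enable_vpc_flow_log(ec2, vpc_id: str, log_group_name: str, delivery_role_arn: str) -> list[str]:
    """Create a VPC-level flow log for ALL traffic to CloudWatch Logs; the boto3 form of the CLI
    command on this page. The caller needs ec2:CreateFlowLogs and iam:PassRole on the delivery role."""
    resp = ec2.create_flow_logs(
        ResourceType="VPC", ResourceIds=[vpc_id], TrafficType="ALL",
        LogDestinationType="cloud-watch-logs", LogGroupName=log_group_name,
        DeliverLogsPermissionArn=delivery_role_arn,
    )
    if resp.get("Unsuccessful"):  # AWS reports per-resource failures here instead of raising
        raise RuntimeError(f"create_flow_logs failed for {vpc_id}: {resp['Unsuccessful']}")
    return resp["FlowLogIds"]


class FakeEC2:
    """Offline stand-in for a boto3 EC2 client, backed by the constructed sample above."""
    _ids = itertools.count(100)

    def __init__(self):
        self.vpcs = [dict(v) for v in SAMPLE_VPCS]
        self.flow_logs = [dict(f) for f in SAMPLE_FLOW_LOGS]

    def describe_vpcs(self, **_):
        return {"Vpcs": self.vpcs}

    def describe_flow_logs(self, **_):
        return {"FlowLogs": self.flow_logs}

    def create_flow_logs(self, **kw):
        fl_id = f"fl-{next(self._ids):016d}"
        self.flow_logs.append({"FlowLogId": fl_id, "ResourceId": kw["ResourceIds"][0],
                               "FlowLogStatus": "ACTIVE", "TrafficType": kw["TrafficType"],
                               "LogDestinationType": kw["LogDestinationType"],
                               "LogGroupName": kw["LogGroupName"]})
        return {"FlowLogIds": [fl_id], "Unsuccessful": []}


if __name__ == "__main__":
    try:
        import boto3  # real, read-only audit if boto3 and credentials are available
        ec2 = boto3.client("ec2")
    except Exception:  # boto3 missing, or no region/credentials configured: run offline
        ec2 = FakeEC2()
    for vpc_id in audit_vpc_flow_logs(ec2):
        print("non-compliant:", vpc_id)
```

Run as-is, the script only audits; remediation is a separate, explicit call to enable_vpc_flow_log so that nothing is changed in an account by accident. The check deliberately treats an INACTIVE flow log and a REJECT-only flow log as non-compliant, which is what catches the cases where step 9 above would show something other than "Active" or where the "All" filter was not chosen. Pass require_all=False if your policy accepts ACCEPT- or REJECT-only logs.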
