Ensure VPC Flow Logs are Enabled Rule
This rule ensures that VPC flow logs are enabled to enhance visibility and security.
| Rule | VPC flow logs should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule: VPC Flow Logs should be enabled for NIST 800-53 Rev. 5
Description:
VPC Flow Logs are a feature provided by AWS that capture information about the IP traffic going to and from network interfaces in your Virtual Private Cloud (VPC). Enabling VPC Flow Logs is essential to meet the security requirements outlined in the NIST 800-53 Revision 5 guidelines. By enabling the VPC Flow Logs, you can collect and analyze network flow data, allowing you to monitor and analyze network traffic for security and operational purposes.
Troubleshooting:
Issue 1: VPC Flow Logs are not enabled.
Remediation:
- 1.Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- 2.On the navigation pane, choose "Your VPCs".
- 3.Select the desired VPC for which you want to enable Flow Logs.
- 4.Choose the "Actions" dropdown menu, and then "Create Flow Log".
- 5.Configure the following settings:
- Set a unique name for the Flow Log.
- Choose the appropriate filter for the traffic that you want to capture (e.g., "All traffic", "Accepted traffic only").
- Select the target destination for the log data (e.g., CloudWatch Logs, Amazon S3).
- Optionally, specify the IAM role to be used for publishing logs to a destination.
- 6.Choose "Create" to enable the Flow Log.
Issue 2: VPC Flow Logs are not capturing all required traffic.
Remediation:
- 1.Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- 2.On the navigation pane, choose "Your VPCs".
- 3.Select the desired VPC with Flow Logs enabled.
- 4.Choose the "Flow Logs" tab.
- 5.Select the Flow Log for which you want to modify the traffic filter.
- 6.Choose "Edit".
- 7.Modify the filter settings as required to capture the necessary traffic.
- 8.Choose "Save" to apply the changes.
Additional Notes:
- Remember to assign an IAM role with appropriate permissions to the VPC Flow Logs to publish logs to a destination like CloudWatch Logs or Amazon S3.
- Ensure that your VPC's internet gateway, NAT gateway, or VPC peering connections are appropriately configured to capture all required network traffic.
Example CLI Commands:
- To enable VPC Flow Logs using the AWS CLI, run the following command:
aws ec2 create-flow-logs --resource-ids <vpc-id> --traffic-type all --log-destination-type <destination-type> --log-destination <destination>
- To modify the filter settings of an existing Flow Log, use the following command:
aws ec2 modify-flow-log --flow-log-id <flow-log-id> --traffic-type <traffic-type> --log-destination-type <destination-type> --log-destination <destination>