
Rule: VPC Flow Logs should be enabled

This rule checks that every VPC has an active flow log capturing all traffic, so that network activity is recorded for monitoring, investigation and audit.

Rule: VPC flow logs should be enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description:

Enabling VPC flow logs is a basic step toward meeting the Detect function of the NIST Cybersecurity Framework (CSF) v1.1 in an AWS Virtual Private Cloud (VPC). A flow log records metadata about the IP traffic that reaches or leaves the network interfaces in the VPC (source and destination addresses and ports, protocol, packet and byte counts, and whether the security group or network ACL accepted or rejected the flow); it does not capture packet payloads. With flow logs delivered to CloudWatch Logs you can detect suspicious activity such as rejected connection attempts, port scans and unexpected outbound traffic, troubleshoot connectivity problems, and produce evidence for compliance audits. Without them there is no record of what talked to what inside the VPC.

Troubleshooting Steps (if applicable):

If creating the flow log fails, or it is created but nothing appears in the log group, check the following:

  1. Verify the IAM permissions on both sides. The principal running the create call needs ec2:CreateFlowLogs and iam:PassRole for the delivery role. The delivery role itself needs a permission policy granting logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams, and a trust policy that allows the vpc-flow-logs.amazonaws.com service to assume it. A role that is missing any of these produces a flow log whose DeliverLogsStatus is FAILED (typically with the error message "Access error") in the describe-flow-logs output.

  2. Confirm the correct resource and scope. A flow log can be attached to a VPC, a subnet or a single network interface; this rule requires a log attached at the VPC level, which covers every interface in the VPC. Subnet- or interface-level logs cover only part of the traffic and do not satisfy the rule. Also confirm that the traffic type is ALL rather than ACCEPT or REJECT only.

Necessary Codes (if applicable):

Here are the necessary commands to enable VPC flow logs for NIST Cybersecurity Framework (CSF) v1.1:

  1. The following CLI command enables a VPC-level flow log that captures all traffic and delivers it to CloudWatch Logs:

    aws ec2 create-flow-logs --resource-ids <VPC_ID> --resource-type VPC --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <LOG_GROUP_NAME> --deliver-logs-permission-arn <PERMISSION_ARN>

    Replace <VPC_ID> with the ID of the VPC to monitor, <LOG_GROUP_NAME> with the CloudWatch Logs group that should receive the records (the delivery role creates it if it does not exist, provided the role has logs:CreateLogGroup), and <PERMISSION_ARN> with the ARN of the IAM role that the flow logs service assumes to write to CloudWatch Logs. Records are aggregated over a 10 minute window by default; add --max-aggregation-interval 60 if you want one-minute granularity for detection. After the command returns, confirm the result with describe-flow-logs and check that FlowLogStatus is ACTIVE and DeliverLogsStatus is not FAILED.

  2. Alternatively, you can use the AWS Management Console or the AWS SDKs (for example the EC2 client's create_flow_logs call in boto3) to enable VPC flow logs.
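The following script is an added example (not Cloud Defense's own tooling) that turns the troubleshooting checks above and the rule itself into an offline audit. It consumes the JSON shapes returned by `aws ec2 describe-vpcs`, `aws ec2 describe-flow-logs`, `aws iam get-role-policy` and the trust policy from `aws iam get-role`, flags VPCs without an ACTIVE, ALL-traffic flow log that is delivering successfully, and reports which of the required logs:* actions a delivery role's policy fails to grant. All sample documents are constructed for illustration; the VPC and flow log IDs are not real.

```python
"""Offline checks for the "VPC flow logs should be enabled" rule.

Added example; not Cloud Defense's own code. Consumes the JSON shapes of
`aws ec2 describe-vpcs`, `aws ec2 describe-flow-logs` and IAM policy
documents, so real CLI output can be piped through it. The sample
documents at the bottom are constructed.
"""
import fnmatch
import json

# Actions the delivery role needs for a CloudWatch Logs destination.
REQUIRED_LOG_ACTIONS = {
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
}
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def vpc_findings(vpcs_doc, flow_logs_doc):
    """Map each non-compliant VPC ID to the reason it fails the rule.

    A VPC passes only if at least one flow log attached to the VPC itself is
    ACTIVE, captures ALL traffic and is not reporting delivery failures.
    Subnet- or ENI-level logs are ignored: they cover only part of the VPC.
    """
    by_vpc = {}
    for fl in flow_logs_doc.get("FlowLogs", []):
        by_vpc.setdefault(fl.get("ResourceId"), []).append(fl)

    findings = {}
    for vpc in vpcs_doc.get("Vpcs", []):
        vpc_id = vpc["VpcId"]
        logs = by_vpc.get(vpc_id, [])
        if not logs:
            findings[vpc_id] = "no flow log attached to the VPC"
            continue
        reasons = []
        for fl in logs:
            fid = fl.get("FlowLogId", "?")
            if fl.get("FlowLogStatus") != "ACTIVE":
                reasons.append(f"{fid} status is {fl.get('FlowLogStatus')}")
            elif fl.get("TrafficType") != "ALL":
                reasons.append(f"{fid} captures {fl.get('TrafficType')} only")
            elif fl.get("DeliverLogsStatus") == "FAILED":
                err = fl.get("DeliverLogsErrorMessage", "unknown error")
                reasons.append(f"{fid} delivery failed: {err}")
            else:
                break  # one compliant log is enough
        else:  # no break: every log on this VPC had a problem
            findings[vpc_id] = "; ".join(reasons)
    return findings


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statements(policy_doc):
    st = policy_doc.get("Statement", [])
    return [st] if isinstance(st, dict) else list(st)


def missing_role_actions(policy_doc):
    """Required logs:* actions that an IAM permission policy does not grant.

    IAM action names are case-insensitive and may contain wildcards such as
    logs:Describe* or logs:*, so each required action is matched with fnmatch.
    """
    granted = []
    for st in _statements(policy_doc):
        if st.get("Effect") == "Allow":
            granted.extend(_as_list(st.get("Action")))
    return {a for a in REQUIRED_LOG_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in granted)}


def trust_allows_flow_logs(trust_doc):
    """True if the trust policy lets vpc-flow-logs.amazonaws.com assume the role."""
    for st in _statements(trust_doc):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        if (st.get("Effect") == "Allow" and FLOW_LOGS_SERVICE in services
                and any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)):
            return True
    return False


# ---- Constructed sample documents (not real account data) ----
SAMPLE_VPCS = {"Vpcs": [{"VpcId": v} for v in ("vpc-0a", "vpc-0b", "vpc-0c", "vpc-0d")]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0a", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "vpc-flow-logs", "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-0bbb", "ResourceId": "vpc-0b", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "vpc-flow-logs", "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-0ccc", "ResourceId": "vpc-0c", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "vpc-flow-logs", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error"},
    # vpc-0d has no flow log at all
]}
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:Describe*"]}]}
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "vpc-flow-logs.amazonaws.com"}}]}

if __name__ == "__main__":
    print(json.dumps({
        "non_compliant_vpcs": vpc_findings(SAMPLE_VPCS, SAMPLE_FLOW_LOGS),
        "role_missing_actions": sorted(missing_role_actions(SAMPLE_ROLE_POLICY)),
        "trust_ok": trust_allows_flow_logs(SAMPLE_TRUST_POLICY),
    }, indent=2))
```

To run it against a real account, save the output of `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` to files, load them with json.load and pass them to vpc_findings; pass the PolicyDocument from `aws iam get-role-policy` to missing_role_actions and the AssumeRolePolicyDocument from `aws iam get-role` to trust_allows_flow_logs. On the constructed sample, vpc-0b fails because it only logs rejected traffic, vpc-0c fails because delivery is failing (the "Access error" that an under-privileged role produces), vpc-0d has no log, and the sample role policy is missing logs:PutLogEvents.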

Step-by-Step Guide for Remediation:

Follow these steps to enable VPC flow logs for NIST Cybersecurity Framework (CSF) v1.1:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon VPC service.
  3. Select the VPC for which you want to enable flow logs.
  4. Open the "Flow Logs" tab for that VPC.
  5. Click "Create flow log".
  6. The selected VPC is already filled in as the resource; leave the resource type as VPC so that the log covers every network interface in it.
  7. Under "Filter", choose "All" so that both accepted and rejected traffic is captured.
  8. Choose "Send to CloudWatch Logs" as the destination and specify the log group that will store the flow logs.
  9. Select the IAM role that the flow logs service will assume to write to the log group. It must grant the logs permissions listed in the troubleshooting section and trust vpc-flow-logs.amazonaws.com.
  10. Click "Create flow log".
  11. Records arrive only after the first aggregation interval (10 minutes by default, or 1 minute if you selected it), so wait at least that long before expecting data. If the flow log shows a delivery error, check the IAM role.
  12. You can then query the flow logs in the specified CloudWatch Logs group, for example with CloudWatch Logs Insights.

By completing these steps, you have enabled VPC flow logs for NIST Cybersecurity Framework (CSF) v1.1 in your AWS VPC environment. This gives you a record of network traffic to monitor and investigate, and improves your overall security posture.
