Ensure VPC flow logs are enabled to maintain high security standards.
| Rule | VPC flow logs should be enabled |
| --- | --- |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ High |
Rule Description:
Enabling VPC flow logs for NIST Cybersecurity Framework (CSF) v1 is crucial for enhancing security and compliance within your AWS Virtual Private Cloud (VPC) infrastructure. VPC flow logs capture information about the IP traffic flow in and out of your VPC, including source and destination IP addresses, ports, protocols, and packet counts. By enabling VPC flow logs, you can gain valuable insight into network traffic patterns, monitor and troubleshoot network connectivity, and detect potentially malicious activity within your VPC.
Troubleshooting Steps:
If you encounter any issues while enabling VPC flow logs for NIST CSF v1, follow the troubleshooting steps below:
1. Verify VPC Flow Logs Support: Ensure that flow logs are supported in the AWS Region where your VPC resides. Refer to the AWS documentation to confirm the availability of VPC flow logs in your desired Region.
2. Confirm IAM Permissions: Verify that your AWS Identity and Access Management (IAM) user or role has the necessary permissions to create and manage VPC flow logs. Specifically, ensure the user or role has the "ec2:CreateFlowLogs" and "ec2:DescribeFlowLogs" permissions.
3. Check Log Destination Permissions: Make sure that the destination where you intend to store the VPC flow logs (such as Amazon S3 or CloudWatch Logs) has the appropriate permissions. If writing to the destination fails, review the associated permissions and adjust them accordingly.
4. Review VPC Subnet Associations: Double-check that the VPC subnet(s) you want to monitor are covered by the flow log configuration. If a subnet is not covered, the flow log will not capture any traffic from that subnet.
5. Validate VPC Flow Log Configuration: Review the flow log configuration settings to ensure they match your requirements. Confirm the chosen log destination (e.g., CloudWatch Logs, Amazon S3), the log format options, and any additional flow log record fields that you want to include.
Necessary Code:
The following AWS CLI command demonstrates how to enable VPC flow logs for NIST CSF v1:

```bash
aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-group-name <log-group-name> --deliver-logs-permission-arn <permission-arn>
```

Make sure to replace `<vpc-id>` with the actual ID of your VPC, `<log-group-name>` with the desired name for the CloudWatch Logs group, and `<permission-arn>` with the ARN (Amazon Resource Name) of the IAM role or user that has the necessary permissions to deliver logs to CloudWatch Logs.
Step-by-Step Guide for Remediation:
Here's a step-by-step guide to enable VPC flow logs for NIST CSF v1 using the AWS Management Console:
Be sure to validate that the VPC flow logs were created successfully, and monitor the logs according to your needs to enhance security and compliance within your VPC infrastructure.
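To validate this rule across an account rather than one VPC at a time, the following Python script (an added example, not part of this page or of any vendor tool) evaluates `describe-vpcs` and `describe-flow-logs` output and flags every VPC that has no flow log, whose flow log is not ACTIVE (reporting the delivery error, which usually points at the log-destination permissions from the troubleshooting steps), or, optionally, that does not capture `ALL` traffic as the command above does. The sample responses and IDs are constructed; the `audit_live_account` helper assumes boto3 and AWS credentials are available.

```python
import json

# Constructed sample responses in the shape of `aws ec2 describe-vpcs` and
# `aws ec2 describe-flow-logs` output; the IDs are made up for this example.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"},
                        {"VpcId": "vpc-0c3"}, {"VpcId": "vpc-0d4"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0b2", "TrafficType": "REJECT",
     "FlowLogStatus": "ACTIVE", "LogDestinationType": "s3"},
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0c3", "TrafficType": "ALL",
     "FlowLogStatus": "INACTIVE", "LogDestinationType": "cloud-watch-logs",
     "DeliverLogsErrorMessage": "Access error"},
]}


def evaluate_vpc_flow_logs(vpcs, flow_logs, require_all_traffic=False):
    """Map each VPC ID to 'ok' or an 'alarm: ...' reason it fails the rule.

    A VPC passes when at least one flow log targets it (ResourceId == VpcId)
    and is ACTIVE; with require_all_traffic, one of those must capture ALL.
    """
    by_vpc = {}
    for fl in flow_logs.get("FlowLogs", []):
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    result = {}
    for vpc in vpcs.get("Vpcs", []):
        vid = vpc["VpcId"]
        logs = by_vpc.get(vid, [])
        active = [fl for fl in logs if fl.get("FlowLogStatus") == "ACTIVE"]
        if not logs:
            result[vid] = "alarm: no flow log"
        elif not active:
            # Delivery failures (e.g. a role that cannot write to the log group) show up here.
            err = logs[0].get("DeliverLogsErrorMessage") or "no delivery error reported"
            result[vid] = f"alarm: flow log not ACTIVE ({err})"
        elif require_all_traffic and not any(fl.get("TrafficType") == "ALL" for fl in active):
            result[vid] = "alarm: no active flow log captures TrafficType ALL"
        else:
            result[vid] = "ok"
    return result


def audit_live_account(region_name=None):
    """Run the same check against a real account (assumes boto3 and credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    vpcs = [v for p in ec2.get_paginator("describe_vpcs").paginate() for v in p["Vpcs"]]
    fls = [f for p in ec2.get_paginator("describe_flow_logs").paginate() for f in p["FlowLogs"]]
    return evaluate_vpc_flow_logs({"Vpcs": vpcs}, {"FlowLogs": fls}, require_all_traffic=True)


if __name__ == "__main__":
    print(json.dumps(evaluate_vpc_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, True), indent=2))
```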