Ensure VPC Flow Logging is Enabled in all Applicable Regions
VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in your VPC. After you create a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled. Flow logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic, or to provide insight during security workflows such as incident response.
Risk Level: Low
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.LOG.14
Category: Global
GSL LOGIC
Region where ( not vpcs isEmpty() ) should have hasVpcFLowLogging='true'
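The check the GSL rule expresses, written out as an added Python example (not CloudGuard's own code): a region with at least one VPC passes only when every VPC has an active, VPC-level flow log. The sample VPC and flow-log records are constructed to resemble ec2 DescribeVpcs / DescribeFlowLogs output; the live path assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit a region's VPCs for missing flow logs (added example, not CloudGuard code)."""

# Constructed sample data shaped like ec2 DescribeVpcs / DescribeFlowLogs responses.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0a1b2c3d", "CidrBlock": "10.0.0.0/16"},
    {"VpcId": "vpc-0e4f5a6b", "CidrBlock": "10.1.0.0/16"},
    {"VpcId": "vpc-0c7d8e9f", "CidrBlock": "10.2.0.0/16"},
]
SAMPLE_FLOW_LOGS = [
    # ALL traffic to CloudWatch Logs, delivering normally: covers vpc-0a1b2c3d
    {"FlowLogId": "fl-01", "ResourceId": "vpc-0a1b2c3d", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs"},
    # A flow log that is not ACTIVE gives no visibility, so vpc-0e4f5a6b is uncovered
    {"FlowLogId": "fl-02", "ResourceId": "vpc-0e4f5a6b", "TrafficType": "REJECT",
     "FlowLogStatus": "INACTIVE", "LogDestinationType": "cloud-watch-logs"},
]


def vpcs_without_flow_logs(vpcs, flow_logs):
    """Return IDs of VPCs with no ACTIVE flow log attached at the VPC level.

    Subnet- or ENI-level flow logs (ResourceId subnet-*/eni-*) are not counted
    as VPC coverage, since they only see part of the VPC's traffic.
    """
    covered = {
        fl["ResourceId"]
        for fl in flow_logs
        if fl.get("FlowLogStatus") == "ACTIVE" and fl["ResourceId"].startswith("vpc-")
    }
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def region_is_compliant(vpcs, flow_logs):
    """Rule does not apply to a region without VPCs; otherwise every VPC must be covered."""
    return not vpcs or not vpcs_without_flow_logs(vpcs, flow_logs)


def audit_region(region):
    """Live check against one region (assumes boto3 and configured credentials)."""
    import boto3  # imported lazily so the pure logic above runs without AWS access
    ec2 = boto3.client("ec2", region_name=region)
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate()
            for v in page["Vpcs"]]
    flow_logs = [fl for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for fl in page["FlowLogs"]]
    return vpcs_without_flow_logs(vpcs, flow_logs)


if __name__ == "__main__":
    print("non-compliant VPCs (sample):", vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
```

Run audit_region() once per enabled region to reproduce the rule's "all applicable regions" scope.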
REMEDIATION
From Portal
- Log in to the AWS Management Console at [https://console.aws.amazon.com/]
- Select Services and open the VPC dashboard.
- In the left navigation pane, select Your VPCs.
- Select a VPC and open the Flow Logs tab in the right pane.
- If no Flow Log exists, click Create Flow Log.
- Set Filter to Reject.
- Enter a Role and Destination Log Group.
- Click Create Flow Log.
- Click CloudWatch Logs Group.
- Perform the above steps for all applicable regions.
From TF
resource "aws_vpc" "example_vpc" {
  cidr_block = "IP_block"   # placeholder: replace with the VPC's CIDR block
}

# Capture ALL traffic (accepted and rejected) for the VPC into CloudWatch Logs
resource "aws_flow_log" "example" {
  iam_role_arn    = "arn"   # placeholder: IAM role allowed to write to the log group
  log_destination = "log"   # placeholder: ARN of the CloudWatch Logs log group
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.example_vpc.id
}
References
- https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- https://registry.terraform.io/providers/hashicorp/aws/3.1.0/docs/resources/flow_log
Region
Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.
Compliance Frameworks
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0