Profile Applicability: Level 2


Description:

VPC Flow Logs is a feature that lets you capture information about the IP traffic going to and from the network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

Rationale:

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic and to provide insight during security workflows such as incident investigation.

Impact:

Once enabled, the Flow Logs feature starts collecting network traffic data to and from your Virtual Private Cloud (VPC). This data is useful for detecting and troubleshooting security issues and for verifying that network access rules are not overly permissive.

Default Value:

VPC Flow Logs are not enabled by default. Enabling VPC Flow Logs for all VPCs will increase security and reduce compliance issues.

Audit:

1. Sign in to the AWS Management Console.

2. Navigate to the VPC service at https://console.aws.amazon.com/vpc/

3. In the left navigation pane, select Your VPCs. You will see a list of the VPCs that already exist.

4. Click on the VPC that you want to examine, select the Flow Logs tab, and check whether any flow log exists.

If logging is not enabled, follow the remediation steps.


Via CLI:

aws ec2 describe-flow-logs \
  --filter "Name=resource-id,Values=<vpc-id>"

Remediation:

Pre-Requisite:

1. There must be at least one VPC in the AWS account.

2. Ensure that a CloudWatch Logs log group or an S3 bucket has been created as the destination from which the VPC flow log data will be retrieved.

3. Proceed to the remediation steps only if the audit shows that logging is not enabled.

Implementation Steps:

1. Sign in to the AWS Management Console.

2. Navigate to the VPC service at https://console.aws.amazon.com/vpc/

3. In the left navigation pane, select Your VPCs. You will see a list of the VPCs that already exist.

4. Select the VPC for which you want to enable VPC Flow Logs.

5. Select the Flow Logs tab and click Create flow log.

6. Fill in all the details required by your security norms to create the flow log, as shown in the image.

7. Click Create flow log.


Note: Flow logs are saved to log groups in CloudWatch Logs or to the S3 bucket, depending on the destination you selected when creating the flow log.


Via CLI:

aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids <vpc-id> \
  --traffic-type ALL \
  --log-group-name <LogGroup> \
  --deliver-logs-permission-arn arn:aws:iam::<account-id>:role/<IAM Role>
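The audit command and the remediation command above can be combined into a check that evaluates every VPC in an account at once. The following is an added example, not part of the original benchmark text: the audit_vpc_flow_logs and remediation_commands functions and the sample JSON are assumptions constructed here, shaped like the JSON output of `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`. A VPC passes only when it has an ACTIVE flow log that records ALL traffic, matching the --traffic-type ALL the remediation uses.

```python
import json

# Constructed sample output shaped like `aws ec2 describe-vpcs` and
# `aws ec2 describe-flow-logs` (JSON output); all IDs are made up.
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0aaa111122223333a", "IsDefault": True},
    {"VpcId": "vpc-0bbb111122223333b", "IsDefault": False},
    {"VpcId": "vpc-0ccc111122223333c", "IsDefault": False},
]})
SAMPLE_FLOW_LOGS = json.dumps({"FlowLogs": [
    # Compliant: records ALL traffic and delivery is ACTIVE
    {"FlowLogId": "fl-0111", "ResourceId": "vpc-0aaa111122223333a",
     "TrafficType": "ALL", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow-logs"},
    # Insufficient: only REJECT traffic is recorded, accepted flows stay invisible
    {"FlowLogId": "fl-0222", "ResourceId": "vpc-0bbb111122223333b",
     "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-bucket"},
]})

def audit_vpc_flow_logs(vpcs_json, flow_logs_json):
    """Map each VpcId to 'COMPLIANT' or a non-compliance reason.
    Only logs whose ResourceId is the VPC itself count; logs attached to a
    subnet or network interface do not satisfy a VPC-level check."""
    logs_by_vpc = {}
    for fl in json.loads(flow_logs_json)["FlowLogs"]:
        logs_by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    result = {}
    for vpc in json.loads(vpcs_json)["Vpcs"]:
        vpc_id = vpc["VpcId"]
        logs = logs_by_vpc.get(vpc_id, [])
        if not logs:
            result[vpc_id] = "NON-COMPLIANT: no flow log"
        elif any(fl["TrafficType"] == "ALL" and fl["FlowLogStatus"] == "ACTIVE"
                 for fl in logs):
            result[vpc_id] = "COMPLIANT"
        else:
            result[vpc_id] = "NON-COMPLIANT: no ACTIVE flow log with TrafficType ALL"
    return result

def remediation_commands(audit, log_group, role_arn):
    """Emit the create-flow-logs command from the page for every failing VPC."""
    return [
        f"aws ec2 create-flow-logs --resource-type VPC --resource-ids {vpc_id} "
        f"--traffic-type ALL --log-group-name {log_group} "
        f"--deliver-logs-permission-arn {role_arn}"
        for vpc_id, status in audit.items() if status != "COMPLIANT"
    ]
```

To run it against a real account, feed the functions the saved output of the two describe commands instead of the constructed samples, and review the emitted commands before executing them.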

Backout Plan:

1. Sign in to the AWS Management Console.

2. Navigate to the VPC service at https://console.aws.amazon.com/vpc/

3. In the left navigation pane, select Your VPCs. You will see a list of the VPCs that already exist.

4. Select the flow log, click the Actions button at the bottom right, and choose Delete flow logs from the drop-down menu.



Reference:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html


CIS Controls:

6.2 Activate audit logging

Ensure that local logging has been enabled on all systems and networking devices.

12.5 Configure Monitoring Systems to Record Network Packets

Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.