Profile Applicability:

Level 2

Description:

AWS VPC Flow Logs capture IP traffic flowing to and from network interfaces in a VPC. These logs help in security monitoring, compliance, and forensic investigations. The logs are stored in Amazon CloudWatch Logs and can be analyzed for potential security threats. Enabling VPC Flow Logs ensures visibility into rejected network traffic, helping detect suspicious activity and unauthorized access attempts.

Rationale:

  • Detects potential threats by logging rejected traffic (e.g., unauthorized access attempts, scanning activity).

  • Improves incident response by providing forensic evidence in case of a security breach.

  • Supports compliance with PCI DSS, SOC 2, ISO 27001, NIST, and CIS benchmarks.

  • Assists in troubleshooting by identifying unexpected traffic patterns.

Without VPC Flow Logs, security teams lack network visibility, making it difficult to detect and analyze threats.

Impact:

  • Provides full visibility into VPC network traffic.

  • Helps detect malicious activity and unauthorized access.

  • Essential for forensic analysis and incident response.

  • Supports compliance with security standards.


Default Value:

  • VPC Flow Logs are NOT enabled by default.
  • Must be manually enabled for each VPC.

Pre-Requisites:

IAM permissions required:

  • ec2:DescribeVpcs

  • ec2:CreateFlowLogs

  • iam:CreateRole

  • iam:AttachRolePolicy

  • logs:CreateLogGroup

  • logs:PutRetentionPolicy

AWS CLI installed for automation.

Remediation:

Test Plan:

Using AWS Console

Step 1: Check If VPC Flow Logs Are Enabled

  1. Sign in to the AWS Management Console

  2. Go to VPC Dashboard → AWS VPC

  3. Click Your VPCs in the left navigation panel

  4. Select a VPC

  5. Click on the Flow Logs tab

  6. Ensure a flow log exists and its Status is Active

  7. Repeat for all VPCs in all AWS regions

  • If logs exist and are active, VPC Flow Logs are enabled.
  • If no logs exist, follow the remediation steps.


Using AWS CLI

Step 1: List All VPCs

aws ec2 describe-vpcs --query 'Vpcs[*].VpcId'

Step 2: Check If Flow Logs Exist for Each VPC

aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>"
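
The two CLI checks above produce JSON that still has to be judged VPC by VPC. The script below is an added example (not part of this benchmark) that applies the audit rule to that output: it takes the JSON text of describe-vpcs and of an unfiltered describe-flow-logs call for one region, reports each VPC as PASS or FAIL, and prints the create-flow-logs command from the Implementation Steps for every failing VPC. The responses, VPC ids, flow log ids and the role ARN are constructed sample values; run the real commands once per region and feed their output in.

```python
import json

# Constructed sample responses shaped like the real describe-vpcs and
# describe-flow-logs JSON (VPC ids, flow log ids and log group are made up).
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0a1b2c3d"}, {"VpcId": "vpc-0e5f6a7b"}, {"VpcId": "vpc-09998877"}]})
SAMPLE_FLOW_LOGS = json.dumps({"FlowLogs": [
    # Compliant: active and capturing rejected traffic
    {"FlowLogId": "fl-0123", "ResourceId": "vpc-0a1b2c3d", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogGroupName": "VPC-Flow-Logs"},
    # Active, but ACCEPT only: rejected connections are never recorded
    {"FlowLogId": "fl-0456", "ResourceId": "vpc-0e5f6a7b", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ACCEPT", "LogGroupName": "VPC-Flow-Logs"},
    # vpc-09998877 has no flow log at all
]})


def audit_flow_logs(vpcs_json: str, flow_logs_json: str) -> dict:
    """Map every VPC id to "PASS" or a "FAIL: <reason>" string.

    A VPC passes when at least one flow log attached to it is ACTIVE and
    has TrafficType REJECT or ALL (both record rejected traffic).
    """
    vpc_ids = [v["VpcId"] for v in json.loads(vpcs_json)["Vpcs"]]
    logs_by_vpc = {}
    for fl in json.loads(flow_logs_json)["FlowLogs"]:
        logs_by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    results = {}
    for vpc in vpc_ids:
        logs = logs_by_vpc.get(vpc, [])
        active = [fl for fl in logs if fl["FlowLogStatus"] == "ACTIVE"]
        if not logs:
            results[vpc] = "FAIL: no flow log configured"
        elif not active:
            results[vpc] = "FAIL: flow log exists but none is ACTIVE"
        elif not any(fl["TrafficType"] in ("REJECT", "ALL") for fl in active):
            results[vpc] = "FAIL: active flow log does not capture rejected traffic"
        else:
            results[vpc] = "PASS"
    return results


def remediation_command(vpc_id: str, role_arn: str, log_group: str = "VPC-Flow-Logs") -> str:
    """Build the create-flow-logs command from the Implementation Steps for a failing VPC."""
    return (f"aws ec2 create-flow-logs --resource-type VPC --resource-ids {vpc_id} "
            f"--traffic-type REJECT --log-group-name {log_group} "
            f"--deliver-logs-permission-arn {role_arn}")


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/VPCFlowLogsRole"  # sample account id, not a real one
    for vpc, verdict in audit_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(vpc, verdict)
        if verdict != "PASS":
            print("  remediate:", remediation_command(vpc, role))
```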

Implementation Steps:

Using AWS Console

Step 1: Enable Flow Logs for a VPC

  1. Sign in to the AWS Management Console

  2. Navigate to VPC Dashboard → AWS VPC

  3. Click Your VPCs in the left navigation panel

  4. Select a VPC

  5. Click on the Flow Logs tab

  6. Click Create Flow Log

  7. Configure the log:

    • Filter: Reject (to log only rejected traffic)

    • Destination Log Group: Select or create an Amazon CloudWatch Log Group

    • IAM Role: Select or create an IAM role for log delivery

  8. Click Create Flow Log

  9. Open the CloudWatch Log Group to verify that log records are being delivered

Using AWS CLI

Step 1: Create IAM Role for Log Delivery

aws iam create-role --role-name VPCFlowLogsRole --assume-role-policy-document file://trust-policy.json

Step 2: Create a CloudWatch Log Group

aws logs create-log-group --log-group-name VPC-Flow-Logs

Step 3: Create VPC Flow Logs

aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids <vpc-id> \
    --traffic-type REJECT \
    --log-group-name VPC-Flow-Logs \
    --deliver-logs-permission-arn arn:aws:iam::123456789012:role/VPCFlowLogsRole

Backout Plan

If enabling VPC Flow Logs causes issues, delete the VPC Flow Logs via AWS CLI:

aws ec2 delete-flow-logs --flow-log-ids <flow-log-id>

Verify Logs Are Disabled

aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>"

If the command returns an empty list ([]) of flow logs, logs are disabled.


References: