Profile Applicability: 

Level 2

Description

Client connection logging captures important information about client connections, such as connection attempts, connection failures, and client IP addresses. Enabling connection logging for EC2 Client VPN endpoints helps in monitoring, troubleshooting, and auditing VPN usage to enhance security and compliance.

Rationale

  • Enhanced Security: Provides visibility into client connections to detect potential security issues.

  • Auditing and Compliance: Aids in meeting regulatory requirements by maintaining detailed logs of VPN activity.

  • Troubleshooting: Simplifies the process of diagnosing and resolving connection issues.

Impact

Pros:

  • Increases visibility into VPN activity for monitoring and security.

  • Simplifies troubleshooting connection failures or issues.

  • Helps meet compliance and regulatory requirements.

Cons:

  • May incur additional costs due to log storage in CloudWatch.

  • Requires proper log management to avoid unnecessary storage growth.

Default Value

By default, client connection logging is disabled for EC2 Client VPN endpoints. It must be explicitly enabled.

Pre-Requisite

IAM Permissions:

  • ec2:DescribeClientVpnEndpoints

  • ec2:ModifyClientVpnEndpoint

  • cloudwatch:PutMetricData

Tooling:

  • AWS CLI installed and configured.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard.

  3. Select Client VPN Endpoints.

  4. For each Client VPN endpoint, check if Client Connection Logging is enabled.

Using AWS CLI:

Check Logging Status:

aws ec2 describe-client-vpn-endpoints --query 'ClientVpnEndpoints[*].ConnectionLogOptions'
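The following script is added here as a worked example and is not part of the benchmark text. It reads the JSON produced by the describe command above from stdin (or falls back to a constructed sample when run interactively) and reports every endpoint whose ConnectionLogOptions are not fully configured; the endpoint IDs and log group names in the sample are placeholders.

```python
"""Audit EC2 Client VPN endpoints for client connection logging.

Usage: aws ec2 describe-client-vpn-endpoints | python3 audit_cvpn_logging.py
Exit status 1 when at least one endpoint is non-compliant.
"""
import json
import sys


def audit_connection_logging(response: dict) -> list:
    """Return one finding per non-compliant endpoint.

    An endpoint passes only when logging is enabled AND a CloudWatch log
    group is named. The API normally requires a log group when enabling,
    so the "no log group" branch is a defensive check against odd output.
    """
    findings = []
    for ep in response.get("ClientVpnEndpoints", []):
        opts = ep.get("ConnectionLogOptions") or {}
        enabled = bool(opts.get("Enabled"))
        log_group = opts.get("CloudwatchLogGroup") or ""
        if enabled and log_group:
            continue  # compliant: logging on and a destination configured
        findings.append({
            "ClientVpnEndpointId": ep.get("ClientVpnEndpointId"),
            "Enabled": enabled,
            "CloudwatchLogGroup": log_group or None,
            "Reason": "logging disabled" if not enabled else "no log group configured",
        })
    return findings


# Constructed sample mirroring the shape of describe-client-vpn-endpoints
# output; IDs and names are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "ClientVpnEndpoints": [
        {"ClientVpnEndpointId": "cvpn-endpoint-0example0001",
         "ConnectionLogOptions": {"Enabled": True,
                                  "CloudwatchLogGroup": "/aws/clientvpn/prod",
                                  "CloudwatchLogStream": "connections"}},
        {"ClientVpnEndpointId": "cvpn-endpoint-0example0002",
         "ConnectionLogOptions": {"Enabled": False}},
        {"ClientVpnEndpointId": "cvpn-endpoint-0example0003",
         "ConnectionLogOptions": {"Enabled": True}},
    ]
}

if __name__ == "__main__":
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_connection_logging(data)
    for f in results:
        print(f"NON-COMPLIANT {f['ClientVpnEndpointId']}: {f['Reason']}")
    sys.exit(1 if results else 0)
```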

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard.

  3. Select Client VPN Endpoints from the left-hand menu.

  4. For each Client VPN endpoint:

    • Select the endpoint and click Edit.

    • Under Connection Logging, enable logging by specifying an appropriate CloudWatch log group and IAM role.

    • Save the changes.

Using AWS CLI:

Enable Logging for a Client VPN Endpoint:

aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id <vpn-endpoint-id> --connection-log-options Enabled=true,CloudwatchLogGroup=<log-group-name>,CloudwatchLogStream=<log-stream-name>

Verify Logging is Enabled:

aws ec2 describe-client-vpn-endpoints --client-vpn-endpoint-ids <vpn-endpoint-id> --query 'ClientVpnEndpoints[*].ConnectionLogOptions'

Backout Plan

Using AWS Console:

  1. Navigate to the VPC Dashboard and select the affected endpoint.

  2. Disable client connection logging by clearing the log group and role settings.

  3. Save the changes.

Using AWS CLI:

Disable Logging:

aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id <vpn-endpoint-id> --connection-log-options Enabled=false

References:

CIS Controls:

Version | Control ID | Control Description                                                                                        | IG1 | IG2 | IG3
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.   |     |     |
v8      | 4.1        | Establish and Maintain a Secure Network Architecture – Monitor remote access logs for anomalies.           |     |     |