Profile Applicability

  • Level 1

Description:

VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. Enabling VPC Flow Logs allows you to monitor, troubleshoot, and analyze network traffic. This includes both allowed and denied traffic, which helps you detect and respond to potential security incidents and misconfigurations. By enabling flow logging for all VPCs, organizations ensure full visibility into the traffic flow in their cloud environment.

Rationale:

VPC Flow Logs provide valuable insights into the traffic patterns and activities in your VPC. Enabling them for all VPCs ensures that:

  • You can monitor all network activity within your AWS environment.

  • Unauthorized or unexpected traffic patterns can be detected, such as port scans, DDoS attacks, or unexpected data transfers.

  • You comply with security best practices and regulatory requirements that require detailed traffic logging for analysis and audit purposes.

Without VPC flow logging, organizations have limited visibility into network activities, making it difficult to detect or respond to security incidents.

Impact:

Failure to enable VPC flow logging can result in:

  • Limited visibility into network traffic within your AWS environment.

  • Inability to detect and investigate unauthorized access attempts, malicious traffic, or network misconfigurations.

  • Non-compliance with data protection regulations or security standards requiring detailed network traffic logging.

Enabling flow logging ensures that all network traffic is captured for audit, compliance, and security purposes.

Default Value:

By default, VPC Flow Logs are not enabled for new or existing VPCs. They must be explicitly configured for each VPC to start capturing network traffic logs.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • ec2:DescribeVpcs

    • ec2:CreateFlowLogs

    • cloudwatch:PutLogEvents

  • CloudWatch Logs should be configured as a destination for flow logs

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the VPC Console.

  2. Select the VPC for which you want to enable flow logs.

  3. In the Flow Logs section, verify that Flow Logs are enabled and directed to a CloudWatch Logs group.

  4. Go to the CloudWatch Console and ensure that the logs are being captured in the designated log group.

Using AWS CLI:

aws ec2 describe-flow-logs --query "FlowLogs[*].{LogGroupName:LogGroupName, VpcId:ResourceId}" --output table

To verify CloudWatch logs for VPC flow logs:

aws logs describe-log-groups --query "logGroups[?logGroupName=='<log-group-name>']" --output table

Implementation Plan:

Using AWS Console:

  1. Enable VPC flow logging for all VPCs:

    • Go to the VPC Console.

    • Select the VPC for which you want to enable flow logs.

    • In the Flow Logs section, click Create Flow Log.

    • Choose CloudWatch Logs as the destination for the logs, select a Log Group, and set the Filter (ALL, ACCEPT, or REJECT); ALL captures both accepted and rejected traffic, which this control requires.

  2. Verify CloudWatch logs for flow logs:

    • Go to the CloudWatch Console.

    • Ensure that the logs are captured and directed to the correct log group.

Using AWS CLI:

  1. Enable VPC flow logs for a VPC (replace <iam-role-arn> with the ARN of an IAM role that allows the VPC Flow Logs service to write to the CloudWatch Logs group):

aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>

  2. Verify CloudWatch logs for VPC flow logs:

aws logs describe-log-groups --query "logGroups[?logGroupName=='<log-group-name>']" --output table
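
As an added example (not part of this benchmark page), the following Python script performs the Test Plan check across every VPC at once and builds the remediation command for each VPC that lacks an active, ALL-traffic flow log delivered to CloudWatch Logs. It parses the JSON that `aws ec2 describe-vpcs --output json` and `aws ec2 describe-flow-logs --output json` return; the embedded sample is constructed, and `<log-group-name>` and `<iam-role-arn>` are placeholders you replace with your own values.

```python
import json

# Constructed sample output (not real account data), in the shape returned by
# `aws ec2 describe-vpcs --output json` and `aws ec2 describe-flow-logs --output json`.
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]})
SAMPLE_FLOW_LOGS = json.dumps({"FlowLogs": [
    # vpc-0aaa: compliant (ACTIVE, ALL traffic, CloudWatch Logs destination)
    {"FlowLogId": "fl-01", "ResourceId": "vpc-0aaa", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow-logs",
     "FlowLogStatus": "ACTIVE"},
    # vpc-0bbb: captures ACCEPT only, so rejected traffic is never recorded
    {"FlowLogId": "fl-02", "ResourceId": "vpc-0bbb", "TrafficType": "ACCEPT",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow-logs",
     "FlowLogStatus": "ACTIVE"},
    # vpc-0ccc: no flow log at all
]})


def is_compliant(flow_log):
    """Active, captures ALL traffic, and delivers to CloudWatch Logs."""
    return (flow_log.get("FlowLogStatus") == "ACTIVE"
            and flow_log.get("TrafficType") == "ALL"
            and flow_log.get("LogDestinationType") == "cloud-watch-logs")


def audit_vpcs(vpcs_json, flow_logs_json):
    """Map each VPC ID to True/False for coverage. Only logs whose ResourceId
    is the VPC itself count: subnet- or ENI-level logs do not cover the VPC."""
    vpc_ids = [v["VpcId"] for v in json.loads(vpcs_json)["Vpcs"]]
    logs_by_vpc = {}
    for fl in json.loads(flow_logs_json)["FlowLogs"]:
        logs_by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    return {vpc: any(is_compliant(fl) for fl in logs_by_vpc.get(vpc, []))
            for vpc in vpc_ids}


def remediation_commands(audit, log_group, role_arn):
    """One create-flow-logs command per non-compliant VPC; log_group and
    role_arn are placeholders the operator supplies."""
    return [
        f"aws ec2 create-flow-logs --resource-type VPC --resource-ids {vpc} "
        f"--traffic-type ALL --log-destination-type cloud-watch-logs "
        f"--log-group-name {log_group} --deliver-logs-permission-arn {role_arn}"
        for vpc, ok in audit.items() if not ok]
```

To run it against a real account, feed the two CLI commands' JSON output to `audit_vpcs` in place of the sample strings and print the list returned by `remediation_commands` before executing anything.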

Backout Plan:

Using AWS Console:

  1. If enabling VPC flow logging causes performance issues:

    • Go to the VPC Console.

    • Disable the flow log for the VPC in question.

    • You can also choose to exclude certain traffic types (e.g., only logging ACCEPT traffic).

  2. Modify CloudWatch settings to reduce the number of logs if needed, or archive logs for long-term storage and reduce the frequency of log retrieval.

Using AWS CLI:

  1. Temporarily disable flow logs:

aws ec2 delete-flow-logs --flow-log-ids <flow-log-id>

  2. Stop CloudWatch logs for VPC flow logs:

aws logs delete-log-group --log-group-name <log-group-name>

  3. Re-enable monitoring once issues are resolved (replace <iam-role-arn> with the ARN of the IAM role that allows the VPC Flow Logs service to write to the CloudWatch Logs group):

aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------+------------+--------------------------------------------------------------
CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
CIS v7              | 6.3        | Monitor Security Configurations for Compliance
CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services