Profile Applicability:
Level 1


Description:
This control ensures that Amazon Virtual Private Cloud (VPC) Flow Logs are enabled for every VPC in the AWS account. VPC Flow Logs capture metadata about the IP traffic to and from the network interfaces in your VPCs (source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected); they do not capture packet payloads. Enabling flow logs provides visibility into network activity, supports troubleshooting, enhances security monitoring, and aids compliance reporting.


Rationale:
VPC Flow Logs are an essential part of AWS network visibility and security operations. They allow administrators to analyze accepted and rejected traffic at the network interface, subnet, or VPC level. These logs can help detect unauthorized access attempts, monitor traffic trends, investigate security incidents, and confirm that security group and network ACL behaviour matches expectations. Without flow logs, malicious activity or misconfigurations may go unnoticed. Note that some traffic is never recorded, for example queries to the Amazon DNS resolver and instance metadata requests, so flow logs complement rather than replace host-based and DNS logging.


Impact:
Positive Impact:

  • Enables visibility into network traffic patterns and connections.

  • Supports incident detection, response, and troubleshooting.

  • Provides audit trails for compliance frameworks (CIS, SOC 2, ISO 27001).

Negative Impact:

  • Additional cost for log ingestion and storage in CloudWatch Logs or S3, scaling with traffic volume; S3 is typically the lower-cost destination for high-volume VPCs.

  • May generate a high volume of logs depending on network size; a custom log format or the 10-minute maximum aggregation interval reduces volume at the cost of granularity.

Default Value:
By default, VPC Flow Logs are not enabled for VPCs. They must be manually created and configured for each VPC, subnet, or network interface.


Pre-Requisite:

  • IAM permissions required: ec2:DescribeVpcs and ec2:DescribeFlowLogs to audit; ec2:CreateFlowLogs, logs:CreateLogGroup, logs:CreateLogStream, and iam:PassRole (for the log delivery role) to remediate.

  • A CloudWatch Log Group or S3 bucket for storing flow logs.

  • For a CloudWatch Logs destination, an IAM role that trusts vpc-flow-logs.amazonaws.com and can create log streams and put log events in the log group. For an S3 destination no role is needed; the bucket policy must instead allow delivery.logs.amazonaws.com to write objects (AWS adds this policy automatically if the user creating the flow log is permitted to modify the bucket policy).

Test Plan 
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC → Your VPCs.

  3. For each VPC, check the Flow Logs tab.

  4. Confirm that a Flow Log exists whose resource is the VPC itself (not only a subnet or network interface) and whose status is Active.

  5. Verify that:

    • The Log destination is CloudWatch Logs or an S3 bucket.

    • The Traffic type is set to ALL (recommended) to capture accepted and rejected traffic.

    • The destination permissions are valid: for CloudWatch Logs, the IAM role trusts vpc-flow-logs.amazonaws.com and can write to the log group; for S3, the bucket policy allows delivery.logs.amazonaws.com. Check that no delivery errors are reported and that log data is actually arriving at the destination.

  6. If any VPC does not have flow logging enabled, follow the implementation steps.

Implementation Plan 
Using AWS Console:

  1. Navigate to VPC → Your VPCs.

  2. Select the VPC that does not have a Flow Log.

  3. Go to the Flow Logs tab and click Create flow log.

  4. Under Filter, select ALL to capture both accepted and rejected traffic.

  5. Under Destination, choose one of the following options:

    • Send to CloudWatch Logs: Select an existing or create a new CloudWatch Log Group, and choose an IAM role that trusts vpc-flow-logs.amazonaws.com and has permission to write to that log group.

    • Send to Amazon S3: Choose an existing S3 bucket and specify a prefix if desired. The bucket policy must allow delivery.logs.amazonaws.com to write to the bucket.

  6. Click Create flow log.

  7. Repeat this process for all VPCs to ensure consistent coverage.

  8. Optionally, enforce coverage for new VPCs: create each VPC and its flow log together in infrastructure-as-code, enable the AWS Config managed rule vpc-flow-logs-enabled to flag VPCs without flow logs, or run a scheduled script that creates the missing flow logs.
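The following script is an added example and not part of this benchmark text; it automates the Test Plan check (does every VPC have an active, VPC-scoped, ALL-traffic flow log with a valid destination?) and builds the create_flow_logs request for the VPCs that fail it. The audit functions are pure and run on the constructed sample data included below; remediate() needs boto3 and AWS credentials, so boto3 is imported only inside it. All resource IDs, ARNs and names are illustrative assumptions.

```python
"""Added example: audit VPC Flow Logs coverage and build remediation requests.
Sample VPC IDs, ARNs and log names are constructed for illustration."""

ACCEPTABLE_DESTINATIONS = {"cloud-watch-logs", "s3"}


def compliant_flow_log(fl: dict) -> bool:
    """Mirror the Test Plan checks on one describe_flow_logs entry: status
    Active, traffic type ALL, destination CloudWatch Logs or S3, no failed delivery."""
    return (
        fl.get("FlowLogStatus") == "ACTIVE"
        and fl.get("TrafficType") == "ALL"
        and fl.get("LogDestinationType") in ACCEPTABLE_DESTINATIONS
        and fl.get("DeliverLogsStatus") != "FAILED"
    )


def find_unlogged_vpcs(vpcs: list, flow_logs: list) -> list:
    """Return IDs of VPCs with no compliant flow log whose ResourceId is the VPC
    itself. A log attached only to a subnet or ENI leaves the rest of the VPC
    uncovered, so it does not satisfy the control."""
    covered = {
        fl["ResourceId"]
        for fl in flow_logs
        if fl.get("ResourceId", "").startswith("vpc-") and compliant_flow_log(fl)
    }
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def build_create_request(vpc_id: str, destination_arn: str, role_arn: str = None) -> dict:
    """Build keyword arguments for ec2.create_flow_logs(). A CloudWatch Logs
    destination needs DeliverLogsPermissionArn (the role that trusts
    vpc-flow-logs.amazonaws.com); an S3 destination is authorised by the bucket
    policy instead, so no role is passed."""
    if destination_arn.startswith("arn:aws:logs:"):
        dest_type = "cloud-watch-logs"
        if not role_arn:
            raise ValueError("CloudWatch Logs destination requires role_arn")
    elif destination_arn.startswith("arn:aws:s3:::"):
        dest_type = "s3"
    else:
        raise ValueError(f"unsupported destination: {destination_arn}")
    params = {
        "ResourceIds": [vpc_id],
        "ResourceType": "VPC",
        "TrafficType": "ALL",  # capture accepted and rejected traffic
        "LogDestinationType": dest_type,
        "LogDestination": destination_arn,
    }
    if dest_type == "cloud-watch-logs":
        params["DeliverLogsPermissionArn"] = role_arn
    return params


def remediate(region: str, destination_arn: str, role_arn: str = None, dry_run: bool = True) -> list:
    """Audit one region with boto3 and, unless dry_run, create the missing flow
    logs. Returns the VPC IDs that were (or would be) remediated."""
    import boto3  # imported here so the pure functions above run offline

    ec2 = boto3.client("ec2", region_name=region)
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate() for v in page["Vpcs"]]
    flow_logs = [f for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for f in page["FlowLogs"]]
    missing = find_unlogged_vpcs(vpcs, flow_logs)
    for vpc_id in missing:
        params = build_create_request(vpc_id, destination_arn, role_arn)
        if not dry_run:
            resp = ec2.create_flow_logs(**params)
            if resp.get("Unsuccessful"):  # per-resource failures are reported here, not raised
                raise RuntimeError(f"{vpc_id}: {resp['Unsuccessful']}")
    return missing


# Constructed sample data shaped like describe_vpcs / describe_flow_logs responses.
SAMPLE_VPCS = [{"VpcId": f"vpc-0a1b2c3d4e5f6000{n}"} for n in range(1, 5)]
SAMPLE_FLOW_LOGS = [
    # vpc-...0001: compliant VPC-scoped log to CloudWatch Logs
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-0a1b2c3d4e5f60001", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "SUCCESS"},
    # vpc-...0002: a REJECT-only log plus an ALL log whose delivery is failing
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-0a1b2c3d4e5f60002", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "s3"},
    {"FlowLogId": "fl-0003", "ResourceId": "vpc-0a1b2c3d4e5f60002", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "FAILED"},
    # vpc-...0003: only a subnet-scoped log, so the VPC as a whole is uncovered
    {"FlowLogId": "fl-0004", "ResourceId": "subnet-0123456789abcdef0", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3"},
    # vpc-...0004: no flow log at all
]

if __name__ == "__main__":
    print("VPCs without a compliant flow log:", find_unlogged_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
```

Run against a real account with remediate("us-east-1", "arn:aws:s3:::<bucket>") first in the default dry-run mode to review the list, then with dry_run=False; repeat per region, since flow logs and VPCs are regional.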

Backout Plan:

  1. To disable flow logging, navigate to VPC → Flow Logs, select the flow log entry, and click Delete flow log. Deleting a flow log stops new deliveries but does not remove log data already written to CloudWatch Logs or S3.

  2. Confirm deletion only if monitoring or cost control measures justify the change.

  3. Ensure that other security monitoring systems are in place before disabling flow logs.

References: