Control: 3.7 Ensure VPC flow logging is enabled in all VPCs
Description
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
Remediation
Perform the following to determine if VPC Flow logs is enabled:
From Console:
- Sign into the management console
- Select
Services
thenVPC
- In the left navigation pane, select
Your VPCs
- Select a VPC
- In the right pane, select the
Flow Logs
tab. - If no Flow Log exists, click
Create Flow Log
- For Filter, select
Reject
- Enter in a
Role
andDestination Log Group
- Click
Create Log Flow
- Click on
CloudWatch Logs Group
Note: Setting the filter to "Reject" will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to "All" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.
From Command Line:
- Create a policy document and name it as
role_policy_document.json
and paste the following content:
{"Version": "2012-10-17","Statement": [{"Sid": "test","Effect": "Allow","Principal":{"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}
- Create another policy document and name it as
iam_policy.json
and paste the following content:
{"Version": "2012-10-17","Statement": [ { "Effect": "Allow", "Action":[ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": "*" } ]}
- Run the below command to create an IAM role:
aws iam create-role --role-name <aws_support_iam_role> --assume-role-policydocument file://<file-path>role_policy_document.json
- Run the below command to create an IAM policy:
aws iam create-policy --policy-name <ami-policy-name> --policy-document file://<file-path>iam-policy.json
- Run
attach-group-policy
command using the IAM policy ARN returned at the previous step to attach the policy to the IAM role (if the command succeeds, no output is returned):
aws iam attach-group-policy --policy-arn arn:aws:iam::<aws-accountid>:policy/<iam-policy-name> --group-name <group-name>
- Run
describe-vpcs
to get the VpcId available in the selected region:
aws ec2 describe-vpcs --region <region>
- The command output should return the VPC Id available in the selected region.
- Run
create-flow-logs
to create a flow log for the vpc:
aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logspermission-arn <iam-role-arn>
- Repeat step 8 for other vpcs available in the selected region.
- Change the region by updating --region and repeat remediation procedure for other vpcs.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v300_3_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v300_3_7 --share
SQL
This control uses a named query:
vpc_flow_logs_enabled