Control: 51 EC2 Client VPN endpoints should have client connection logging enabled
Description
This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled.
Client VPN endpoints allow remote clients to securely connect to resources in a Virtual Private Cloud (VPC) in AWS. Connection logs allow you to track user activity on the VPN endpoint and provides visibility. When you enable connection logging, you can specify the name of a log stream in the log group. If you don't specify a log stream, the Client VPN service creates one for you.
Remediation
o enable connection logging, see Enable connection logging for an existing Client VPN endpoint in the AWS Client VPN Administrator Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_51Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_ec2_51 --shareSQL
This control uses a named query:
ec2_client_vpn_endpoint_client_connection_logging_enabled