Control: 6 VPC flow logging should be enabled in all VPCs
Description
This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT.
With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data.
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows.
By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol. For more information and descriptions of the log fields, see VPC Flow Logsin the Amazon VPC User Guide.
Remediation
To enable VPC flow logging
- Open the Amazon VPC console.
- In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
- Select a
VPC
to update. - At the bottom of the page, choose Flow Logs.
- Choose Create flow log.
- For Filter, choose Reject.
- For Destination log group, choose the
log group
to use. - If you chose
CloudWatch Logs
for your destination log group, for IAM role, choose the IAM role to use. - Choose Create.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_ec2_6 --share
SQL
This control uses a named query:
vpc_flow_logs_enabled