turbot/aws_compliance

Control: 6 VPC flow logging should be enabled in all VPCs

Description

This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT.

With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data.

Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows.

By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol. For more information and descriptions of the log fields, see VPC Flow Logsin the Amazon VPC User Guide.

Remediation

To enable VPC flow logging

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
  3. Select a VPC to update.
  4. At the bottom of the page, choose Flow Logs.
  5. Choose Create flow log.
  6. For Filter, choose Reject.
  7. For Destination log group, choose the log group to use.
  8. If you chose CloudWatch Logs for your destination log group, for IAM role, choose the IAM role to use.
  9. Choose Create.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_6 --share

SQL

This control uses a named query:

vpc_flow_logs_enabled

Tags