turbot/steampipe-mod-alicloud-compliance

Control: 2.5 Ensure virtual network flow log service is enabled

Description

A flow log captures the traffic of an Elastic Network Interface (ENI), a Virtual Private Cloud (VPC) or a VSwitch. A flow log for a VPC or VSwitch must be integrated with Log Service so that it captures the traffic of every ENI in that VPC or VSwitch, including ENIs created after the flow log is enabled. The captured traffic data is stored in Log Service for real-time monitoring and analysis. Traffic is aggregated over a capture window of about 10 minutes and then written out as flow log records.

Remediation

Perform the following to ensure the virtual network flow log is enabled:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click FlowLog.
  3. Select the region in which the flow log is to be created.
  4. On the FlowLog page, click Create FlowLog.
  5. On the Create FlowLog page, set the required parameters by following the instructions, then click OK.

Default Value:

Logging is disabled.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_2_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_2_5 --share

SQL

This control uses a named query:

with compliant_flow_logs as (
  -- a flow log only satisfies the control when it is Active and
  -- integrated with Log Service (non-empty project and logstore)
  select
    resource_id,
    resource_type,
    project_name,
    log_store_name,
    region,
    account_id,
    name as flow_log_name
  from
    alicloud_vpc_flow_log
  where
    resource_type in ('VPC', 'VSwitch')
    and status = 'Active'
    and project_name is not null
    and project_name != ''
    and log_store_name is not null
    and log_store_name != ''
)
-- VPCs
select
  v.arn as resource,
  case
    when fl.resource_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when fl.resource_id is not null then v.title || ' has active flow log "' || fl.flow_log_name || '" integrated with log service (project: ' || fl.project_name || ', logstore: ' || fl.log_store_name || ').'
    else v.title || ' does not have an active flow log integrated with log service.'
  end as reason,
  v.account_id as account_id,
  v.region as region
from
  alicloud_vpc v
  left join compliant_flow_logs fl
    on v.vpc_id = fl.resource_id
    and v.region = fl.region
    and v.account_id = fl.account_id
    and fl.resource_type = 'VPC'
union all
-- VSwitches (no arn column, so the ARN is built from region, account and vswitch_id)
select
  'acs:vpc:' || vs.region || ':' || vs.account_id || ':vswitch/' || vs.vswitch_id as resource,
  case
    when fl.resource_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when fl.resource_id is not null then vs.title || ' has active flow log "' || fl.flow_log_name || '" integrated with log service (project: ' || fl.project_name || ', logstore: ' || fl.log_store_name || ').'
    else vs.title || ' does not have an active flow log integrated with log service.'
  end as reason,
  vs.account_id as account_id,
  vs.region as region
from
  alicloud_vpc_vswitch vs
  left join compliant_flow_logs fl
    on vs.vswitch_id = fl.resource_id
    and vs.region = fl.region
    and vs.account_id = fl.account_id
    and fl.resource_type = 'VSwitch';
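The control above only reports ok or alarm. The following diagnostic query is an added example, not part of the mod, that explains why a VPC or VSwitch alarms: no flow log at all, a flow log that is not Active, or an Active flow log with no Log Service project or logstore. It assumes only the tables and columns the control itself reads (alicloud_vpc, alicloud_vpc_vswitch, alicloud_vpc_flow_log and their resource_id, resource_type, status, project_name, log_store_name, region, account_id and name columns) and a PostgreSQL-compatible engine, as Steampipe provides. It also aggregates per resource; the control's own left join emits one row per matching flow log, so a resource with two compliant flow logs appears twice in its results.

```sql
-- Added diagnostic query (not part of steampipe-mod-alicloud-compliance):
-- classify every VPC and VSwitch by why it does or does not satisfy 2.5.
with targets as (
  select vpc_id as resource_id, 'VPC' as resource_type, title, region, account_id
  from alicloud_vpc
  union all
  select vswitch_id, 'VSwitch', title, region, account_id
  from alicloud_vpc_vswitch
),
flow_logs as (
  select
    resource_id,
    resource_type,
    region,
    account_id,
    name as flow_log_name,
    status,
    project_name,
    log_store_name,
    -- same compliance test the control applies
    (status = 'Active'
      and coalesce(project_name, '') <> ''
      and coalesce(log_store_name, '') <> '') as compliant
  from alicloud_vpc_flow_log
  where resource_type in ('VPC', 'VSwitch')
)
select
  t.resource_type,
  t.resource_id,
  t.title,
  t.region,
  t.account_id,
  -- count(column) ignores the nulls produced by the left join
  count(fl.flow_log_name) as flow_log_count,
  count(*) filter (where fl.compliant) as compliant_flow_logs,
  case
    when count(fl.flow_log_name) = 0 then 'no flow log defined'
    when count(*) filter (where fl.compliant) > 0 then 'ok'
    when bool_or(fl.status <> 'Active')
      then 'flow log present but not Active (status: '
           || string_agg(distinct fl.status, ', ') || ')'
    else 'flow log Active but missing Log Service project or logstore'
  end as finding
from targets t
left join flow_logs fl
  on fl.resource_id = t.resource_id
  and fl.resource_type = t.resource_type
  and fl.region = t.region
  and fl.account_id = t.account_id
group by t.resource_type, t.resource_id, t.title, t.region, t.account_id
order by finding, t.resource_type, t.resource_id;
```

Run it with steampipe query against a configured alicloud connection. Resources in the 'ok' row group are exactly those the control marks ok; the other three groups tell you whether remediation means creating a flow log, re-activating one, or attaching a Log Service project and logstore to one that already exists.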

Tags