Control: 3.3 Ensure VPC flow logging is enabled in all VPCs
Description
You can use the flow log function to monitor the IP traffic information for an ENI, a VSwitch or a VPC. If you create a flow log for a VSwitch or a VPC, all the Elastic Network Interfaces in it, including Elastic Network Interfaces created later, are monitored. Such flow log data is stored in Log Service, where you can view and analyze IP traffic information. It is recommended that VPC Flow Logs be enabled for packet "rejects" for VPCs.
Remediation
- Logon to VPC console.
- In the left-side navigation pane, click FlowLog.
- Follow the instruction to create FlowLog for each of your VPCs.
Default Value:
By default, Flow Logs are not enabled when you create a new VPC.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v200_3_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_3_3 --share
SQL
This control uses a named query:
with vpc_list as (
  select
    vpc_id,
    arn,
    title,
    region,
    account_id,
    _ctx,
    tags
  from
    alicloud_vpc
),
flow_logs as (
  select
    flow_log_id,
    title,
    status as flow_log_status,
    resource_id,
    region,
    account_id
  from
    alicloud_vpc_flow_log
  where
    resource_type = 'VPC'
)
select
  arn as resource,
  case
    when fl.flow_log_id is not null and fl.flow_log_status = 'Active' then 'ok'
    when fl.flow_log_id is not null and fl.flow_log_status <> 'Active' then 'alarm'
    else 'alarm'
  end as status,
  case
    when fl.flow_log_id is not null and fl.flow_log_status = 'Active' then v.title || ' has VPC flow logging enabled.'
    when fl.flow_log_id is not null and fl.flow_log_status <> 'Active' then v.title || ' flow logging enabled but inactive.'
    else v.title || ' does not have VPC flow logging enabled.'
  end as reason,
  v.account_id as account_id,
  v.region as region
from
  vpc_list v
  left join flow_logs fl on v.vpc_id = fl.resource_id and v.region = fl.region and v.account_id = fl.account_id;
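The following Python is an added example, not code from the alicloud_compliance mod: it re-implements the named query's left join and case logic over constructed in-memory records (the VPC ids, ARNs, titles and account id are made up) so the three outcomes can be exercised without a Steampipe connection. It also shows one property of the left join that is worth knowing when reading results: a VPC with several VPC-scoped flow logs yields one result row per flow log. The helper `noncompliant_vpcs` is an added interpretation, not something the query does; it collapses those rows and treats a VPC as compliant when any of its flow logs is Active.

```python
from collections import Counter

# Constructed sample records standing in for rows of the alicloud_vpc and
# alicloud_vpc_flow_log tables. All ids, ARNs and the account id are made up.
VPCS = [
    {"vpc_id": "vpc-aaa", "arn": "acs:vpc:cn-hangzhou:111:vpc/vpc-aaa",
     "title": "prod-vpc", "region": "cn-hangzhou", "account_id": "111"},
    {"vpc_id": "vpc-bbb", "arn": "acs:vpc:cn-hangzhou:111:vpc/vpc-bbb",
     "title": "staging-vpc", "region": "cn-hangzhou", "account_id": "111"},
    {"vpc_id": "vpc-ccc", "arn": "acs:vpc:cn-shanghai:111:vpc/vpc-ccc",
     "title": "dev-vpc", "region": "cn-shanghai", "account_id": "111"},
    {"vpc_id": "vpc-ddd", "arn": "acs:vpc:cn-hangzhou:111:vpc/vpc-ddd",
     "title": "shared-vpc", "region": "cn-hangzhou", "account_id": "111"},
]

FLOW_LOGS = [
    # Active VPC-scoped log: prod-vpc passes.
    {"flow_log_id": "fl-1", "status": "Active", "resource_type": "VPC",
     "resource_id": "vpc-aaa", "region": "cn-hangzhou", "account_id": "111"},
    # Log exists but is not Active: staging-vpc alarms.
    {"flow_log_id": "fl-2", "status": "Inactive", "resource_type": "VPC",
     "resource_id": "vpc-bbb", "region": "cn-hangzhou", "account_id": "111"},
    # VSwitch-scoped log: filtered out by resource_type = 'VPC', so dev-vpc alarms.
    {"flow_log_id": "fl-3", "status": "Active", "resource_type": "VSwitch",
     "resource_id": "vsw-xyz", "region": "cn-shanghai", "account_id": "111"},
    # Two VPC-scoped logs on one VPC: the join produces two rows for shared-vpc.
    {"flow_log_id": "fl-4", "status": "Active", "resource_type": "VPC",
     "resource_id": "vpc-ddd", "region": "cn-hangzhou", "account_id": "111"},
    {"flow_log_id": "fl-5", "status": "Inactive", "resource_type": "VPC",
     "resource_id": "vpc-ddd", "region": "cn-hangzhou", "account_id": "111"},
]


def evaluate(vpcs, flow_logs):
    """Mirror the control query: one row per (VPC, matching VPC-scoped flow log),
    or one row with no flow log when nothing matches (left join semantics)."""
    vpc_scoped = [fl for fl in flow_logs if fl["resource_type"] == "VPC"]
    rows = []
    for v in vpcs:
        matches = [
            fl for fl in vpc_scoped
            if fl["resource_id"] == v["vpc_id"]
            and fl["region"] == v["region"]
            and fl["account_id"] == v["account_id"]
        ]
        for fl in matches or [None]:
            if fl is not None and fl["status"] == "Active":
                status = "ok"
                reason = f"{v['title']} has VPC flow logging enabled."
            elif fl is not None:
                status = "alarm"
                reason = f"{v['title']} flow logging enabled but inactive."
            else:
                status = "alarm"
                reason = f"{v['title']} does not have VPC flow logging enabled."
            rows.append({
                "resource": v["arn"],
                "status": status,
                "reason": reason,
                "account_id": v["account_id"],
                "region": v["region"],
            })
    return rows


def status_counts(rows):
    """Count result rows by status, as a control summary would."""
    return dict(Counter(r["status"] for r in rows))


def noncompliant_vpcs(rows):
    """Added interpretation (not part of the query): collapse the per-flow-log
    rows and report a VPC as non-compliant only if none of its rows is 'ok'."""
    by_resource = {}
    for r in rows:
        by_resource.setdefault(r["resource"], set()).add(r["status"])
    return sorted(res for res, statuses in by_resource.items() if "ok" not in statuses)


if __name__ == "__main__":
    for row in evaluate(VPCS, FLOW_LOGS):
        print(row["status"].ljust(6), row["reason"])
    print(status_counts(evaluate(VPCS, FLOW_LOGS)))
    print(noncompliant_vpcs(evaluate(VPCS, FLOW_LOGS)))
```

Running the block prints five rows for four VPCs: shared-vpc appears twice, once as ok and once as alarm, which is exactly what the left join in the query returns when a VPC carries more than one VPC-scoped flow log.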