🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 3.9 Ensure VPC flow logging is enabled in all VPCs

Description

VPC flow logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in CloudWatch Logs.

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.

While setting up the VPC flow log, setting filter to Reject will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to "All" can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.

Remediation

Perform the following to determine if VPC Flow logs is enabled:

From Console

  1. Open the Amazon VPC console at VPC
  2. Select required VPC to update from Your VPCs
  3. Choose the Flow Logs tab in the bottom section of the page.
  4. If no Flow Log exists, choose Create flow log
  5. For Filter, choose Reject.
  6. For Destination log group, select the log group to use.
  7. For IAM role, select the IAM role to use.
  8. Choose Create flow log.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v150_3_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v150_3_9 --share

SQL

This control uses a named query:

with vpcs as (
  select
    arn,
    account_id,
    region,
    owner_id,
    vpc_id,
    tags,
    _ctx
  from
    aws_vpc
  order by
    vpc_id
),
flowlogs as (
  select
    resource_id,
    account_id,
    region
  from
    aws_vpc_flow_log
  order by
    resource_id
)
select
  v.arn as resource,
  case
    when v.account_id <> v.owner_id then 'skip'
    when f.resource_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'
    when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'
    else v.vpc_id || ' flow logging disabled.'
  end as reason
  
  , v.region, v.account_id
from
  vpcs as v
  left join flowlogs as f on v.vpc_id = f.resource_id;

Tags

category = Compliance
cis = true
cis_item_id = 3.9
cis_level = 2
cis_section_id = 3
cis_type = automated
cis_version = v1.5.0
plugin = aws
service = AWS/VPC