🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 51 EC2 Client VPN endpoints should have client connection logging enabled

Description

This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled.

Client VPN endpoints allow remote clients to securely connect to resources in a Virtual Private Cloud (VPC) in AWS. Connection logs allow you to track user activity on the VPN endpoint and provides visibility. When you enable connection logging, you can specify the name of a log stream in the log group. If you don't specify a log stream, the Client VPN service creates one for you.

Remediation

o enable connection logging, see Enable connection logging for an existing Client VPN endpoint in the AWS Client VPN Administrator Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_51

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_51 --share

SQL

This control uses a named query:

select
  client_vpn_endpoint_id as resource,
  case
    when (connection_log_options ->> 'Enabled')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (connection_log_options ->> 'Enabled')::bool then title || ' client connection logging enabled.'
    else title || ' client connection logging disabled.'
  end as reason
  
  , region, account_id
from
  aws_ec2_client_vpn_endpoint;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = ec2_51
plugin = aws
service = AWS/EC2