Control: 171 EC2 VPN connections should have logging enabled
Description
This control checks whether an AWS Site-to-Site VPN connection has Amazon CloudWatch Logs enabled for both tunnels. The control fails if a Site-to-Site VPN connection doesn't have CloudWatch Logs enabled for both tunnels.
AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. With this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, Internet Key Exchange (IKE) negotiations, and dead peer detection (DPD) protocol messages. Site-to-Site VPN logs can be published to CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.
Remediation
To enable tunnel logging on an EC2 VPN connection, see AWS Site-to-Site VPN logs in the AWS Site-to-Site VPN User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_171
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_ec2_171 --share
SQL
This control uses a named query:
with tunnel_logging as ( select distinct arn, count(*) from aws_vpc_vpn_connection, jsonb_array_elements(options -> 'TunnelOptions') as t where (t -> 'LogOptions' -> 'CloudWatchLogOptions' ->> 'LogEnabled')::bool group by arn)select a.arn as resource, case when b.count >= 1 then 'ok' else 'alarm' end as status, case when b.count = 1 then a.title || ' has logging enabled for one tunnel.' when b.count = 2 then a.title || ' has logging enabled for both tunnels.' else a.title || ' has logging disabled for both tunnels.' end as reason , region, account_idfrom aws_vpc_vpn_connection as a left join tunnel_logging as b on a.arn = b.arn;