turbot/steampipe-mod-aws-compliance

Control: 171 EC2 VPN connections should have logging enabled

Description

This control checks whether an AWS Site-to-Site VPN connection has Amazon CloudWatch Logs enabled for both tunnels. The control fails if a Site-to-Site VPN connection doesn't have CloudWatch Logs enabled for both tunnels.

AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. With this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, Internet Key Exchange (IKE) negotiations, and dead peer detection (DPD) protocol messages. Site-to-Site VPN logs can be published to CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

Remediation

To enable tunnel logging on an EC2 VPN connection, see AWS Site-to-Site VPN logs in the AWS Site-to-Site VPN User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_171

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_171 --share

SQL

This control uses a named query:

with tunnel_logging as (
select
distinct arn,
count(*)
from
aws_vpc_vpn_connection,
jsonb_array_elements(options -> 'TunnelOptions') as t
where
(t -> 'LogOptions' -> 'CloudWatchLogOptions' ->> 'LogEnabled')::bool
group by arn
)
select
a.arn as resource,
case
when b.count >= 1 then 'ok'
else 'alarm'
end as status,
case
when b.count = 1 then a.title || ' has logging enabled for one tunnel.'
when b.count = 2 then a.title || ' has logging enabled for both tunnels.'
else a.title || ' has logging disabled for both tunnels.'
end as reason
, region, account_id
from
aws_vpc_vpn_connection as a
left join tunnel_logging as b on a.arn = b.arn;

Tags