Control: 6 VPC flow logging should be enabled in all VPCs
Description
This control checks whether VPC flow logs are found and enabled for VPCs, with the traffic type set to REJECT.
With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data.
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows.
By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol. For more information and descriptions of the log fields, see VPC Flow Logs in the Amazon VPC User Guide.
Remediation
To enable VPC flow logging
- Open the Amazon VPC console.
- In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
- Select a VPC to update.
- At the bottom of the page, choose Flow Logs.
- Choose Create flow log.
- For Filter, choose Reject.
- For Destination log group, choose the log group to use.
- If you chose CloudWatch Logs for your destination log group, for IAM role, choose the IAM role to use.
- Choose Create.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_6 --share
SQL
This control uses a named query:
with vpcs as (
  select
    arn,
    account_id,
    region,
    owner_id,
    vpc_id,
    tags,
    _ctx
  from
    aws_vpc
  order by
    vpc_id
),
flowlogs as (
  select
    resource_id,
    account_id,
    flow_log_status,
    region
  from
    aws_vpc_flow_log
  order by
    resource_id
)
select
  v.arn as resource,
  case
    when v.account_id <> v.owner_id then 'skip'
    when f.resource_id is not null and f.flow_log_status = 'ACTIVE' then 'ok'
    when f.resource_id is not null and f.flow_log_status <> 'ACTIVE' then 'alarm'
    else 'alarm'
  end as status,
  case
    when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'
    when f.resource_id is not null and f.flow_log_status = 'ACTIVE' then v.vpc_id || ' flow logging enabled and active.'
    when f.resource_id is not null and f.flow_log_status <> 'ACTIVE' then v.vpc_id || ' flow logging enabled but inactive.'
    else v.vpc_id || ' flow logging disabled.'
  end as reason
  , v.region, v.account_id
from
  vpcs as v
  left join flowlogs as f on v.vpc_id = f.resource_id;
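The status logic of the query above and the remediation steps under Remediation, re-implemented offline as an added Python example (this is not code from the Steampipe/Powerpipe mod, from Security Hub or from AWS). It classifies constructed VPC and flow-log records the way the query's case expressions do (skip for shared VPCs, alarm for missing or inactive flow logs, ok for an active one), additionally checks the flow log's traffic type against the REJECT requirement stated in the description (the query itself looks only at flow_log_status), and builds the boto3 create_flow_logs request that corresponds to the console steps. The VPC and flow-log records, the log group name and the IAM role ARN are constructed placeholders, and the optional ec2_client argument is assumed to be a boto3 EC2 client; the block runs without one.

```python
"""Added example: evaluate the EC2.6 condition offline and build the remediation
request. Uses constructed sample records; not the compliance mod's own code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Vpc:
    vpc_id: str
    account_id: str   # account the query ran in (aws_vpc.account_id)
    owner_id: str     # account that owns the VPC (aws_vpc.owner_id)
    region: str


@dataclass
class FlowLog:
    resource_id: str      # VPC the flow log is attached to (aws_vpc_flow_log.resource_id)
    flow_log_status: str  # 'ACTIVE' or 'INACTIVE'
    traffic_type: str     # 'ACCEPT', 'REJECT' or 'ALL'
    region: str


# Traffic types that capture rejected packets. Assumption: ALL (a superset of
# REJECT) satisfies the control's intent; the page's query does not check this.
REJECT_CAPTURING = {"REJECT", "ALL"}


def evaluate(vpc: Vpc, flow_logs: Iterable[FlowLog]) -> Tuple[str, str]:
    """Return (status, reason) following the query's case expressions, plus a
    traffic-type check. Unlike the query's left join, this yields one verdict
    per VPC even when several flow logs are attached to it."""
    if vpc.account_id != vpc.owner_id:
        return "skip", f"{vpc.vpc_id} is a shared VPC."
    attached = [f for f in flow_logs
                if f.resource_id == vpc.vpc_id and f.region == vpc.region]
    if not attached:
        return "alarm", f"{vpc.vpc_id} flow logging disabled."
    active = [f for f in attached if f.flow_log_status == "ACTIVE"]
    if not active:
        return "alarm", f"{vpc.vpc_id} flow logging enabled but inactive."
    if any(f.traffic_type in REJECT_CAPTURING for f in active):
        return "ok", f"{vpc.vpc_id} flow logging enabled and active."
    return "alarm", f"{vpc.vpc_id} flow logging active but captures no rejected traffic."


def create_flow_log_request(vpc_id: str, log_group_name: str, role_arn: str,
                            traffic_type: str = "REJECT") -> Dict[str, object]:
    """Keyword arguments for boto3 EC2.Client.create_flow_logs that mirror the
    console steps: Filter = Reject, a CloudWatch Logs log group, an IAM role."""
    if traffic_type not in {"ACCEPT", "REJECT", "ALL"}:
        raise ValueError(f"unsupported traffic type: {traffic_type}")
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": traffic_type,
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group_name,
        "DeliverLogsPermissionArn": role_arn,
    }


def remediate(vpcs: Iterable[Vpc], flow_logs: List[FlowLog], log_group_name: str,
              role_arn: str, ec2_client: Optional[object] = None) -> List[Dict[str, object]]:
    """Build (and, when a boto3 EC2 client is given, send) one create_flow_logs
    request per VPC in alarm. Returns the requests so they can be reviewed first."""
    requests = []
    for vpc in vpcs:
        status, _ = evaluate(vpc, flow_logs)
        if status != "alarm":
            continue
        req = create_flow_log_request(vpc.vpc_id, log_group_name, role_arn)
        requests.append(req)
        if ec2_client is not None:
            ec2_client.create_flow_logs(**req)   # assumed boto3 EC2 client
    return requests


# Constructed inventory: one VPC per outcome the evaluation can produce.
ACCOUNT = "111111111111"
SAMPLE_VPCS = [
    Vpc("vpc-0a1", ACCOUNT, ACCOUNT, "us-east-1"),         # active REJECT log -> ok
    Vpc("vpc-0b2", ACCOUNT, ACCOUNT, "us-east-1"),         # log exists but inactive -> alarm
    Vpc("vpc-0c3", ACCOUNT, ACCOUNT, "us-east-1"),         # no log at all -> alarm
    Vpc("vpc-0d4", ACCOUNT, "222222222222", "us-east-1"),  # shared from another account -> skip
    Vpc("vpc-0e5", ACCOUNT, ACCOUNT, "us-east-1"),         # only ACCEPT traffic logged -> alarm
]
SAMPLE_FLOW_LOGS = [
    FlowLog("vpc-0a1", "ACTIVE", "REJECT", "us-east-1"),
    FlowLog("vpc-0b2", "INACTIVE", "REJECT", "us-east-1"),
    FlowLog("vpc-0e5", "ACTIVE", "ACCEPT", "us-east-1"),
]


if __name__ == "__main__":
    for vpc in SAMPLE_VPCS:
        print("%-6s %s" % evaluate(vpc, SAMPLE_FLOW_LOGS))
    # Dry run: no client is passed, so nothing is sent; log group and role are placeholders.
    for req in remediate(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, "/vpc/flow-logs",
                         f"arn:aws:iam::{ACCOUNT}:role/FlowLogsRole"):
        print("would call create_flow_logs:", req)
```

Two points differ from the query on purpose. The join in the query matches on vpc_id alone and returns one row per attached flow log, so a VPC with one active and one inactive flow log shows up both as ok and as alarm; the example also matches on region and collapses to a single verdict per VPC. The example also treats an active flow log that records only ACCEPT traffic as an alarm, since such a log does not satisfy the REJECT filter the description calls for even though the query would report it as ok.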