Control: EC2 VPN connections should have logging enabled
Description
This control checks whether an AWS Site-to-Site VPN connection has Amazon CloudWatch Logs enabled for both tunnels. The control fails if a Site-to-Site VPN connection doesn't have CloudWatch Logs enabled for both tunnels.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.vpc_vpn_connection_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.vpc_vpn_connection_logging_enabled --share
SQL
This control uses a named query:
with tunnel_logging as ( select distinct arn, count(*) from aws_vpc_vpn_connection, jsonb_array_elements(options -> 'TunnelOptions') as t where (t -> 'LogOptions' -> 'CloudWatchLogOptions' ->> 'LogEnabled')::bool group by arn)select a.arn as resource, case when b.count >= 1 then 'ok' else 'alarm' end as status, case when b.count = 1 then a.title || ' has logging enabled for one tunnel.' when b.count = 2 then a.title || ' has logging enabled for both tunnels.' else a.title || ' has logging disabled for both tunnels.' end as reason , region, account_idfrom aws_vpc_vpn_connection as a left join tunnel_logging as b on a.arn = b.arn;