🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: EC2 VPN connections should have logging enabled

Description

This control checks whether an AWS Site-to-Site VPN connection has Amazon CloudWatch Logs enabled for both tunnels. The control fails if a Site-to-Site VPN connection doesn't have CloudWatch Logs enabled for both tunnels.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.vpc_vpn_connection_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.vpc_vpn_connection_logging_enabled --share

SQL

This control uses a named query:

with tunnel_logging as (
  select
    distinct arn,
    count(*)
  from
    aws_vpc_vpn_connection,
    jsonb_array_elements(options -> 'TunnelOptions') as t
  where
    (t -> 'LogOptions' -> 'CloudWatchLogOptions' ->> 'LogEnabled')::bool
  group by arn
)
select
  a.arn as resource,
  case
    when b.count >= 1 then 'ok'
    else 'alarm'
  end as status,
  case
    when b.count = 1 then a.title || ' has logging enabled for one tunnel.'
    when b.count = 2 then a.title || ' has logging enabled for both tunnels.'
    else a.title || ' has logging disabled for both tunnels.'
  end as reason
  
  , region, account_id
from
  aws_vpc_vpn_connection as a
  left join tunnel_logging as b on a.arn = b.arn;

Tags

category = Compliance
plugin = aws
service = AWS/VPC