Flow Log Enabled and Configured

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Flow Log is enabled and configured to send logging data to Simple Log Service (SLS). Flow Log is a logging feature that enables users to capture information about the IP traffic (accepted, rejected, or all traffic) going to and from an Elastic Network Interface (ENI), a Virtual Private Cloud (VPC), or a Virtual Switch (VSwitch). The logging data is stored in the Simple Log Service (SLS), where you can view and analyze IP traffic information.

Security

Integrating Flow Log with Simple Log Service (SLS) in Alibaba Cloud lets you analyze your network traffic. SLS stores the flow data captured by Flow Log, which includes details such as source, destination, and bandwidth usage. This allows you to monitor network activity, troubleshoot issues, and identify security threats, all within a centralized logging service. Centralized flow data strengthens overall network security and supports regulatory compliance requirements.


Audit

To determine if the Flow Log feature is enabled and properly configured, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Virtual Private Cloud (VPC) console available at https://vpc.console.aliyun.com/overview.

03 In the left navigation panel, under O&M and Monitoring, choose Flow Log to view the flow logs created for your network resources.

04 Select the cloud region to which the target flow log belongs, from the top navigation bar.

05 Choose the flow log that you want to examine and click on the link (name) of the associated SLS Logstore, listed in the Simple Log Service column. If the Simple Log Service (SLS) console returns the LogStoreNotExist error (Error logstore [logstore-name] does not exist), the associated SLS Logstore no longer exists and the flow log can no longer store logging data for analysis and troubleshooting.

06 Repeat step no. 5 for each flow log available within the selected cloud region.

07 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run the DescribeFlowLogs command (OSX/Linux/UNIX) to describe the flow logs created for your network resources in the specified cloud region:

aliyun vpc DescribeFlowLogs --RegionId 'eu-west-1'

02 The command output should return the requested flow log information. If the "Status" attribute value is set to "Active", i.e. the flow log is enabled, you can continue the Audit process with the next step:

{
	"FlowLogs": {
		"FlowLog": [
			{
				"AggregationInterval": 10,
				"BusinessStatus": "Normal",
				"CreationTime": "2024-03-04T18:17:35Z",
				"Description": "",
				"FlowLogId": "fl-abcdabcdabcdabcdabcda",
				"FlowLogName": "tm-vpc-flow-log",
				"LogStoreName": "tm-sls-main-project-logstore",
				"ProjectName": "tm-sls-main-project",
				"RegionId": "eu-west-1",
				"ResourceGroupId": "rg-acfnxlcebtszdza",
				"ResourceId": "vpc-1234abcd1234abcd1234a",
				"ResourceType": "VPC",
				"Status": "Active",
				"FlowLogDeliverStatus": "FAILED",
				"TrafficPath": {
					"TrafficPathList": [
						"all"
					]
				},
				"TrafficType": "All"
			}
		]
	},
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"Success": true,
	"TotalCount": 1
}

03 Install and configure Simple Log Service (SLS) CLI. SLS CLI is a dedicated command-line tool for Alibaba Cloud's Simple Log Service (SLS).

04 Run the get_logstore command (OSX/Linux/UNIX) to describe the configuration of the Simple Log Service (SLS) Logstore that stores the log data for your network flow log, using the ProjectName and LogStoreName values returned in the previous step:

aliyunlog log get_logstore \
  --project_name=tm-sls-main-project \
  --logstore_name=tm-sls-main-project-logstore \
  --format-output=json

05 The command output should return the requested configuration information, or an error response if the Logstore cannot be found:

{
	"errorCode": "LogStoreNotExist",
	"errorMessage": "logstore tm-sls-main-project-logstore does not exist",
	"requestId": "ABCDABCDABCDABCDABCD"
}

If the get_logstore command output returns the LogStoreNotExist error, as shown in the output example above, the associated SLS Logstore no longer exists and the flow log can no longer store logging data for analysis and troubleshooting.

06 Repeat steps no. 4 and 5 for each flow log available in the selected cloud region.

07 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To ensure that the Flow Log feature is enabled and properly configured within your Alibaba Cloud account, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Virtual Private Cloud (VPC) console available at https://vpc.console.aliyun.com/overview.

03 In the left navigation panel, under O&M and Monitoring, choose Flow Log.

04 Select the cloud region to which the source flow log belongs, from the top navigation bar.

05 The SLS project and Logstore of an existing flow log cannot be changed directly. To ensure that the Flow Log feature is enabled and properly configured, you must re-create your flow log with a new SLS project and Logstore. On the Flow Log page, choose Create a flow log to initiate the flow log setup process.

06 In the Create a flow log setup box, perform the following actions:

  1. For Flow Log Name, provide a unique name for your new flow log.
  2. For Resource Type, choose the target network resource type.
  3. For Resource Group, choose the appropriate resource group.
  4. For Resource Instance, select the network resource from which you want to capture traffic information (must match the network resource used by the source flow log).
  5. (Optional) Use the Tag Key and Tag Value fields to add tags to the new flow log resource.
  6. For Data Transfer Type, choose the type of traffic information that you want to capture. All Traffic captures all traffic information from the specified network resource. Allowed Traffic captures only information about traffic that is allowed to the specified network resource. Denied Traffic captures only information about traffic that is denied by the specified network resource.
  7. For Project, choose Create Project to create a new Simple Log Service project to store captured traffic information. Provide a name for the new project in the Project name box.
  8. For Logstore, choose Create Logstore to create a new Simple Log Service logstore to store captured traffic information. Enter a name for your new logstore in the Logstore name box.
  9. For Enable Log Analysis Report, choose whether to enable Simple Log Service indexing and create a dedicated dashboard for the logstore.
  10. For Sampling Interval (Minutes), specify the flow log sampling interval.
  11. For Description, provide a short description for the flow log.
  12. Choose OK to create your new flow log.

07 Repeat steps no. 5 and 6 for each flow log that you want to redeploy, available within the selected cloud region.

08 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Install and configure Simple Log Service (SLS) CLI. SLS CLI is a dedicated command-line tool for Alibaba Cloud's Simple Log Service (SLS).

02 Run the create_project command (OSX/Linux/UNIX) to create the Simple Log Service (SLS) project that will manage the Logstore for your flow log (the command does not produce an output):

aliyunlog log create_project \
  --project_name=tm-sls-new-project \
  --project_des="SLS Project for Flow Log data" \
  --region-endpoint=eu-west-1.log.aliyuncs.com

03 Run the create_logstore command (OSX/Linux/UNIX) to create a new Simple Log Service (SLS) Logstore for your flow log (the command does not produce an output):

aliyunlog log create_logstore \
  --project_name=tm-sls-new-project \
  --logstore_name=tm-sls-new-project-logstore

04 Run the CreateFlowLog command (OSX/Linux/UNIX) to create a new flow log and enable the Flow Log feature for the specified network resource. The following command example creates a flow log that captures all traffic information from the ENIs within the VPC network specified by the --ResourceId parameter, using a sampling interval of 10 minutes, and sends the captured traffic data to the SLS project and logstore created in the previous steps, specified by the --ProjectName and --LogStoreName parameters:

aliyun vpc CreateFlowLog \
  --RegionId 'eu-west-1' \
  --FlowLogName 'tm-new-vpc-flow-log' \
  --Description 'Flow Log for VPC Network' \
  --ResourceType VPC \
  --ResourceId 'vpc-d7ow8c36gk8yyj18iyq3g' \
  --TrafficType All \
  --ProjectName 'tm-sls-new-project' \
  --LogStoreName 'tm-sls-new-project-logstore' \
  --AggregationInterval 10

05 The command output should return the ID of the new flow log and the completion status. If "Success" is set to true, a new flow log was successfully created:

{
	"FlowLogId": "fl-abcdabcdabcdabcdabcda",
	"Success": true,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

06 Repeat steps no. 2 - 5 for each flow log that you want to redeploy, available in the selected cloud region.

07 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.
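The CLI Audit procedure and the CLI Remediation procedure above can be driven from one script. The following is an added example written for this page, not Conformity's own code: it issues the same aliyun and aliyunlog commands shown in the two procedures, evaluates the DescribeFlowLogs and get_logstore responses the way steps 02 and 05 of the Audit describe, and re-creates a non-compliant flow log against a fresh SLS project and Logstore. The helper names, the replay runner, and the constructed responses (copied from the sample outputs on this page) are this example's own; the treatment of FlowLogDeliverStatus as an extra signal is also the example's addition, not part of the rule.

```python
"""Audit and remediate Alibaba Cloud Flow Log SLS configuration (added example).

Not Conformity's code. Commands and JSON fields are the ones shown on the page;
helper names, the replay runner and the constructed responses are this example's.
"""
import json
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]  # executes a CLI argv and returns its JSON text


def run_cli(argv: List[str]) -> str:
    """Run the real CLI. aliyunlog reports a missing Logstore as a JSON error object
    with a non-zero exit code, so the exit code is not raised on; assumption: the
    JSON is on whichever of stdout/stderr is non-empty."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout or proc.stderr


def describe_flow_logs(region: str, run: Runner) -> List[Dict]:
    """Audit step 01: aliyun vpc DescribeFlowLogs --RegionId <region>."""
    out = run(["aliyun", "vpc", "DescribeFlowLogs", "--RegionId", region])
    return json.loads(out)["FlowLogs"]["FlowLog"]


def get_logstore(project: str, logstore: str, run: Runner) -> Dict:
    """Audit step 04: aliyunlog log get_logstore for the flow log's Logstore."""
    out = run(["aliyunlog", "log", "get_logstore", f"--project_name={project}",
               f"--logstore_name={logstore}", "--format-output=json"])
    return json.loads(out)


def evaluate_flow_log(flow_log: Dict, logstore_response: Dict) -> Dict:
    """Audit steps 02 and 05: Status must be Active and the Logstore must exist."""
    problems = []
    if flow_log.get("Status") != "Active":
        problems.append(f"Status is {flow_log.get('Status')!r}, not 'Active'")
    if logstore_response.get("errorCode") == "LogStoreNotExist":
        problems.append(f"SLS Logstore {flow_log['ProjectName']}/"
                        f"{flow_log['LogStoreName']} does not exist")
    elif "errorCode" in logstore_response:
        problems.append(f"get_logstore failed: {logstore_response['errorCode']}")
    # Extra signal from the same DescribeFlowLogs output (example's addition):
    # FAILED delivery means records are not reaching SLS even if the Logstore exists.
    if flow_log.get("FlowLogDeliverStatus") == "FAILED":
        problems.append("FlowLogDeliverStatus is FAILED")
    return {"FlowLogId": flow_log["FlowLogId"], "compliant": not problems,
            "problems": problems}


def audit_region(region: str, run: Runner = run_cli) -> List[Dict]:
    """Audit steps 01-06 for one region; loop over regions for step 07."""
    return [evaluate_flow_log(fl, get_logstore(fl["ProjectName"], fl["LogStoreName"], run))
            for fl in describe_flow_logs(region, run)]


def remediate_flow_log(flow_log: Dict, name: str, project: str, logstore: str,
                       run: Runner = run_cli) -> str:
    """Remediation steps 02-05: new SLS project and Logstore, then a replacement flow
    log on the same resource, traffic type and interval. Returns the new FlowLogId."""
    region = flow_log["RegionId"]
    run(["aliyunlog", "log", "create_project", f"--project_name={project}",
         "--project_des=SLS Project for Flow Log data",
         f"--region-endpoint={region}.log.aliyuncs.com"])
    run(["aliyunlog", "log", "create_logstore", f"--project_name={project}",
         f"--logstore_name={logstore}"])
    out = json.loads(run([
        "aliyun", "vpc", "CreateFlowLog", "--RegionId", region, "--FlowLogName", name,
        "--ResourceType", flow_log["ResourceType"], "--ResourceId", flow_log["ResourceId"],
        "--TrafficType", flow_log["TrafficType"], "--ProjectName", project,
        "--LogStoreName", logstore, "--AggregationInterval", str(flow_log["AggregationInterval"])]))
    if not out.get("Success"):
        raise RuntimeError(f"CreateFlowLog failed: {out}")
    return out["FlowLogId"]


# Constructed replay of the sample CLI outputs shown on the page, so the example runs
# offline; keep the default run_cli to work against a real account.
PAGE_OUTPUTS = {
    "DescribeFlowLogs": json.dumps({"FlowLogs": {"FlowLog": [{
        "AggregationInterval": 10, "FlowLogId": "fl-abcdabcdabcdabcdabcda",
        "FlowLogName": "tm-vpc-flow-log", "LogStoreName": "tm-sls-main-project-logstore",
        "ProjectName": "tm-sls-main-project", "RegionId": "eu-west-1",
        "ResourceId": "vpc-1234abcd1234abcd1234a", "ResourceType": "VPC",
        "Status": "Active", "FlowLogDeliverStatus": "FAILED", "TrafficType": "All"}]},
        "Success": True, "TotalCount": 1}),
    "get_logstore": json.dumps({"errorCode": "LogStoreNotExist",
        "errorMessage": "logstore tm-sls-main-project-logstore does not exist"}),
    "create_project": "", "create_logstore": "",  # page: these produce no output
    "CreateFlowLog": json.dumps({"FlowLogId": "fl-abcdabcdabcdabcdabcda", "Success": True}),
}


def replay_page_outputs(argv: List[str]) -> str:
    """Runner that answers each command (argv[2]) with the page's sample output."""
    return PAGE_OUTPUTS[argv[2]]


if __name__ == "__main__":
    for finding in audit_region("eu-west-1", run=replay_page_outputs):
        print(json.dumps(finding, indent=2))
```

Against the page's own sample outputs the audit reports the single flow log as non-compliant because its Logstore returns LogStoreNotExist; with the default run_cli the same functions drive the real CLIs, and audit_region can be called once per RegionId to cover step 07 of each procedure.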

Publication date Apr 26, 2024