Enable VPC Flow Log

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Flow Log feature is enabled for all your Virtual Private Cloud (VPC) networks. Flow Log is a logging feature that enables users to capture information about the IP traffic (accepted, rejected, or all traffic) going to and from network resources such as VPC networks, VSwitches, and ECS instances. The logging data is stored in the Simple Log Service (SLS), where you can view and analyze IP traffic information.

Security

Enabling Flow Log for your Virtual Private Cloud (VPC) networks provides essential visibility into network traffic, aiding in network security analysis and forensics, troubleshooting, expense optimization, and compliance adherence. It allows monitoring of inbound and outbound traffic, helping detect unauthorized access attempts, analyzing network behavior, and facilitating incident response. This enhances overall network security and ensures regulatory compliance.


Audit

To determine if the Flow Log feature is enabled for your VPC networks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Virtual Private Cloud (VPC) console available at https://vpc.console.aliyun.com/overview.

03 In the left navigation panel choose VPC to access Virtual Private Cloud (VPC) networks.

04 Select the cloud region where your VPC networks reside from the top navigation bar.

05 Click on the ID (link) of the VPC network that you want to examine, listed in the Instance ID/Name column.

06 Select the Resource Management tab and check the Flow Log attribute value, listed in the VPC Resources section. If the Flow Log value is set to 0 (zero), there are no flow logs created for your VPC, therefore the Flow Log feature is not enabled for the selected Virtual Private Cloud (VPC) network.

07 Repeat steps no. 5 and 6 for each VPC network available within the selected cloud region.

08 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run the DescribeVpcs command (OSX/Linux/UNIX) to describe the configuration information available for each Virtual Private Cloud (VPC) in the specified cloud region:

aliyun vpc DescribeVpcs --RegionId 'eu-west-1'

02 The command output should return the requested configuration details (including the VPC ID, i.e. "VpcId" value):

{
	"Vpcs": {
		"Vpc": [
			{
				"VpcName": "",
				"VpcId": "vpc-abcd1234abcd1234abcda",
				"AdvancedResource": false,
				"CidrBlock": "172.16.0.0/12",
				"CreationTime": "2024-01-25T08:27:25Z",
				"Description": "",
				"Ipv6CidrBlock": "",
				"IsDefault": true,
				"NatGatewayIds": {
					"NatGatewayIds": []
				},
				"NetworkAclNum": 0,
				"OwnerId": 5780405407814116,
				"RegionId": "eu-west-1",
				"ResourceGroupId": "rg-abcd1234abcd1234",
				"RouterTableIds": {
					"RouterTableIds": [
						"vtb-abcd1234abcd1234abcd"
					]
				},
				"SecondaryCidrBlocks": {
					"SecondaryCidrBlock": []
				},
				"Status": "Available",
				"UserCidrs": {
					"UserCidr": []
				},
				"VRouterId": "vrt-abcd1234abcd1234abcd",
				"VSwitchIds": {
					"VSwitchId": [
						"vsw-1234abcd1234abcd1234"
					]
				}
			}
		]
	},
	"PageNumber": 1,
	"PageSize": 10,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 1
}

03 Run DescribeFlowLogs command (OSX/Linux/UNIX) using the ID of the Virtual Private Cloud (VPC) that you want to examine as the identifier parameter, to describe the flow logs created for the selected VPC network:

aliyun vpc DescribeFlowLogs --RegionId 'eu-west-1' --VpcId 'vpc-abcd1234abcd1234abcda'

04 The command output should return the requested information:

{
	"FlowLogs": {
		"FlowLog": []
	},
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"Success": true,
	"TotalCount": 0
}

Check the "FlowLog" attribute value to identify the flow logs created for the specified resource. If the "FlowLog" value is an empty array (i.e. []), as shown in the example above, there are no flow logs created for your VPC, therefore the Flow Log feature is not enabled for the selected Virtual Private Cloud (VPC) network.

05 Repeat steps no. 3 and 4 for each VPC network available in the selected cloud region.

06 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Flow Log feature for your Virtual Private Cloud (VPC) networks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Virtual Private Cloud (VPC) console available at https://vpc.console.aliyun.com/overview.

03 In the left navigation panel, under O&M and Monitoring, choose Flow Log.

04 Select the cloud region where your VPC networks reside from the top navigation bar.

05 If you are creating a VPC flow log for the first time, choose Authorize Now and select Confirm Authorization Policy. You must complete the authorization process to ensure that the flow log data can be imported to Simple Log Service.

06 Choose Enable Now, select the Terms of Service checkbox, and choose Enable Flow Log to activate the Flow Log feature for the selected Virtual Private Cloud (VPC).

07 Choose Create a flow log to initiate the flow log setup process.

08 In the Create a flow log setup box, perform the following actions:

  1. For Flow Log Name, provide a unique name for your new flow log.
  2. For Resource Type choose VPC. The new flow log will capture traffic from all ENIs in the specified VPC.
  3. For Resource Group choose the appropriate resource group.
  4. For Resource Instance select the VPC network from which you want to capture traffic information.
  5. (Optional) Use the Tag Key and Tag Value fields to add tags to the new flow log resource.
  6. For Data Transfer Type, choose the type of traffic information that you want to capture. All Traffic captures all traffic information from the specified VPC. Allowed Traffic captures only information about traffic that is allowed by security group rules and NACL rules of the specified VPC. Denied Traffic captures only information about traffic that is denied by security group rules and NACL rules of the specified VPC.
  7. For Project, choose Create Project to create a new Simple Log Service project to store captured traffic information. Provide a name for the new project in the Project name box.
  8. For Logstore, choose Create Logstore to create a new Simple Log Service logstore to store captured traffic information. Enter a name for your new logstore in the Logstore name box.
  9. For Enable Log Analysis Report, choose whether to enable the Simple Log Service indexing and create a dedicated dashboard for the logstore.
  10. For Sampling Interval (Minutes), specify the flow log sampling interval.
  11. For Description, provide a short description for the flow log.
  12. Choose OK to create your new VPC flow log.

09 Repeat steps no. 7 and 8 for each VPC network available within the selected cloud region.

10 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Run CreateFlowLog command (OSX/Linux/UNIX) to create a new flow log and enable the Flow Log feature for the specified Virtual Private Cloud (VPC) network. The following command example creates a flow log that captures all traffic information from the ENIs within the VPC network specified by the --ResourceId parameter, using a sampling interval of 10 minutes, and sends the captured traffic data to the Simple Log Service project and logstore specified by the --ProjectName and --LogStoreName parameters:

aliyun vpc CreateFlowLog \
  --RegionId 'eu-west-1' \
  --FlowLogName 'tm-vpc-flow-log' \
  --Description 'Flow Log for VPC Network' \
  --ResourceType VPC \
  --ResourceId 'vpc-abcd1234abcd1234abcda' \
  --TrafficType All \
  --ProjectName 'tm-vpc-flow-logs-project' \
  --LogStoreName 'tm-vpc-flow-logs-logstore' \
  --AggregationInterval 10

02 The command output should return the ID of the new flow log and the completion status. If "Success" is set to true, a new flow log was successfully created:

{
	"FlowLogId": "fl-abcdabcdabcdabcdabcda",
	"Success": true,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Repeat steps no. 1 and 2 for each VPC network available within the selected cloud region.

04 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.
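The CLI audit (DescribeVpcs, then DescribeFlowLogs per VPC, repeated per region) and the CLI remediation (CreateFlowLog for every VPC without a flow log) above are one loop when automated. The script below is an added example and is not Conformity's or Alibaba Cloud's own code. It applies the page's criterion (an empty "FlowLog" array means the feature is not enabled) to the JSON the aliyun CLI prints, pages through DescribeVpcs, and builds the CreateFlowLog argument list for each non-compliant VPC. Assumptions beyond the page: the aliyun CLI is installed and configured for the live path; DescribeVpcs accepts --PageNumber/--PageSize; DescribeFlowLogs entries carry a "Status" field ("Active"/"Inactive"), which is used only to flag existing-but-inactive flow logs for review. The sample responses are constructed to follow the shapes shown on the page.

```python
"""Audit Alibaba Cloud VPCs for Flow Log coverage and plan CreateFlowLog remediation.

Added example, not Conformity or Alibaba Cloud code. Decision logic works on the JSON
shapes printed by `aliyun vpc DescribeVpcs` / `aliyun vpc DescribeFlowLogs`; the live
path shells out to the aliyun CLI (assumed installed and configured).
"""
import json
import subprocess
from typing import Callable, Dict, List


def aliyun(*args: str) -> dict:
    """Run an aliyun CLI command and parse its JSON output (live path; assumes aliyun is configured)."""
    proc = subprocess.run(["aliyun", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def vpc_ids(describe_vpcs: dict) -> List[str]:
    """Extract the "VpcId" values from one DescribeVpcs response page."""
    return [v["VpcId"] for v in describe_vpcs["Vpcs"]["Vpc"]]


def flow_log_status(describe_flow_logs: dict) -> str:
    """Classify a DescribeFlowLogs response for one VPC.

    'missing'  - "FlowLog" is an empty array: the page's non-compliant condition
    'inactive' - flow logs exist but none reports Status "Active" (Status field is an
                 assumption from the API, not shown on the page; absent Status is treated as Active)
    'ok'       - at least one active flow log
    """
    logs = describe_flow_logs["FlowLogs"]["FlowLog"]
    if not logs:
        return "missing"
    if not any(fl.get("Status", "Active") == "Active" for fl in logs):
        return "inactive"
    return "ok"


def create_flow_log_argv(region: str, vpc_id: str, project: str, logstore: str,
                         name: str, traffic_type: str = "All", interval: int = 10) -> List[str]:
    """Build the CreateFlowLog argv mirroring the page's remediation command (all traffic, 10-minute interval)."""
    return ["aliyun", "vpc", "CreateFlowLog",
            "--RegionId", region,
            "--FlowLogName", name,
            "--Description", f"Flow Log for VPC Network {vpc_id}",
            "--ResourceType", "VPC",
            "--ResourceId", vpc_id,
            "--TrafficType", traffic_type,
            "--ProjectName", project,
            "--LogStoreName", logstore,
            "--AggregationInterval", str(interval)]


def audit_region(region: str, fetch: Callable[..., dict] = aliyun) -> Dict[str, str]:
    """Return {vpc_id: status} for every VPC in the region, paging through DescribeVpcs.

    `fetch` is injectable so the logic can run offline against canned responses.
    --PageNumber/--PageSize are assumed DescribeVpcs parameters (not shown on the page).
    """
    results: Dict[str, str] = {}
    page = 1
    while True:
        resp = fetch("vpc", "DescribeVpcs", "--RegionId", region,
                     "--PageNumber", str(page), "--PageSize", "50")
        for vpc in vpc_ids(resp):
            fl = fetch("vpc", "DescribeFlowLogs", "--RegionId", region, "--VpcId", vpc)
            results[vpc] = flow_log_status(fl)
        if page * resp["PageSize"] >= resp["TotalCount"]:
            break
        page += 1
    return results


def plan_remediation(region: str, project: str, logstore: str,
                     fetch: Callable[..., dict] = aliyun) -> List[List[str]]:
    """Audit the region and return one CreateFlowLog argv per VPC with no flow log at all."""
    findings = audit_region(region, fetch)
    return [create_flow_log_argv(region, vpc, project, logstore, f"tm-vpc-flow-log-{vpc}")
            for vpc, status in findings.items() if status == "missing"]


# Constructed sample responses following the shapes shown on the page (not real resources).
SAMPLE_VPCS = {"Vpcs": {"Vpc": [{"VpcId": "vpc-abcd1234abcd1234abcda", "RegionId": "eu-west-1"},
                                {"VpcId": "vpc-1234abcd1234abcd1234a", "RegionId": "eu-west-1"}]},
               "PageNumber": 1, "PageSize": 50, "TotalCount": 2}
SAMPLE_FLOW_LOGS = {
    "vpc-abcd1234abcd1234abcda": {"FlowLogs": {"FlowLog": []}, "TotalCount": 0, "Success": True},
    "vpc-1234abcd1234abcd1234a": {"FlowLogs": {"FlowLog": [{"FlowLogId": "fl-abcdabcdabcdabcdabcda",
                                                           "Status": "Active"}]},
                                  "TotalCount": 1, "Success": True},
}


def canned_fetch(*args: str) -> dict:
    """Offline stand-in for the aliyun CLI, answering from the constructed samples."""
    if "DescribeVpcs" in args:
        return SAMPLE_VPCS
    return SAMPLE_FLOW_LOGS[args[args.index("--VpcId") + 1]]


if __name__ == "__main__":
    for vpc, status in audit_region("eu-west-1", canned_fetch).items():
        print(vpc, status)
    # Swap canned_fetch for aliyun and pass each argv to subprocess.run to remediate for real.
    for argv in plan_remediation("eu-west-1", "tm-vpc-flow-logs-project",
                                 "tm-vpc-flow-logs-logstore", canned_fetch):
        print(" ".join(argv))
```

Run it with `canned_fetch` first to see the classification and the planned commands; swap in `aliyun` and loop over the regions you use to audit live. Only VPCs with status 'missing' are planned for remediation; 'inactive' findings are reported for review rather than acted on, since creating a second flow log beside an inactive one is a decision the operator should make.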

Publication date Apr 30, 2024