
Metric Filter for VPC Flow Logs CloudWatch Log Group

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CWL-018

Ensure that a metric filter matching rejected traffic records is created for the AWS CloudWatch log group assigned to VPC Flow Logs. VPC Flow Logs is a feature that records information about the IP traffic (accepted, rejected or all traffic) going to and from the network interfaces (ENIs) within your VPC. The captured records can be delivered to the Amazon CloudWatch Logs service, where you manage them as you would any other log events collected by CloudWatch Logs. A metric filter defines the terms and patterns to look for in the flow log data as it is sent to CloudWatch Logs; CloudWatch uses the filter to turn matching log events into a numerical metric that you can graph or set an alarm on. Flow log records are space-delimited text, not JSON, so the filter must be a space-delimited pattern that names every field of the record format and pins the action field to REJECT. For the default (version 2) record format this pattern is [version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]; if the flow log uses a custom record format, adjust the field list to match it. Prior to running this rule with the Cloud Conformity engine, the name of the VPC Flow Logs CloudWatch log group, e.g. <vpc_flow_log_group_name>, must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

In order to quantify and have a detailed picture of the rejected IP traffic within your VPC, a metric filter must be created for the CloudWatch log group assigned to the VPC Flow Logs feature. The resulting metric is what a CloudWatch alarm can be set on to notify you of spikes in rejected connections (port scans, blocked exfiltration attempts, misconfigured security groups). Note that the filter can only count what the flow log delivers: the flow log must be configured to capture REJECT or ALL traffic, otherwise no rejected records ever reach the log group.

Note: Make sure that you replace all <vpc_flow_log_group_name> placeholders found in the conformity rule content with the name of your own log group assigned to the VPC Flow Logs.


Audit

To determine if a metric filter that matches the pattern of the rejected traffic is available for the VPC Flow Logs CloudWatch log group, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Metric Filter for VPC Flow Logs CloudWatch Log Group conformity rule settings and copy the name defined for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Log groups to access the log groups available in the current AWS region.

05 Paste the name of your flow log group, copied at step no. 1, into the Filter log groups search box and press Enter. If the search process returns no results, there is no AWS CloudWatch log group assigned to the VPC Flow Logs within the selected AWS region, therefore the audit process ends here. If the search process returns an AWS CloudWatch log group as result, continue the audit with the next step.

06 Select the log group returned at the previous step and click on the <number> filter link, available in the Metric filters column, to access the metric filters created for the selected log group. If the log group does not have any metric filter defined, the filter link will not be displayed on UI.

07 On Filters for <vpc_flow_log_group_name> page, check for a metric filter whose Filter Pattern attribute selects rejected flow log records, i.e. a space-delimited pattern that pins the action field to REJECT; for the default record format this is [version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]. If there is no such entry (a JSON-style pattern such as { $.errorCode = "AccessDenied" } does not count, since flow log records are not JSON and it can never match them), the selected VPC Flow Logs CloudWatch log group does not have a metric filter that matches the pattern of the rejected IP traffic within the VPC.

08 Change the AWS region from the navigation bar and repeat steps no. 5 – 7 to check the metric filters created for other VPC Flow Logs CloudWatch log groups available in other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Metric Filter for VPC Flow Logs CloudWatch Log Group conformity rule settings and copy the name defined for your flow log group (e.g. <vpc_flow_log_group_name>).

02 Run describe-log-groups command (OSX/Linux/UNIX) using custom query filters to list the metadata for the specified VPC Flow Logs CloudWatch log group. Replace <vpc_flow_log_group_name> with the name of your own flow log group copied at the previous step:

aws logs describe-log-groups \
	--region us-east-1 \
	--query "logGroups[?logGroupName == '<vpc_flow_log_group_name>']"

03 The command request should return one of the following outputs:

  1. If describe-log-groups command output returns an empty array (i.e. []), as shown in the example below, there is no AWS CloudWatch log group assigned to the VPC Flow Logs available in the selected AWS region, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns the requested metadata for the specified flow log group, as shown in the example below, the verified log group represents a VPC Flow Logs CloudWatch log group, therefore the audit process continues with the next step:
    [
        {
            "arn": "arn:aws:logs:us-east-1:123456789012:log-group:<vpc_flow_log_group_name>:*",
            "creationTime": 1522477921004,
            "metricFilterCount": 0,
            "logGroupName": "<vpc_flow_log_group_name>",
            "storedBytes": 0
        }
    ]
    

04 Run describe-metric-filters command (OSX/Linux/UNIX) using the name of the flow log group verified at the previous step as identifier and custom query filters to list the metric filters attached to the selected log group:

aws logs describe-metric-filters \
	--region us-east-1 \
	--log-group-name <vpc_flow_log_group_name> \
	--query "metricFilters"

05 The command output should return the metadata of the metric filters created for the specified log group, or an empty array if there are none:

[]

If the describe-metric-filters command output returns an empty array (i.e. []), as shown in the example above, or none of the returned filters has a "filterPattern" attribute that selects rejected flow log records (for the default record format: "[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]"), the selected VPC Flow Logs CloudWatch log group does not have a metric filter that matches the pattern of the rejected traffic inside the VPC. A filter carrying a JSON pattern such as "{ $.errorCode = \"AccessDenied\" }" does not satisfy the rule, because flow log records are space-delimited text and that pattern never matches them.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 to check the metric filters created for other VPC Flow Logs CloudWatch log groups available within other regions.
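The audit above relies on reading filter patterns by eye. The following script, added here as an illustration and not part of the Conformity rule or the AWS CLI, evaluates metric filter patterns against constructed default-format flow log records the way CloudWatch Logs does, so you can see what a given pattern would actually count before attaching it, and feeds the JSON returned by describe-metric-filters to a check that decides whether a log group already has a REJECT filter. It implements only the subset of the filter syntax needed here (space-delimited patterns with name="value" terms, and single-key JSON patterns); the sample record lines and the has_reject_filter helper are assumptions made for the example.

```python
"""Evaluate CloudWatch Logs metric filter patterns against VPC Flow Log records.

Added example, not Conformity's or AWS's code. It covers the two pattern styles
that appear in this rule: space-delimited patterns such as
[version, ..., action="REJECT", flowlogstatus] and JSON patterns such as
{ $.errorCode = "AccessDenied" }, applied to default (version 2) flow log records.
"""
import json
import re

# Constructed sample records in the default VPC Flow Logs (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 53214 22 6 1 40 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 53215 3389 6 1 40 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA",
]

# Pattern that selects rejected records: every field named, action pinned to REJECT.
REJECT_PATTERN = ('[version, account, eni, source, destination, srcport, destport, '
                  'protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]')
# CloudTrail-style JSON pattern, kept here to show that it never matches a flow log record.
JSON_PATTERN = '{ $.errorCode = "AccessDenied" }'

_SPACE_TERM = re.compile(r'^\s*(\w+)\s*(?:(=|!=)\s*"([^"]*)")?\s*$')
_JSON_TERM = re.compile(r'^\{\s*\$\.(\w+)\s*=\s*"([^"]*)"\s*\}$')


def match_space_delimited(pattern, record):
    """Match a [f1, f2, name="value", ...] pattern as CloudWatch does: the record
    must have exactly as many whitespace-separated fields as the pattern names,
    and every name="value" / name!="value" term must hold for its field."""
    terms = pattern.strip()[1:-1].split(",")
    fields = record.split()
    if len(fields) != len(terms):
        return False
    for term, value in zip(terms, fields):
        m = _SPACE_TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        _, op, want = m.groups()
        if op == "=" and value != want:
            return False
        if op == "!=" and value == want:
            return False
    return True


def match_json(pattern, record):
    """Match a { $.key = "value" } pattern: the record must parse as a JSON object
    containing that key with that value. Flow log records are plain text, so this
    returns False for every one of them."""
    m = _JSON_TERM.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    key, want = m.groups()
    try:
        doc = json.loads(record)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get(key) == want


def match(pattern, record):
    """Dispatch on the pattern style ([...] space-delimited or {...} JSON)."""
    p = pattern.strip()
    if p.startswith("["):
        return match_space_delimited(p, record)
    if p.startswith("{"):
        return match_json(p, record)
    raise ValueError(f"unsupported pattern: {pattern!r}")


def count_matches(pattern, records):
    """Number of records a metric filter with this pattern would count
    (metricValue=1 per matching event)."""
    return sum(1 for r in records if match(pattern, r))


def has_reject_filter(describe_output, records=SAMPLE_RECORDS):
    """Audit check (assumed helper): given the JSON returned by
    `aws logs describe-metric-filters`, report whether any filter actually
    counts rejected records, i.e. matches at least one REJECT sample and
    nothing that is not a REJECT (action is field index 12 in the v2 format)."""
    for f in describe_output.get("metricFilters", []):
        pat = f.get("filterPattern", "")
        try:
            hits = [r for r in records if match(pat, r)]
        except ValueError:
            continue  # pattern syntax this toy evaluator does not support
        if hits and all(r.split()[12] == "REJECT" for r in hits):
            return True
    return False


if __name__ == "__main__":
    print("JSON pattern matches  :", count_matches(JSON_PATTERN, SAMPLE_RECORDS))
    print("REJECT pattern matches:", count_matches(REJECT_PATTERN, SAMPLE_RECORDS))
```

Run it as-is to see that the JSON pattern counts nothing while the REJECT pattern counts the two rejected samples; to audit a real log group, pipe the output of describe-metric-filters (without the --query parameter) through json.load and pass it to has_reject_filter. If your flow log uses a custom record format, change SAMPLE_RECORDS and the field list in REJECT_PATTERN to that format before trusting the result.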

Remediation / Resolution

To create the necessary metric filter and attach it to the VPC Flow Logs CloudWatch log group available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, click Log groups to access the log groups available in the current AWS region.

04 Select the VPC Flow Logs CloudWatch log group that you want to configure (see Audit section step no. 1 to identify the right log group) and click on the <number> filter link, available in the Metric filters column, to access the metric filters page for the selected group. If the log group does not have any metric filter defined, the filter link will not be displayed on UI.

05 On Filters for <vpc_flow_log_group_name> page, click Create metric filter to initiate the metric filter setup process.

06 On Create metric filter and Define pattern step, in the Filter Pattern box, enter a space-delimited pattern that pins the action field to REJECT; for the default (version 2) flow log record format, enter: [version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]. If the flow log uses a custom format, list its fields in the same order instead. Use the Test pattern section with a few records from the log group to confirm that only REJECT records match. Click Next to continue the process.

07 On Create metric filter and Assign metric step, provide a name for the selected filter in the Filter Name box, a name to group similar metrics in the Metric namespace box, a unique name for the assigned metric within the Metric Name box and 1 in the Metric value box, so that each matching (rejected) record increments the metric by one. Click Next to continue the process.

08 On Create metric filter and Review and create step, review it then click Create metric filter to generate the new metric filter that matches the pattern of the rejected IP traffic and attach it to the AWS CloudWatch log group assigned to VPC Flow Logs.

Using AWS CLI

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the required metric filter and associate it with the specified CloudWatch log group (see Audit section step no. 2 to identify the right log group). The following command example creates a metric filter that matches rejected records in the default (version 2) flow log format, with a filter named "cc-vpc-flow-log-filter" and a metric named "cc-vpc-flow-log-metric" published in the "LogMetrics" namespace, and adds it to a VPC Flow Logs CloudWatch log group named "<vpc_flow_log_group_name>" available in the US East (N. Virginia) region. Replace <vpc_flow_log_group_name> with the name of your own flow log group, and adjust the field list if your flow log uses a custom record format (the command does not produce an output):

aws logs put-metric-filter \
	--region us-east-1 \
	--log-group-name <vpc_flow_log_group_name> \
	--filter-name cc-vpc-flow-log-filter \
	--filter-pattern '[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]' \
	--metric-transformations metricName=cc-vpc-flow-log-metric,metricNamespace=LogMetrics,metricValue=1


Publication date Mar 31, 2018