Ensure that a metric filter matching the pattern of rejected traffic is created for the AWS CloudWatch log group assigned to VPC Flow Logs. VPC Flow Logs is a feature that enables you to record information about the IP traffic (accepted, rejected or all traffic) going to and from the network interfaces (ENIs) available within your VPC. The captured log data is stored using the Amazon CloudWatch Logs service, and you can manage flow log records as you would any other log events collected by CloudWatch Logs. A metric filter defines the terms and patterns to look for in the flow log data as it is sent to AWS CloudWatch Logs. CloudWatch uses this metric filter to turn log data into numerical metrics that you can graph or set an alarm on. Before the Cloud Conformity engine runs this rule, the name of the VPC Flow Logs CloudWatch log group, e.g. <vpc_flow_log_group_name>, must be configured in the rule settings on your Cloud Conformity account dashboard.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
To quantify and gain a detailed picture of the rejected IP traffic within your VPC, a metric filter must be created for the CloudWatch log group assigned to the VPC Flow Logs feature.
Note: Make sure that you replace every <vpc_flow_log_group_name> placeholder found in the conformity rule content with the name of your own log group assigned to the VPC Flow Logs.
Audit
To determine if a metric filter that matches the pattern of the rejected traffic is available for the VPC Flow Logs CloudWatch log group, perform the following actions:
Remediation / Resolution
To create the necessary metric filter and attach it to the VPC Flow Logs CloudWatch log group available in your AWS account, perform the following actions:
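The following is an added example, not Cloud Conformity's or AWS's code: it applies a space-delimited filter pattern that selects REJECT records to constructed VPC Flow Log lines (v2 default format) the way CloudWatch Logs evaluates a metric filter, and builds the corresponding `aws logs put-metric-filter` argument list for the remediation. The filter and metric names and the sample records are assumptions; `<vpc_flow_log_group_name>` stays a placeholder.

```python
# Added example (not Cloud Conformity's or AWS's code): local evaluation of a
# rejected-traffic metric filter over VPC Flow Log records, plus the CLI call.
import re

# Every flow log field is named; only `action` is constrained, to REJECT.
REJECT_PATTERN = ('[version, account, eni, source, destination, srcport, '
                  'destport, protocol, packets, bytes, windowstart, '
                  'windowend, action="REJECT", flowlogstatus]')

# Constructed records: one accepted flow, two rejected, one NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 45678 443 6 10 840 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51234 22 6 3 180 1620000000 1620000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1620000000 1620000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.11 40000 3389 6 1 60 1620000000 1620000060 REJECT OK",
]

TERM_RE = re.compile(r'^(\w+)(?:="([^"]*)")?$')  # name  or  name="value"

def parse_pattern(pattern):
    """[(field, required_value_or_None), ...]; supports the subset of the
    syntax used above (bare names and name="value"), not ellipsis or ranges."""
    terms = []
    for raw in pattern.strip()[1:-1].split(','):
        m = TERM_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported term: {raw!r}")
        terms.append((m.group(1), m.group(2)))
    return terms

def matches(terms, line):
    """A record matches only if its field count equals the term count and
    every constrained term holds (so NODATA records with '-' are excluded)."""
    fields = line.split()
    return len(fields) == len(terms) and all(
        req is None or val == req for (_, req), val in zip(terms, fields))

def count_matches(lines, pattern=REJECT_PATTERN):
    """Metric value the filter would publish: 1 per matching record."""
    terms = parse_pattern(pattern)
    return sum(1 for line in lines if matches(terms, line))

def put_metric_filter_args(log_group, filter_name="RejectedTraffic",
                           namespace="VPCFlowLogs"):
    """Argument list for the remediation call; assumed names, not run here."""
    return ["aws", "logs", "put-metric-filter", "--log-group-name", log_group,
            "--filter-name", filter_name, "--filter-pattern", REJECT_PATTERN,
            "--metric-transformations",
            f"metricName={filter_name},metricNamespace={namespace},metricValue=1"]
```

Once the filter is in place, an alarm on the published metric turns a rise in rejected flows into an alert rather than a number that is only visible when someone searches the log group.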