VPC Flow Logs Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (should be achieved)
Rule ID: VPC-001

Ensure that the VPC Flow Logs feature is enabled within your AWS account. Once enabled, Amazon VPC Flow Logs will start collecting network traffic data to and from your VPC network, data that can be useful to detect and troubleshoot security issues and make sure that your network access rules are not overly permissive.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Enabling VPC Flow Logs will help you to detect security and access issues like overly permissive security groups and Network ACLs (NACLs), and alert abnormal activities triggered within your Virtual Private Cloud (VPC), such as rejected connection requests or unusual levels of data transfer.

Note: Amazon CloudWatch Logs charges apply when using the Flow Logs feature, whether you send the logs to CloudWatch Logs or to Amazon S3.


Audit

To determine if the Flow Logs feature is enabled for your VPC networks, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Your VPCs.

04 Select the Virtual Private Cloud (VPC) that you want to examine.

05 Choose the Flow logs tab from the console bottom panel and search for any VPC Flow Logs listed in the Flow logs section. If there are no logs listed in the Flow logs section, the Flow Logs feature is not enabled for the selected VPC network.

06 Repeat steps no. 4 and 5 for other Virtual Private Clouds (VPCs) available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-vpcs command (OSX/Linux/UNIX) with a custom query filter to list the IDs of the VPC networks available in the selected AWS region:

aws ec2 describe-vpcs \
  --region us-east-1 \
  --query 'Vpcs[*].VpcId'

02 The command output should return the ID of each Virtual Private Cloud (VPC) available:

[
    "vpc-abcd1234",
    "vpc-1234abcd"
]

03 Run the describe-flow-logs command (OSX/Linux/UNIX) using the ID of the VPC network that you want to examine as the resource-id filter value, to determine if the selected Virtual Private Cloud (VPC) has the Flow Logs feature enabled:

aws ec2 describe-flow-logs \
  --region us-east-1 \
  --filter "Name=resource-id,Values=vpc-abcd1234"

04 The command output should return the metadata available for the Flow Logs feature within the selected VPC:

{
  "FlowLogs": []
}

If the describe-flow-logs command output returns an empty array for the "FlowLogs" attribute, as shown in the output example above, the Flow Logs feature is not enabled for the selected VPC network.

05 Repeat steps no. 3 and 4 for other Virtual Private Clouds (VPCs) available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
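One way to automate the Audit process above for a whole region, as an added example that is not part of the Conformity page or its tooling. The pure function reproduces the page's check (an empty FlowLogs array means the VPC is non-compliant) and additionally flags flow logs that exist but are not ACTIVE or whose CloudWatch delivery has FAILED, using the FlowLogStatus and DeliverLogsStatus fields of the describe-flow-logs output; audit_region wires it to the AWS CLI and needs credentials, and the sample data is constructed.

```python
import json
import subprocess


def evaluate_flow_logs(vpcs, flow_logs):
    """Return {vpc_id: reason} for each VPC failing VPC-001. `vpcs` is the list from
    describe-vpcs --query 'Vpcs[*].VpcId'; `flow_logs` is the FlowLogs list from describe-flow-logs."""
    by_vpc = {}
    for fl in flow_logs:
        by_vpc.setdefault(fl.get("ResourceId"), []).append(fl)
    findings = {}
    for vpc_id in vpcs:
        logs = by_vpc.get(vpc_id, [])
        if not logs:  # the page's check: no flow log listed for this VPC
            findings[vpc_id] = "no flow log configured"
            continue
        # Extra check: a flow log that is not ACTIVE, or whose CloudWatch delivery
        # FAILED (typically an IAM role problem), records nothing useful.
        healthy = [fl for fl in logs if fl.get("FlowLogStatus") == "ACTIVE"
                   and fl.get("DeliverLogsStatus", "SUCCESS") != "FAILED"]
        if not healthy:
            errors = "; ".join(fl.get("DeliverLogsErrorMessage", fl.get("FlowLogId", "?")) for fl in logs)
            findings[vpc_id] = "flow log inactive or failing delivery: " + errors
    return findings


def audit_region(region):
    """Run the Audit section's two CLI commands for one region (needs AWS credentials)."""
    def cli(*args):
        cmd = ["aws", "ec2", *args, "--region", region, "--output", "json"]
        return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)
    vpcs = cli("describe-vpcs", "--query", "Vpcs[*].VpcId")
    return evaluate_flow_logs(vpcs, cli("describe-flow-logs")["FlowLogs"])


# Constructed sample data in the shape of the CLI output (not from a real account).
SAMPLE_VPCS = ["vpc-abcd1234", "vpc-1234abcd", "vpc-0000ffff"]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-aabbccdd", "ResourceId": "vpc-1234abcd", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "cc-vpc-flow-logs-group", "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-00001111", "ResourceId": "vpc-0000ffff", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "cc-vpc-flow-logs-group", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error"},
]

if __name__ == "__main__":
    for vpc_id, reason in evaluate_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"{vpc_id}: {reason}")
```

Run audit_region for each region returned by `aws ec2 describe-regions` to cover the "repeat for other regions" step.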

Remediation / Resolution

To enable the Flow Logs feature for your Amazon VPC networks, perform the following operations:

Note: As an example, this conformity rule demonstrates how to configure VPC Flow Logs to publish the flow log data to Amazon CloudWatch Logs.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Flow Logs for Amazon VPC Networks",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default"
      }
    },
    "VPCFlowLog": {
      "Type": "AWS::EC2::FlowLog",
      "Properties": {
        "ResourceId": {
          "Ref": "AWSVPCNetwork"
        },
        "ResourceType": "VPC",
        "TrafficType": "ALL",
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": "cc-vpc-flow-logs-group",
        "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/cc-flow-logs-iam-role"
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Flow Logs for Amazon VPC Networks
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  VPCFlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref 'AWSVPCNetwork'
      ResourceType: VPC
      TrafficType: ALL
      LogDestinationType: cloud-watch-logs
      LogGroupName: cc-vpc-flow-logs-group
      DeliverLogsPermissionArn: arn:aws:iam::123456789012:role/cc-flow-logs-iam-role

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  instance_tenancy     = "default"
}

# Enable Flow Logs for Amazon VPC Networks
resource "aws_flow_log" "vpc-flow-log" {
  vpc_id               = aws_vpc.aws-vpc-network.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = "arn:aws:logs:us-east-1:123456789012:log-group:cc-vpc-flow-logs-group:*"
  iam_role_arn         = "arn:aws:iam::123456789012:role/cc-flow-logs-iam-role"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Roles.

04 Click on the Create role button from the console top menu to create the IAM role that has permission to publish to Amazon CloudWatch Logs.

  1. On the Select type of trusted entity page, perform the following actions:
    • Select the AWS service category.
    • For Choose a use case, select the EC2 – Allows EC2 instances to call AWS services on your behalf use case. Choose Next: Permissions to continue the setup process.
  2. On the Attach permissions policies page, choose Create policy, select the JSON tab, and paste the following policy document into the editor box. Choose Next: Tags, configure policy tags (optional), choose Next: Review, provide a unique name and a description for the new policy, and choose Create policy to create the required IAM policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    
  3. Navigate back to the IAM role setup page, refresh the policies list and select the custom policy created at the previous step. Choose Next: Tags to continue.
  4. On the Add tags (optional) page, use the configuration controls to create and apply tags to the new IAM role. You can use the tags to organize, track, or control access for your role. Choose Next: Review to continue.
  5. On the Review page, provide a unique name for your role in the Role name box, enter a short description (optional), review the resource configuration information, and choose Create role to create your new IAM role.

05 Click on the name (link) of the newly created IAM role.

06 Select the Trust relationships tab and choose Edit trust relationship.

07 Paste the following policy document into the editor box and choose Update Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

08 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

09 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Your VPCs.

10 Select the Virtual Private Cloud (VPC) that you want to access.

11 Select the Flow logs tab from the console bottom panel and choose Create flow log.

12 On the Create flow log setup page, provide the following information:

  1. (Optional) Type a unique name for your new log in the Name – optional box.
  2. For Filter, select the filter that describes the type of traffic to be logged: accepted, rejected, or all traffic.
  3. For Maximum aggregation interval, choose the maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
  4. For Destination, choose the destination to which to publish the flow log data. Select Send to CloudWatch Logs to publish the flow log data to Amazon CloudWatch Logs.
  5. For Destination log group, select the name of the Amazon CloudWatch log group to which the flow log is published.
  6. For IAM role, select the IAM role created earlier in the Remediation process.
  7. For Log record format, specify the fields to include in the flow log record. Select AWS default format to use the default log format provided by AWS.
  8. (Optional) In the Tags section, use the configuration controls to create and apply tags to the new log.
  9. Choose Create flow log to enable the Flow Logs feature for the selected VPC network.

13 Repeat steps no. 10 – 12 for each Virtual Private Cloud (VPC) created within the current AWS region.

14 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Define the trust relationship policy for the required IAM role. Paste the following policy document to a JSON file named cc-iam-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run the create-role command (OSX/Linux/UNIX) using the trust relationship policy defined at the previous step, to create the IAM role that has permission to publish Flow Logs to Amazon CloudWatch Logs:

aws iam create-role \
  --role-name cc-flow-logs-iam-role \
  --assume-role-policy-document file://cc-iam-role-trust-policy.json

03 The command output should return the metadata available for the new IAM role:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "vpc-flow-logs.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AAAABBBBCCCCDDDDEEEE",
        "CreateDate": "2021-01-25T10:00:00Z",
        "RoleName": "cc-flow-logs-iam-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-flow-logs-iam-role"
    }
}

04 Define the permissions to publish Flow Logs to Amazon CloudWatch Logs. To create the required IAM role policy, paste the following information into a new policy document named cc-iam-role-publish-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

05 Run the put-role-policy command (OSX/Linux/UNIX) to attach the IAM policy defined at the previous step to the newly created IAM role (the command does not produce an output):

aws iam put-role-policy \
  --role-name cc-flow-logs-iam-role \
  --policy-name cc-flow-logs-publish-policy \
  --policy-document file://cc-iam-role-publish-policy.json

06 Run the create-flow-logs command (OSX/Linux/UNIX) to enable the Flow Logs feature for the selected VPC network by creating a new flow log. The following example creates a flow log that captures all traffic for a VPC network with the ID "vpc-abcd1234". The flow logs are delivered to a CloudWatch Logs log group named "cc-vpc-flow-logs-group", using the IAM role identified by the ARN "arn:aws:iam::123456789012:role/cc-flow-logs-iam-role":

aws ec2 create-flow-logs \
  --region us-east-1 \
  --resource-type VPC \
  --resource-ids vpc-abcd1234 \
  --log-group-name cc-vpc-flow-logs-group \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/cc-flow-logs-iam-role \
  --traffic-type ALL

07 The command output should return the metadata available for the new flow log:

{
    "Unsuccessful": [],
    "FlowLogIds": [
        "fl-aabbccdd"
    ],
    "ClientToken": "/AAAABBBBCCCC/AAAA/AAAABBBBCCCCDDDDEEEE"
}

08 Repeat steps no. 6 and 7 for each Virtual Private Cloud (VPC) created in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Apr 8, 2016