Ensure that the VPC Flow Logs feature is enabled within your AWS account. Once enabled, Amazon VPC Flow Logs will start collecting network traffic data to and from your VPC network, data that can be useful to detect and troubleshoot security issues and make sure that your network access rules are not overly permissive.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enabling VPC Flow Logs will help you to detect security and access issues such as overly permissive security groups and Network ACLs (NACLs), and to alert you to abnormal activity within your Virtual Private Cloud (VPC), such as rejected connection requests or unusual levels of data transfer.
Note: Amazon CloudWatch Logs charges apply when using the Flow Logs feature, whether you send the logs to CloudWatch Logs or to Amazon S3.
Audit
To determine if the Flow Logs feature is enabled for your VPC networks, perform the following operations:
Remediation / Resolution
To enable the Flow Logs feature for your Amazon VPC networks, perform the following operations:
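As an added example (not part of this rule page or of the Conformity tooling), the following Python script performs the audit on the JSON returned by `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`, and prints the `aws ec2 create-flow-logs` command for every VPC that has no ACTIVE flow log, publishing to CloudWatch Logs as the note below describes. The VPC IDs, the log group name and the IAM role ARN are constructed placeholders.

```python
"""Audit VPCs for an ACTIVE flow log and build the create-flow-logs remediation.
Args: files saved from `aws ec2 describe-vpcs` and `describe-flow-logs`, else samples."""
import json
import sys

# Constructed sample responses, in the shape the EC2 API returns them.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1b2c3d4e5f60001"},
                        {"VpcId": "vpc-0a1b2c3d4e5f60002"},
                        {"VpcId": "vpc-0a1b2c3d4e5f60003"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    # Covered: an active log of all traffic delivered to CloudWatch Logs.
    {"ResourceId": "vpc-0a1b2c3d4e5f60001", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs"},
    # Not covered: a log exists, but delivery is no longer active.
    {"ResourceId": "vpc-0a1b2c3d4e5f60002", "FlowLogStatus": "INACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3"},
]}
# Placeholder ARN of the IAM role that lets flow logs write to CloudWatch Logs.
ROLE_ARN = "arn:aws:iam::123456789012:role/FlowLogsRole"
def vpcs_without_flow_logs(vpcs, flow_logs):
    """Return IDs of VPCs with no ACTIVE flow log attached at the VPC level."""
    covered = {fl["ResourceId"] for fl in flow_logs.get("FlowLogs", [])
               if fl.get("FlowLogStatus") == "ACTIVE"}
    return sorted(v["VpcId"] for v in vpcs.get("Vpcs", [])
                  if v["VpcId"] not in covered)

def create_flow_logs_command(vpc_id, log_group, role_arn, traffic_type="ALL"):
    """Build the `aws ec2 create-flow-logs` call that publishes to CloudWatch Logs."""
    if traffic_type not in ("ACCEPT", "REJECT", "ALL"):
        raise ValueError(f"unsupported traffic type: {traffic_type}")
    return ["aws", "ec2", "create-flow-logs",
            "--resource-type", "VPC", "--resource-ids", vpc_id,
            "--traffic-type", traffic_type,
            "--log-destination-type", "cloud-watch-logs",
            "--log-group-name", log_group,
            "--deliver-logs-permission-arn", role_arn]

def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            vpcs, flow_logs = json.load(f1), json.load(f2)
    else:
        vpcs, flow_logs = SAMPLE_VPCS, SAMPLE_FLOW_LOGS
    missing = vpcs_without_flow_logs(vpcs, flow_logs)
    for vpc_id in missing:  # one remediation command per uncovered VPC
        print(" ".join(create_flow_logs_command(vpc_id, "vpc-flow-logs", ROLE_ARN)))
    return missing
if __name__ == "__main__":
    main(sys.argv)
```

Run the printed commands only after the IAM role in `ROLE_ARN` exists with a trust policy for `vpc-flow-logs.amazonaws.com` and permission to write to the log group.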
Note: As an example, this conformity rule demonstrates how to configure VPC Flow Logs to publish the flow log data to Amazon CloudWatch Logs.
References
- AWS Documentation
  - Amazon VPC FAQs
  - Logging IP traffic using VPC Flow Logs
  - Creating IAM Roles
  - Creating a role to delegate permissions to an AWS service
  - Policies and permissions in IAM
  - What is Amazon CloudWatch Logs?
  - Working with log groups and log streams
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-vpcs
    - describe-flow-logs
    - create-flow-logs
  - iam
    - create-role
    - put-role-policy
- CloudFormation Documentation
  - AWS::EC2::FlowLog
- Terraform Documentation
  - AWS Provider