
Ensure VPC flow logging Rule

This rule ensures VPC flow logging is enabled in all VPCs.

Rule: Ensure VPC flow logging is enabled in all VPCs
Framework: cis_v140
Severity: Critical

Rule Details

Rule Name: Enable VPC Flow Logging for cis_v140

Description: VPC flow logging allows you to capture information about the IP traffic going to and from network interfaces in your VPC. This rule ensures that VPC flow logging is enabled for all VPCs in compliance with the cis_v140 security benchmark.

This rule is implemented to enhance the visibility of network traffic within AWS VPCs and improve security by logging all network traffic information.

Troubleshooting Steps

  1. Check if the VPC flow logs are enabled:

    • Go to the AWS Management Console.
    • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
    • Navigate to the "Flow Logs" section.
    • Verify if there are any flow logs configured for the VPCs.

  2. Verify IAM permissions:

    • Ensure that the IAM user/role accessing the VPC has the necessary permissions to enable flow logs. The required permissions are:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowVPCFlowLogs",
            "Effect": "Allow",
            "Action": [
              "ec2:CreateFlowLogs",
              "ec2:DescribeFlowLogs"
            ],
            "Resource": "*"
          }
        ]
      }

  3. Check VPC settings:

    • Confirm if any VPCs are missing flow logs.
    • Ensure that all VPCs have flow logs enabled with the appropriate configurations.
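The audit in steps 1 and 3 can be automated. The following is an added example, not code from the Cloud Defense rule page or the AWS SDK: it takes VPC and flow-log records in the shape returned by boto3's ec2 describe_vpcs / describe_flow_logs calls and reports every VPC that has no flow log, only an inactive one, or one that does not capture the expected traffic type. The sample records and IDs are constructed by hand and hypothetical; the pass condition (at least one ACTIVE flow log with TrafficType ALL) is an assumption taken from the traffic type used in this rule's remediation, and the collect_from_aws helper is an assumed convenience wrapper for running the same check against a live account.

```python
"""Audit helper: find VPCs that lack an active flow log of the expected type.

Added example; not part of the Cloud Defense rule page or the AWS SDK.
The sample VPC and flow-log records below are constructed by hand in the
shape returned by boto3's ec2 describe_vpcs / describe_flow_logs calls;
the IDs are hypothetical.
"""
from typing import Dict, List

Findings = Dict[str, List[str]]

# Constructed sample data (hypothetical IDs, not from a real account).
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa000000000001", "CidrBlock": "10.0.0.0/16"},
    {"VpcId": "vpc-0aaa000000000002", "CidrBlock": "10.1.0.0/16"},
    {"VpcId": "vpc-0aaa000000000003", "CidrBlock": "10.2.0.0/16"},
    {"VpcId": "vpc-0aaa000000000004", "CidrBlock": "10.3.0.0/16"},
]
SAMPLE_FLOW_LOGS = [
    # Compliant: active and logging ALL traffic.
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-0aaa000000000001",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs"},
    # Only accepted traffic is logged: rejected connections go unseen.
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-0aaa000000000002",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT",
     "LogDestinationType": "cloud-watch-logs"},
    # Exists but is no longer delivering (e.g. delivery role lost permissions).
    {"FlowLogId": "fl-0003", "ResourceId": "vpc-0aaa000000000003",
     "FlowLogStatus": "INACTIVE", "TrafficType": "ALL",
     "LogDestinationType": "s3"},
    # vpc-0aaa000000000004 has no flow log at all.
]


def audit_flow_logs(vpcs, flow_logs, required_traffic_type="ALL") -> Findings:
    """Return {vpc_id: [reasons]} for every VPC that fails the check.

    A VPC passes when at least one flow log attached to the VPC itself is
    ACTIVE and captures the required traffic type. Flow logs attached to
    subnets or network interfaces have other ResourceIds and therefore do
    not satisfy the VPC-level control.
    """
    by_vpc: Dict[str, List[dict]] = {}
    for fl in flow_logs:
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)

    findings: Findings = {}
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        logs = by_vpc.get(vpc_id, [])
        if not logs:
            findings[vpc_id] = ["no flow log configured"]
            continue
        if any(fl["FlowLogStatus"] == "ACTIVE"
               and fl["TrafficType"] == required_traffic_type for fl in logs):
            continue  # compliant
        reasons: List[str] = []
        for fl in logs:
            if fl["FlowLogStatus"] != "ACTIVE":
                reasons.append(f"{fl['FlowLogId']} status is {fl['FlowLogStatus']}")
            if fl["TrafficType"] != required_traffic_type:
                reasons.append(f"{fl['FlowLogId']} traffic type is "
                               f"{fl['TrafficType']}, expected {required_traffic_type}")
        findings[vpc_id] = reasons
    return findings


def collect_from_aws(ec2_client) -> Findings:
    """Assumed helper: fetch live data with a boto3 EC2 client and audit it."""
    vpcs, flow_logs = [], []
    for page in ec2_client.get_paginator("describe_vpcs").paginate():
        vpcs.extend(page["Vpcs"])
    for page in ec2_client.get_paginator("describe_flow_logs").paginate():
        flow_logs.extend(page["FlowLogs"])
    return audit_flow_logs(vpcs, flow_logs)


if __name__ == "__main__":
    for vpc_id, reasons in audit_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"NON-COMPLIANT {vpc_id}: {'; '.join(reasons)}")
    # Against a real account: import boto3 and call
    # collect_from_aws(boto3.client("ec2")) with ec2:DescribeVpcs and
    # ec2:DescribeFlowLogs permissions.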

Code Examples

Python Boto 3 SDK:

import boto3

ec2_client = boto3.client('ec2')

def enable_flow_logs(vpc_id):
    # Create a flow log that captures ALL traffic (accepted and rejected)
    # for the given VPC and delivers it to a CloudWatch Logs log group.
    # Replace the placeholder ARNs with the target log group ARN and the
    # IAM role that lets the VPC Flow Logs service write to that group.
    response = ec2_client.create_flow_logs(
        ResourceIds=[vpc_id],
        ResourceType='VPC',
        TrafficType='ALL',
        LogDestinationType='cloud-watch-logs',
        LogDestination='arn:aws:logs:region:account-id:log-group:log-group-name',
        DeliverLogsPermissionArn='arn:aws:iam::account-id:role/role-name'
    )
    # CreateFlowLogs reports per-resource failures in the 'Unsuccessful'
    # list instead of raising, so check it rather than assuming success.
    if response.get('Unsuccessful'):
        print('Flow log creation failed:', response['Unsuccessful'])
    print(response)

# Usage
vpc_id = 'your-vpc-id'
enable_flow_logs(vpc_id)

AWS CLI:

aws ec2 create-flow-logs --resource-type VPC --resource-ids your-vpc-id --traffic-type ALL --log-destination-type cloud-watch-logs --log-destination 'arn:aws:logs:region:account-id:log-group:log-group-name' --deliver-logs-permission-arn 'arn:aws:iam::account-id:role/role-name'

Remediation Steps

To enable VPC flow logging for cis_v140, follow the step-by-step guide:

  1. Log in to the AWS Management Console.
  2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  3. Navigate to the "Flow Logs" section.
  4. Check if flow logs are enabled for all VPCs.
    • If flow logs are missing, proceed to the next step.
    • If all VPCs have flow logs enabled, no further action is required.
  5. Click on the "Create Flow Log" button.
  6. Select the desired VPC from the dropdown menu.
  7. Choose the appropriate settings for Traffic Type, Log Destination Type, and Log Destination.
    • Traffic Type: Select "ALL" to log all traffic or choose a specific type if desired.
    • Log Destination Type: Select "CloudWatch Logs" to deliver logs to CloudWatch Logs.
    • Log Destination: Choose the appropriate CloudWatch Logs group.
  8. Provide the necessary IAM role ARN for "Deliver Logs Permission ARN".
  9. Click on the "Create" button to enable flow logs for the selected VPC.
  10. Repeat these steps for any additional VPCs that require flow logs.

Ensure that flow logs are configured and enabled for all VPCs in compliance with the cis_v140 security benchmark.
