Rule Description:
VPC flow logs should be enabled for compliance with NIST 800-171 Revision 2. VPC flow logs record metadata about the IP traffic going to and from network interfaces in a Virtual Private Cloud (VPC); they capture header-level fields, not packet payloads. Enabling them supports the audit and accountability requirements (the 3.3 control family) of NIST 800-171 Revision 2, which provides guidelines for protecting Controlled Unclassified Information (CUI) in nonfederal systems.
When VPC flow logs are enabled, each record describes one flow aggregated over an interval (10 minutes by default, 1 minute if configured): source and destination IP addresses and ports, protocol, whether the traffic was accepted or rejected, byte and packet counts, and start and end timestamps. Some traffic is never logged, for example DNS queries to the Amazon-provided resolver and requests to the instance metadata service. This data can be analyzed to detect and investigate security incidents, monitor network activity, and support security audits.
Troubleshooting Steps:
If VPC flow logs are not enabled or there are issues with their configuration, refer to the following troubleshooting steps:
1. Check VPC flow log settings: Verify that a flow log exists for the desired VPC and that it is configured with traffic type ALL. Ensure that the IAM role specified for delivery exists and is trusted by the vpc-flow-logs.amazonaws.com service principal.
2. Verify log delivery: Ensure that the flow logs are being delivered to the selected destination, such as Amazon S3 or CloudWatch Logs. Check the S3 bucket or CloudWatch Logs group for the presence of log records; a VPC with no traffic produces no records, so generate some traffic before concluding that delivery is broken.
3. Review IAM permissions: Confirm that the IAM role associated with the VPC flow logs has the necessary permissions. For a CloudWatch Logs destination the role needs logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams on the chosen log group. For an S3 destination no role is used; the bucket policy must grant s3:PutObject and s3:GetBucketAcl to the delivery.logs.amazonaws.com service principal.
4. Check the delivery status: Flow log records are published by the flow logs service outside the VPC data path, so the VPC's network ACLs, security groups and route tables cannot block them. Instead, inspect the DeliverLogsStatus and DeliverLogsErrorMessage fields reported by describe-flow-logs; an "Access error" means the role's permissions or trust relationship (or, for S3, the bucket policy) is wrong.
5. Inspect the flow log scope: A flow log can be created for a VPC, a subnet or a single network interface. Only a VPC-level flow log covers every network interface in the VPC, including interfaces created later; if flow logs exist only for some subnets or interfaces, traffic elsewhere in the VPC is not captured.
6. Review log retention settings: CloudWatch Logs groups retain data indefinitely unless a retention period is set, and S3 buckets keep objects until a lifecycle rule expires them. Configure retention to match your compliance requirements and adjust it if necessary.
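The checks in steps 1, 4 and 5 can be run against the output of describe-vpcs and describe-flow-logs. The following script is an added example, not code from the original page: it takes the response shapes of those two calls (as returned by the AWS CLI or boto3), reports per VPC whether a VPC-scoped, ACTIVE flow log with traffic type ALL exists and is not reporting delivery failures, and explains each gap. The VPC and flow-log IDs in the sample data are constructed, and the live lookup via boto3 is optional.

```python
"""Added example (not from the original page): audit VPC flow-log coverage.

Takes the dict shapes returned by `aws ec2 describe-vpcs` and
`aws ec2 describe-flow-logs` (identical to boto3's responses) and reports,
per VPC, whether a VPC-scoped flow log exists that captures ALL traffic,
is ACTIVE, and is not reporting delivery failures. The sample data at the
bottom is constructed for illustration; all IDs are fictitious.
"""


def flow_log_problems(fl):
    """Return the reasons one flow log does not satisfy the rule (empty list = good)."""
    problems = []
    fid = fl.get("FlowLogId", "?")
    if fl.get("TrafficType") != "ALL":
        problems.append(f"{fid}: TrafficType is {fl.get('TrafficType')}, not ALL")
    if fl.get("FlowLogStatus") != "ACTIVE":
        problems.append(f"{fid}: FlowLogStatus is {fl.get('FlowLogStatus')}")
    # DeliverLogsStatus is SUCCESS or FAILED; a missing field means not yet reported.
    if fl.get("DeliverLogsStatus") == "FAILED":
        problems.append(f"{fid}: delivery FAILED: {fl.get('DeliverLogsErrorMessage', '')}")
    return problems


def evaluate_vpc(vpc_id, flow_logs):
    """Return (compliant, findings) for one VPC.

    Only flow logs whose ResourceId is the VPC itself count. Subnet- and
    ENI-scoped flow logs cover part of the VPC, so a VPC that has only those
    is reported as non-compliant.
    """
    vpc_scoped = [fl for fl in flow_logs if fl.get("ResourceId") == vpc_id]
    if not vpc_scoped:
        return False, ["no VPC-scoped flow log (subnet/ENI flow logs do not cover the whole VPC)"]
    findings = []
    for fl in vpc_scoped:
        problems = flow_log_problems(fl)
        if not problems:
            return True, []  # one healthy ALL-traffic, VPC-level log is enough
        findings.extend(problems)
    return False, findings


def evaluate_vpcs(vpcs_response, flow_logs_response):
    """Map every VPC ID to its (compliant, findings) pair."""
    flow_logs = flow_logs_response.get("FlowLogs", [])
    return {v["VpcId"]: evaluate_vpc(v["VpcId"], flow_logs)
            for v in vpcs_response.get("Vpcs", [])}


def fetch_live():
    """Pull real data with boto3 (needs credentials and ec2:Describe* permissions)."""
    import boto3
    ec2 = boto3.client("ec2")
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate() for v in page["Vpcs"]]
    fls = [f for page in ec2.get_paginator("describe_flow_logs").paginate() for f in page["FlowLogs"]]
    return {"Vpcs": vpcs}, {"FlowLogs": fls}


# Constructed sample data (fictitious IDs) covering three common states.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa111"}, {"VpcId": "vpc-0bbb222"}, {"VpcId": "vpc-0ccc333"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    # Healthy VPC-level log delivering to CloudWatch Logs.
    {"FlowLogId": "fl-001", "ResourceId": "vpc-0aaa111", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flow-logs"},
    # Subnet-level log only: the rest of vpc-0bbb222 is unmonitored.
    {"FlowLogId": "fl-002", "ResourceId": "subnet-0bbb999", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    # ACCEPT-only log whose role cannot deliver (bad trust policy or permissions).
    {"FlowLogId": "fl-003", "ResourceId": "vpc-0ccc333", "TrafficType": "ACCEPT",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error"},
]}

if __name__ == "__main__":
    try:
        vpcs, fls = fetch_live()
    except Exception:  # boto3 not installed or no credentials: use the sample data
        vpcs, fls = SAMPLE_VPCS, SAMPLE_FLOW_LOGS
    for vid, (ok, findings) in evaluate_vpcs(vpcs, fls).items():
        print(vid, "COMPLIANT" if ok else "NON-COMPLIANT", "; ".join(findings))
```

Run against the sample, vpc-0aaa111 is compliant, vpc-0bbb222 is flagged for having only a subnet-scoped log, and vpc-0ccc333 is flagged twice, for capturing ACCEPT traffic only and for the delivery failure that step 4 above describes.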
Code:
No specific code is required for enabling VPC flow logs, as it can be done through the AWS Management Console, AWS CLI, or AWS SDKs. The following example shows the AWS CLI command to enable VPC flow logs for a VPC, delivering to CloudWatch Logs (the default destination type):
aws ec2 create-flow-logs --resource-ids <vpc-id> --resource-type VPC --traffic-type ALL --log-group-name <log-group-name> --deliver-logs-permission-arn <IAM-role-ARN>
Replace <vpc-id> with the ID of the target VPC, <log-group-name> with the desired name for the CloudWatch Logs group, and <IAM-role-ARN> with the ARN of an IAM role that trusts the vpc-flow-logs.amazonaws.com service principal and is allowed to write to that log group. The role is used only for CloudWatch Logs delivery; to deliver to S3 instead, pass --log-destination-type s3 and --log-destination with the bucket ARN, and grant the delivery.logs.amazonaws.com service principal access in the bucket policy.
Remediation Steps:
To enable VPC flow logs for NIST 800-171 Revision 2 compliance, follow these steps:
1. Identify the target VPC: Determine the VPC for which you want to enable flow logs. Note down the VPC ID.
2. Choose a log destination: Decide whether to store the flow logs in an S3 bucket or a CloudWatch Logs group. CloudWatch Logs suits alerting and interactive queries; S3 is cheaper for long-term retention and bulk analysis.
3. Create an IAM role (CloudWatch Logs destination only): If one does not already exist, create a role whose trust policy allows the vpc-flow-logs.amazonaws.com service principal to assume it and whose permissions policy allows creating log streams and putting log events in the chosen log group. For an S3 destination, add a bucket policy granting the delivery.logs.amazonaws.com service principal s3:PutObject and s3:GetBucketAcl instead.
4. Enable VPC flow logs: Use the AWS Management Console, AWS CLI, or SDKs to create a flow log with the VPC as the resource, traffic type ALL, the chosen destination and, for CloudWatch Logs, the IAM role. Creating the flow log at the VPC level rather than per subnet or network interface ensures that every interface in the VPC is covered.
5. Verify flow log configuration: Confirm that the flow log is reported as ACTIVE with a delivery status of SUCCESS, then check the log destination (S3 bucket or CloudWatch Logs group) to ensure that records are arriving and are accessible for analysis.
6. Establish log retention period: Set a CloudWatch Logs retention policy or an S3 lifecycle rule. NIST 800-171 Revision 2 requires audit records to be retained and protected for as long as needed to support monitoring and investigations but does not prescribe a fixed period, so follow your organization's documented retention requirement.
7. Regularly review and analyze logs: Continuously monitor, review, and analyze the VPC flow logs to detect security incidents, identify abnormal traffic patterns, and ensure compliance with NIST 800-171 Revision 2 requirements.
By following these steps, organizations can enable VPC flow logs for compliance with NIST 800-171 Revision 2 and gain better visibility into network traffic within their Virtual Private Cloud.
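Steps 3 to 6 above, carried out with boto3 for a CloudWatch Logs destination, as an added example that is not code from the original page. The role name, log group name, 365-day retention and 60-second aggregation interval are illustrative choices; the aws:SourceAccount condition in the trust policy and the log-group-scoped permissions are hardening choices of this example, tighter than the wildcard resource in the page's own description. The policy builders and the retention check are pure functions, so they can be verified without an AWS account; enable_vpc_flow_logs needs credentials with IAM, CloudWatch Logs and EC2 permissions.

```python
"""Added example (not from the original page): enable VPC flow logs to
CloudWatch Logs with boto3. Role name, log group name, retention and
aggregation interval are assumptions of this example.
"""
import json
import sys

# Service principal that VPC Flow Logs uses to assume the delivery role.
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

# Retention periods (days) that CloudWatch Logs accepts in put_retention_policy.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                        731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}


def trust_policy(account_id):
    """Trust policy letting only the flow logs service, acting for this account, assume the role.

    The aws:SourceAccount condition closes the confused-deputy case where the
    service is driven from another account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def permissions_policy(log_group_arn):
    """Delivery permissions scoped to one log group (and its streams) instead of '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:PutLogEvents", "logs:DescribeLogStreams"],
             "Resource": [log_group_arn, f"{log_group_arn}:*"]},
            {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
        ],
    }


def validated_retention(days):
    """Reject retention values that CloudWatch Logs would refuse."""
    if days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{days} is not a valid CloudWatch Logs retention period")
    return days


def enable_vpc_flow_logs(vpc_id, log_group_name="/vpc/flow-logs",
                         role_name="vpc-flow-logs-delivery", retention_days=365):
    """Idempotently create the role and log group, then a VPC-level ALL-traffic flow log.

    Returns the new flow log ID after confirming it is ACTIVE."""
    import boto3
    iam, logs, ec2, sts = (boto3.client(s) for s in ("iam", "logs", "ec2", "sts"))
    account_id = sts.get_caller_identity()["Account"]
    region = ec2.meta.region_name
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"

    try:
        role_arn = iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)))["Role"]["Arn"]
    except iam.exceptions.EntityAlreadyExistsException:
        role_arn = iam.get_role(RoleName=role_name)["Role"]["Arn"]
    iam.put_role_policy(RoleName=role_name, PolicyName="flow-logs-delivery",
                        PolicyDocument=json.dumps(permissions_policy(log_group_arn)))

    try:
        logs.create_log_group(logGroupName=log_group_name)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass
    logs.put_retention_policy(logGroupName=log_group_name,
                              retentionInDays=validated_retention(retention_days))

    # A freshly created role can take a few seconds to propagate through IAM; if the
    # call below reports an access error, wait briefly and run it again.
    resp = ec2.create_flow_logs(ResourceIds=[vpc_id], ResourceType="VPC", TrafficType="ALL",
                                LogDestinationType="cloud-watch-logs",
                                LogGroupName=log_group_name,
                                DeliverLogsPermissionArn=role_arn,
                                MaxAggregationInterval=60)
    if resp.get("Unsuccessful"):
        raise RuntimeError(f"flow log not created: {resp['Unsuccessful']}")
    flow_log_id = resp["FlowLogIds"][0]
    status = ec2.describe_flow_logs(FlowLogIds=[flow_log_id])["FlowLogs"][0]
    if status.get("FlowLogStatus") != "ACTIVE":
        raise RuntimeError(f"flow log {flow_log_id} is not active: {status}")
    return flow_log_id


if __name__ == "__main__":
    print(enable_vpc_flow_logs(sys.argv[1]))  # usage: python enable_flow_logs.py vpc-xxxxxxxx
```

Because the role and log group creations swallow the already-exists errors, the script can be re-run safely; re-running create_flow_logs for a VPC that already has an identical flow log returns an entry under Unsuccessful, which the function surfaces as an error rather than silently ignoring.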