This rule requires enabling VPC flow logs to ensure system and information integrity.
Rule | VPC flow logs should be enabled
Framework | NIST 800-171 Revision 2
Severity | High
Rule Description
This rule requires that VPC flow logs be enabled for compliance with NIST 800-171 Revision 2. VPC flow logs record metadata about the IP traffic to and from the network interfaces in your VPC: source and destination IP addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by security groups and network ACLs. They do not capture packet payloads. Flow logs can be created for a whole VPC, a subnet, or a single network interface; this rule expects a VPC-level flow log so that every interface in the VPC is covered. Enabling them gives the visibility needed to detect and investigate suspicious connections, such as traffic to unexpected destinations or repeated rejected connection attempts.
Troubleshooting Steps (if applicable)
Verify the flow log scope and resource: flow logs are available for VPCs, subnets, and individual network interfaces. Confirm that the VPC ID exists in the region your CLI profile targets, and note that a flow log's traffic type, destination, and record format cannot be changed after creation; to change them, delete the flow log and create a new one.
Check IAM permissions: the identity running the CLI needs ec2:CreateFlowLogs and ec2:DescribeFlowLogs, plus logs:CreateLogGroup if it creates the CloudWatch Logs log group itself and iam:PassRole for the delivery role passed in --deliver-logs-permission-arn.
VPC flow log delivery failure: if flow logs are not arriving at the destination (S3 bucket or CloudWatch Logs log group), run aws ec2 describe-flow-logs and look at DeliverLogsStatus and DeliverLogsErrorMessage. A status of FAILED with the message "Access error" means the flow log service cannot write to the destination. For CloudWatch Logs, the delivery role must trust vpc-flow-logs.amazonaws.com and allow logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, and logs:DescribeLogStreams. For S3, no IAM role is used; instead the bucket policy must let the delivery.logs.amazonaws.com service call s3:PutObject under the AWSLogs/<account-id>/ prefix and s3:GetBucketAcl on the bucket.
Log group creation issue: if creating the CloudWatch Logs log group fails, check the log group name (it may already exist) and confirm that the caller has logs:CreateLogGroup. If you rely on the flow log service to create the group, that permission must be on the delivery role instead.
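The following script is an added example and is not part of the original rule page. It reads records in the shape returned by aws ec2 describe-flow-logs (constructed here so it runs offline), separates flow logs that are delivering from those that are not, and points at the permission that is usually missing for each destination type. It also builds the delivery role's trust and permissions policies for CloudWatch Logs and the bucket policy for S3. The account ID, role name, log group, bucket name and flow log IDs are assumptions.

```python
"""Diagnose VPC flow log delivery failures and build the policies each destination needs.

Added example, not part of the original page. The describe-flow-logs records, account
ID, role, log group and bucket names below are constructed so the script runs offline.
"""

ACCOUNT_ID = "123456789012"  # assumed account ID
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/VPCFlowLogsRole"  # assumed delivery role

# Constructed records in the shape `aws ec2 describe-flow-logs` returns under "FlowLogs":
# one healthy CloudWatch Logs delivery, one CloudWatch delivery failing on permissions,
# and one S3 delivery failing on the bucket policy.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-12345678", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/aws/vpc/flowlogs", "DeliverLogsPermissionArn": ROLE_ARN,
     "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-87654321", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/aws/vpc/flowlogs", "DeliverLogsPermissionArn": ROLE_ARN,
     "DeliverLogsStatus": "FAILED", "DeliverLogsErrorMessage": "Access error"},
    {"FlowLogId": "fl-0003", "ResourceId": "vpc-0abc0abc", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-logs-bucket",
     "DeliverLogsStatus": "FAILED", "DeliverLogsErrorMessage": "Access error"},
]


def cloudwatch_delivery_role_policies(log_group_arn, account_id):
    """Trust and permissions policy for the role passed as --deliver-logs-permission-arn.

    Only the flow log service may assume the role, and the aws:SourceAccount condition
    is a confused-deputy guard. Write actions are scoped to the log group and its
    streams; the Describe actions are left on "*" as in AWS's documented example.
    """
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}
    permissions = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [log_group_arn, f"{log_group_arn}:*"]},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Resource": "*"},
    ]}
    return trust, permissions


def s3_bucket_delivery_policy(bucket_name, account_id, region):
    """Bucket policy that lets the log delivery service write flow logs to the bucket.

    Objects land under AWSLogs/<account-id>/, so PutObject is limited to that prefix
    and to the account and region that own the flow log.
    """
    source = {"StringEquals": {"aws:SourceAccount": account_id},
              "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"}}
    write_cond = {"StringEquals": {**source["StringEquals"],
                                   "s3:x-amz-acl": "bucket-owner-full-control"},
                  "ArnLike": source["ArnLike"]}
    service = {"Service": "delivery.logs.amazonaws.com"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": service,
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_id}/*",
         "Condition": write_cond},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow", "Principal": service,
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket_name}",
         "Condition": source},
    ]}


def diagnose(flow_log):
    """Return (healthy, advice) for one describe-flow-logs record."""
    fl_id = flow_log["FlowLogId"]
    if flow_log.get("FlowLogStatus") != "ACTIVE":
        return False, f"{fl_id}: FlowLogStatus {flow_log.get('FlowLogStatus')}; delete and recreate it"
    dest_type = flow_log.get("LogDestinationType")
    target = flow_log.get("LogGroupName") or flow_log.get("LogDestination")
    if flow_log.get("DeliverLogsStatus") == "SUCCESS":
        return True, f"{fl_id}: delivering to {target}"
    error = flow_log.get("DeliverLogsErrorMessage", "no error message")
    if dest_type == "cloud-watch-logs":
        hint = (f"check that {flow_log.get('DeliverLogsPermissionArn')} trusts "
                f"vpc-flow-logs.amazonaws.com and allows logs:CreateLogStream and "
                f"logs:PutLogEvents on {target}")
    elif dest_type == "s3":
        hint = (f"check that the bucket policy on {target} allows "
                f"delivery.logs.amazonaws.com s3:PutObject and s3:GetBucketAcl")
    else:
        hint = "check the destination configuration"
    return False, f"{fl_id}: delivery FAILED ({error}); {hint}"


def failing_flow_logs(flow_logs):
    """IDs of flow logs that exist but are not delivering."""
    return [fl["FlowLogId"] for fl in flow_logs if not diagnose(fl)[0]]


if __name__ == "__main__":
    for fl in SAMPLE_FLOW_LOGS:
        print(diagnose(fl)[1])
```

Run it against real output by replacing SAMPLE_FLOW_LOGS with the "FlowLogs" list from aws ec2 describe-flow-logs --output json. The policies are the starting point for aws iam create-role / put-role-policy and aws s3api put-bucket-policy; keep the SourceAccount and SourceArn conditions, since without them any account's flow logs could be delivered into your bucket.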
Required Codes (if applicable)
No additional code is required to enable VPC flow logs; the steps below use the AWS Command Line Interface (CLI). Install the AWS CLI and configure credentials for an IAM identity with the permissions listed above before proceeding.
Step-by-Step Guide
Please follow the step-by-step guide below to enable VPC flow logs:
1. Identify the target VPC
Identify the VPC for which you want to enable flow logs. Note down the VPC ID for future reference.
2. Choose a destination for flow logs
Decide where the flow logs will be delivered: Amazon S3 or CloudWatch Logs.
Amazon S3: create an S3 bucket (or choose an existing one) and attach a bucket policy that allows the delivery.logs.amazonaws.com service to write to it. Note down the bucket name, and any prefix you want to use, for later.
CloudWatch Logs: create a CloudWatch Logs log group and an IAM role that the flow log service (vpc-flow-logs.amazonaws.com) can assume to write to it. Note down the log group name and the role ARN for later.
3. Enable VPC flow logs
Run one of the following commands to enable flow logs for the chosen VPC. Replace "vpc-12345678" with the actual VPC ID.
For a CloudWatch Logs destination:
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name [log-group-name] --deliver-logs-permission-arn [role-arn]
For an Amazon S3 destination:
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --traffic-type ALL --log-destination-type s3 --log-destination arn:aws:s3:::[bucket-name]
Replace the following placeholders with your chosen options:
[log-group-name]: the CloudWatch Logs log group that will receive the logs.
[role-arn]: the ARN of the IAM role the flow log service assumes to write to that log group. This parameter is required for CloudWatch Logs and is not used for S3.
[bucket-name]: the S3 bucket for the logs. The value of --log-destination is the bucket ARN, not the bare bucket name; append /your-prefix/ to the ARN to store the logs under a folder.
--traffic-type ALL records both accepted and rejected traffic; ACCEPT or REJECT alone gives only partial visibility.
4. Verify flow log creation
Execute the following command to confirm that the flow log exists and is delivering:
aws ec2 describe-flow-logs --filter Name=resource-id,Values=vpc-12345678
In the output, FlowLogStatus should be ACTIVE and, after a few minutes, DeliverLogsStatus should be SUCCESS. A DeliverLogsStatus of FAILED with a DeliverLogsErrorMessage points to a permissions or destination problem; see the troubleshooting steps above. Running the command without the filter lists every flow log in the region, which is the quickest way to confirm that each VPC has one.
Summary
Enabling VPC flow logs is a necessary step toward compliance with NIST 800-171 Revision 2. Following the step-by-step guide above, you can enable flow logs for your chosen VPC with either Amazon S3 or CloudWatch Logs as the destination, and confirm with describe-flow-logs that the log is active and delivering. The control is only satisfied in practice if someone reviews the logs: route them to your monitoring tooling and alert on patterns such as repeated rejected connections or traffic to unexpected destinations.