
Rule: VPC Flow Logs Should Be Enabled

This rule ensures VPC flow logs are enabled for enhanced security measures within the infrastructure.

Rule: VPC flow logs should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

VPC flow logs should be enabled for NIST 800-53 Revision 5 compliance. VPC flow logs provide visibility into the network traffic within your Amazon Virtual Private Cloud (VPC). Enabling VPC flow logs is an important security measure to monitor and analyze network traffic for detecting potential security threats, troubleshooting network connectivity issues, and complying with security standards like NIST 800-53 Revision 5.

Troubleshooting Steps:

If VPC flow logs are not enabled or are not generating logs as expected, follow the troubleshooting steps below:

  1. Ensure IAM Role: Confirm that the IAM role associated with your VPC flow logs has the necessary permissions to write logs to the chosen log destination, such as Amazon CloudWatch Logs.
  2. Verify Log Destination: Check that the log destination, such as a CloudWatch Logs group or an Amazon S3 bucket, is correctly configured and accessible. Ensure that the destination has sufficient permissions to receive and store the flow logs.
  3. Check Resource Configuration: Validate that VPC flow logs are correctly configured for the desired VPC and network interfaces (ENIs). Ensure that an appropriate filter is applied to capture the required traffic.
  4. Confirm VPC Flow Log Status: Check the status of VPC flow logs in the AWS Management Console or through the AWS CLI. If the status is not "Active," there may be a configuration or permission issue that needs to be addressed.
  5. Review CloudWatch Logs: If sending logs to CloudWatch Logs, review the logs for any errors or anomalies. Check the log group and log stream for incoming flow log data.
  6. Check VPC/Subnet/ENI Status: Ensure that the VPC, subnet, and network interfaces (ENIs) associated with the flow logs are in the "available" state. Check for any issues or errors reported by the VPC, subnet, or ENIs.
  7. Enable Flow Logs on Affected Resources: If flow logs are not enabled on specific subnets or network interfaces, enable them using the AWS Management Console or AWS CLI.
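The troubleshooting steps above (flow log present, status "Active", IAM role and destination able to deliver) can be checked from the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` print. The following script is an added example, not CloudDefense code: it takes those two documents, reports every VPC that has no ACTIVE flow log, and lists flow logs whose delivery is failing. The sample data embedded in it is constructed; the VPC IDs, flow log IDs and the IAM role ARN are made up for this example, and the field names follow the `describe-flow-logs` output format.

```python
"""Compliance check for the "VPC flow logs should be enabled" rule.

Added example (not CloudDefense code). It reads the JSON documents that
`aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` print and reports
VPCs with no flow log in the ACTIVE state, plus flow logs whose delivery is
failing (IAM-role and destination problems from the troubleshooting steps
show up as DeliverLogsStatus FAILED / DeliverLogsErrorMessage).
"""
import json

# Constructed sample output shaped like the two CLI commands' JSON.
# All IDs and the role ARN are made up for this example.
SAMPLE_VPCS = json.loads("""
{"Vpcs": [{"VpcId": "vpc-0a1b2c3d4e5f60001"},
          {"VpcId": "vpc-0a1b2c3d4e5f60002"},
          {"VpcId": "vpc-0a1b2c3d4e5f60003"}]}
""")

SAMPLE_FLOW_LOGS = json.loads("""
{"FlowLogs": [
  {"FlowLogId": "fl-0000000000000001", "ResourceId": "vpc-0a1b2c3d4e5f60001",
   "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
   "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow-logs",
   "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/flow-logs-role",
   "DeliverLogsStatus": "SUCCESS"},
  {"FlowLogId": "fl-0000000000000002", "ResourceId": "vpc-0a1b2c3d4e5f60002",
   "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT",
   "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow-logs",
   "DeliverLogsPermissionArn": "arn:aws:iam::123456789012:role/flow-logs-role",
   "DeliverLogsStatus": "FAILED", "DeliverLogsErrorMessage": "Access error"}
]}
""")


def active_flow_logs_by_resource(flow_logs_doc):
    """Map each resource ID to its flow logs that are in the ACTIVE state."""
    by_resource = {}
    for fl in flow_logs_doc.get("FlowLogs", []):
        if fl.get("FlowLogStatus") != "ACTIVE":
            continue  # a DELETED or otherwise inactive log gives no coverage
        by_resource.setdefault(fl["ResourceId"], []).append(fl)
    return by_resource


def vpcs_without_flow_logs(vpcs_doc, flow_logs_doc):
    """VPC IDs with no ACTIVE flow log attached at the VPC level."""
    covered = active_flow_logs_by_resource(flow_logs_doc)
    return sorted(v["VpcId"] for v in vpcs_doc.get("Vpcs", [])
                  if v["VpcId"] not in covered)


def failing_deliveries(flow_logs_doc):
    """Flow logs that exist but cannot deliver: (flow log id, resource, reason).

    A FAILED delivery status usually means the IAM role or the destination
    permissions are wrong (troubleshooting steps 1 and 2).
    """
    problems = []
    for fl in flow_logs_doc.get("FlowLogs", []):
        if fl.get("DeliverLogsStatus") == "FAILED" or fl.get("DeliverLogsErrorMessage"):
            problems.append((fl["FlowLogId"], fl["ResourceId"],
                             fl.get("DeliverLogsErrorMessage", "unknown")))
    return problems


def report(vpcs_doc, flow_logs_doc):
    """Return one finding per line; an all-clear line if there are none."""
    lines = [f"VPC {v} has no active flow log"
             for v in vpcs_without_flow_logs(vpcs_doc, flow_logs_doc)]
    lines += [f"Flow log {fl} on {res} is not delivering: {why}"
              for fl, res, why in failing_deliveries(flow_logs_doc)]
    return lines or ["All VPCs have an active, delivering flow log"]


if __name__ == "__main__":
    # With real data, load the output of the two CLI commands with json.load.
    for line in report(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(line)
```

The check is deliberately strict: a flow log attached to a subnet or ENI has that subnet or ENI as its ResourceId, so it does not count as coverage for the VPC, which is what this rule asks for. On the sample data it reports vpc-0a1b2c3d4e5f60003 as uncovered and fl-0000000000000002 as failing to deliver.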

Necessary Codes:

If VPC flow logs are not enabled or need to be reconfigured, use the following AWS CLI command:

aws ec2 create-flow-logs --resource-type <resource type> --resource-ids <resource IDs> --traffic-type <traffic type> --log-destination-type <destination type> --log-destination <log destination> --deliver-logs-permission-arn <IAM role ARN>

Replace the placeholders with the appropriate values:

  • <resource type>: The type of resource for which you want to enable flow logs, such as "VPC" or "Subnet".
  • <resource IDs>: The ID(s) of the resource(s) for which you want to enable flow logs.
  • <traffic type>: The type of traffic to capture in the flow logs, such as "ACCEPT" or "REJECT".
  • <destination type>: Where the logs go, "cloud-watch-logs" or "s3"; it must match the ARN given as the log destination.
  • <log destination>: The destination where flow logs should be stored, such as a CloudWatch Logs group ARN or an S3 bucket ARN.
  • <IAM role ARN>: The ARN of the IAM role that should have permission to publish flow logs. The CLI option for it is --deliver-logs-permission-arn; it is required for a CloudWatch Logs destination and is not used for an S3 destination.

Step-by-Step Guide for Remediation:

To enable VPC flow logs for NIST 800-53 Revision 5 compliance, follow these steps:

  1. Open the AWS Management Console and navigate to the VPC service.
  2. Select the desired VPC or subnet for enabling flow logs.
  3. Click on the "Flow Logs" tab.
  4. Click on the "Create Flow Log" button.
  5. Configure the following settings based on your requirements:
     • Resource Type: Choose the appropriate resource type, either "VPC," "Subnet," or "ENI."
     • Resources: Select the specific resource(s) for which you want to enable flow logs.
     • Traffic Type: Choose the type of traffic you want to capture, such as "ACCEPT" or "REJECT."
     • Filter: Optionally, specify a filter for more granular logging.
     • IAM Role: Select or create an IAM role that has permission to publish flow logs.
     • Destination: Choose the destination where flow logs should be stored, such as a CloudWatch Logs group or an S3 bucket.
  6. Click on the "Create" button to enable VPC flow logs.
  7. Verify the flow log status, ensuring it is "Active" within the desired time frame.
  8. Review the flow logs either in CloudWatch Logs or the selected log destination to analyze network traffic and troubleshoot any issues.

By following these steps, you can enable VPC flow logs and ensure compliance with NIST 800-53 Revision 5 for your VPC.
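Step 8 says to review the delivered flow logs. The script below is an added example, not CloudDefense code, showing what that review looks like in practice: it parses records in the default 14-field flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), drops NODATA and SKIPDATA records that carry no flow, and counts REJECTed flows per destination port and per source so that a misconfigured security group or unwanted inbound traffic stands out. The sample records are constructed; the account ID, ENI ID and addresses are made up for this example.

```python
"""Summarise VPC flow log records in the default format.

Added example (not CloudDefense code). Parses the 14-field default record,
skips NODATA/SKIPDATA records, and counts REJECTed flows per destination
port and per source address for a first pass over delivered logs.
"""
from collections import Counter

# Field order of the default flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records; account ID, ENI ID and addresses are made up.
SAMPLE_RECORDS = """\
2 123456789012 eni-0abc123def4567890 10.0.1.15 10.0.2.8 49152 443 6 12 3120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def4567890 198.51.100.7 10.0.2.8 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def4567890 198.51.100.7 10.0.2.8 51001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def4567890 198.51.100.9 10.0.2.8 40000 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def4567890 - - - - - - - 1700000060 1700000120 - NODATA
2 123456789012 eni-0abc123def4567890 - - - - - - - 1700000120 1700000180 - SKIPDATA
"""


def parse_record(line):
    """Return a dict for one default-format record, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Numeric fields are "-" in NODATA/SKIPDATA records; keep those as None.
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_records(text):
    """Parse all lines, dropping blank, malformed and no-data records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records describe no flow
        out.append(rec)
    return out


def rejects_by_dst_port(records):
    """Count REJECT records per destination port, most rejected first."""
    counts = Counter(r["dstport"] for r in records if r["action"] == "REJECT")
    return counts.most_common()


def rejecting_sources(records):
    """Distinct source addresses that produced at least one REJECT."""
    return sorted({r["srcaddr"] for r in records if r["action"] == "REJECT"})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(f"{len(recs)} usable records")
    for port, n in rejects_by_dst_port(recs):
        print(f"port {port}: {n} rejected flows")
    print("sources with rejects:", ", ".join(rejecting_sources(recs)))
```

On the sample records it keeps the four OK records, reports two rejected flows to port 22 and one to port 3389, and names the two source addresses behind them. For logs delivered to CloudWatch Logs the same parsing applies to each event message; for S3 the records are gzip-compressed files with a header line that must be skipped first.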
