
Enable VPC Flow Logs Rule

This rule ensures VPC flow logs are enabled on the network for improved security and monitoring.

Rule: VPC flow logs should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Ensuring VPC Flow Logs are Enabled for NIST 800-53 Revision 5 Compliance

VPC Flow Logs are a feature that allows you to capture information about the IP traffic going to and from network interfaces in your Virtual Private Cloud (VPC). Enabling VPC Flow Logs is a critical aspect of monitoring network traffic and of demonstrating compliance with the NIST 800-53 Revision 5 security and privacy framework.

NIST 800-53 Revision 5 requires organizations to continuously monitor, log, and analyze the security state of their information systems. Without enabling flow logs, an organization may not capture sufficient information needed for auditing and cannot ensure accountability or investigate security incidents efficiently.

Rule Description

According to NIST 800-53 Revision 5, the relevant control enhancements are:

  • AU-12 (1): Audit Generation | Traffic / Data Content
  • SI-4 (2): Information System Monitoring | Flow Records
  • RA-5 (5): Vulnerability Scanning | Privileged Access

These controls recommend the collection and analysis of flow logs to detect unusual or unauthorized activities indicating potential security incidents within the cloud environment.

Troubleshooting Steps if Logs Aren't Enabled

  1. Check whether VPC flow logs have been enabled:
     • Navigate to the Amazon VPC console.
     • Select your VPC.
     • Check the "Flow Logs" tab for any existing logs.
  2. Verify permissions:
     • Ensure your IAM user has the required permissions (ec2:CreateFlowLogs, iam:CreateRole, iam:CreatePolicy).
  3. Consult CloudWatch Logs:
     • If flow logs are enabled but not appearing, confirm that the correct IAM role and permissions are assigned to publish logs to CloudWatch.
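As an added example (not code from Cloud Defense or AWS), step 1 done programmatically: the function below evaluates the rule over the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` return, so it can be run offline against a saved export. It goes slightly beyond the console check by also treating an inactive flow log, or one that records only ACCEPT or only REJECT traffic, as a failure. All VPC and flow log ids are constructed placeholders.

```python
"""Evaluate "VPC flow logs should be enabled" against describe-vpcs /
describe-flow-logs output. Added example, not Cloud Defense's or AWS's code;
all ids below are constructed placeholders."""
import json

# Constructed sample: one VPC fully logged, one logging ACCEPT traffic only,
# one with no flow log at all.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa111122223333a"},
    {"VpcId": "vpc-0bbb111122223333b"},
    {"VpcId": "vpc-0ccc111122223333c"},
]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0a", "ResourceId": "vpc-0aaa111122223333a",
     "TrafficType": "ALL", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "cloud-watch-logs"},
    {"FlowLogId": "fl-0b", "ResourceId": "vpc-0bbb111122223333b",
     "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "cloud-watch-logs"},
]


def evaluate_vpcs(vpcs, flow_logs):
    """Map each VPC id to (compliant, reason).

    A VPC passes only when it has an ACTIVE flow log with TrafficType ALL.
    Flow logs attached at subnet or ENI level carry a subnet-/eni- ResourceId
    and therefore do not satisfy the VPC-level rule here.
    """
    logs_by_resource = {}
    for fl in flow_logs:
        logs_by_resource.setdefault(fl["ResourceId"], []).append(fl)

    results = {}
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        logs = logs_by_resource.get(vpc_id, [])
        if not logs:
            results[vpc_id] = (False, "no flow log configured")
            continue
        good = [fl for fl in logs
                if fl.get("FlowLogStatus") == "ACTIVE"
                and fl.get("TrafficType") == "ALL"]
        if good:
            results[vpc_id] = (True, f"{good[0]['FlowLogId']} captures ALL traffic")
        else:
            seen = ", ".join(sorted(
                f"{fl.get('TrafficType')}/{fl.get('FlowLogStatus')}" for fl in logs))
            results[vpc_id] = (False, f"flow log present but not ACTIVE+ALL ({seen})")
    return results


def noncompliant_vpcs(results):
    """Sorted ids of VPCs that fail the rule, ready to hand to remediation."""
    return sorted(vpc_id for vpc_id, (ok, _) in results.items() if not ok)


def evaluate_from_cli_json(vpcs_json, flow_logs_json):
    """Same check over the raw text of the two CLI commands."""
    return evaluate_vpcs(json.loads(vpcs_json)["Vpcs"],
                         json.loads(flow_logs_json)["FlowLogs"])


if __name__ == "__main__":
    for vpc_id, (ok, reason) in evaluate_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"{vpc_id}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Against live data, feed `evaluate_from_cli_json` the output of `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`; the reason strings give the auditor the evidence the rule wants, not just a pass/fail bit.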

Necessary Codes to Enable VPC Flow Logs

AWS CLI Command to Enable Flow Logs

aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-xxxxxxxxxxxxxxxxx \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-destination arn:aws:logs:region:account-id:log-group:log-group-name \
  --deliver-logs-permission-arn arn:aws:iam::account-id:role/policy-name \
  --max-aggregation-interval 60

Replace vpc-xxxxxxxxxxxxxxxxx with your VPC ID, region with your AWS region, account-id with your AWS account ID, log-group-name with your CloudWatch Logs group name, and policy-name with the name of the IAM role that flow logs assume to publish to CloudWatch Logs (the --deliver-logs-permission-arn value is a role ARN, not a policy ARN).

Terraform Example to Enable Flow Logs

resource "aws_flow_log" "example" {
  iam_role_arn    = aws_iam_role.example.arn
  log_destination = aws_cloudwatch_log_group.example.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.example.id
}

Make sure to define the aws_cloudwatch_log_group, aws_iam_role, and aws_vpc resources in your Terraform files.

Step by Step Guide for Remediation

  1. Log in to AWS Management Console.
  2. Navigate to the VPC Dashboard.
  3. Select the target VPC.
  4. Click on the "Actions" dropdown and select "Create flow log."
  5. Specify the desired configuration for the flow log:
     • Filter: Choose "All" to log all traffic.
     • Destination log group: Specify or create a new CloudWatch Logs group.
     • IAM Role: Create or select an IAM role with the required permissions.
  6. Click "Create."

Alternatively, you can use AWS CLI or infrastructure as code tools like Terraform or AWS CloudFormation for automation purposes.
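The CLI and Terraform snippets above refer to an IAM role "with the required permissions" without spelling them out. As an added example (not Cloud Defense's, AWS's or the Terraform provider's code), the Python below assembles the trust and permissions documents for that delivery role and then creates one ALL-traffic flow log per non-compliant VPC with the same settings as the CLI command on this page. The account id, log group and role names are placeholders, and the `RecordingEc2` stub stands in for `boto3.client('ec2')` so the example runs offline; pass a real client to `remediate` to apply it.

```python
"""Remediation for VPCs without flow logs. Added example, not Cloud Defense's
or AWS's code. Account id, log group and role names are placeholders; the
EC2 client is duck-typed so a boto3 client or the offline stub both work."""
import json

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def delivery_role_documents(account_id):
    """Trust policy and permissions policy for the flow log delivery role.

    The aws:SourceAccount condition limits who can make the flow-logs service
    assume this role (confused-deputy protection). The permissions are the
    CloudWatch Logs actions flow log delivery needs; Resource can be narrowed
    to the target log group's ARN and its streams once that ARN is known.
    """
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                       "logs:PutLogEvents", "logs:DescribeLogGroups",
                       "logs:DescribeLogStreams"],
            "Resource": "*",
        }],
    }
    return trust, permissions


def flow_log_request(vpc_id, log_group_arn, role_arn):
    """Parameters for ec2.create_flow_logs, matching the page's CLI command:
    all traffic, CloudWatch Logs destination, 60-second aggregation."""
    return {
        "ResourceIds": [vpc_id],
        "ResourceType": "VPC",
        "TrafficType": "ALL",
        "LogDestinationType": "cloud-watch-logs",
        "LogDestination": log_group_arn,
        "DeliverLogsPermissionArn": role_arn,
        "MaxAggregationInterval": 60,
    }


def remediate(ec2, vpc_ids, log_group_arn, role_arn):
    """Create a flow log for each VPC; return {vpc_id: flow_log_id}.

    CreateFlowLogs reports per-resource failures in "Unsuccessful" with a
    200 status, so that list is checked explicitly rather than assumed empty.
    """
    created = {}
    for vpc_id in vpc_ids:
        resp = ec2.create_flow_logs(**flow_log_request(vpc_id, log_group_arn, role_arn))
        if resp.get("Unsuccessful"):
            raise RuntimeError(f"{vpc_id}: {resp['Unsuccessful']}")
        created[vpc_id] = resp["FlowLogIds"][0]
    return created


class RecordingEc2:
    """Offline stand-in for boto3.client('ec2'): records each request and
    answers with the response shape CreateFlowLogs returns."""
    def __init__(self):
        self.calls = []

    def create_flow_logs(self, **kwargs):
        self.calls.append(kwargs)
        return {"FlowLogIds": [f"fl-{len(self.calls):017d}"], "Unsuccessful": []}


if __name__ == "__main__":
    account = "111122223333"  # placeholder account id
    log_group = f"arn:aws:logs:us-east-1:{account}:log-group:vpc-flow-logs"
    role = f"arn:aws:iam::{account}:role/vpc-flow-logs-delivery"
    trust, perms = delivery_role_documents(account)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print(remediate(RecordingEc2(), ["vpc-0ccc111122223333c"], log_group, role))
```

The trust document goes on the role's assume-role policy and the permissions document on an attached policy; the role ARN then becomes the `--deliver-logs-permission-arn` value in the CLI command or the `iam_role_arn` in the Terraform resource.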

Ensuring that VPC flow logs are enabled is an aspect of a robust cloud security posture. By following the detailed guidelines provided, organizations can achieve and maintain compliance with NIST 800-53 Revision 5 standards, enhancing the security and integrity of their cloud environments.
