lacework-global-79

3.9 Enable Virtual Private Cloud (VPC) flow logging in all VPCs (Automated)

Profile Applicability

• Level 2

Description

VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in your VPC. After you create a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" in all VPCs.

Rationale

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic and to provide insight during security investigations.

Impact

By default, CloudWatch Logs stores logs indefinitely unless a retention period is defined for the log group. When choosing the number of days to retain, keep in mind that the average time it takes an organization to realize it has been breached is 210 days (at the time of this writing). Since additional time is required to investigate a breach, a minimum 365-day retention policy allows time for both detection and investigation. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource on managing CloudWatch Logs retention periods:

  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html

Audit

Perform the following to determine whether VPC Flow Logs are enabled:

From Console

  1. Sign into the management console
  2. Select Services then VPC
  3. In the left navigation pane, select Your VPCs
  4. Select a VPC
  5. In the right pane, select the Flow Logs tab.
  6. Ensure a Flow Log exists that has Active in the Status column.
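The console steps above check one VPC at a time. The following is an added example (not the benchmark's own code) that performs the same audit across an account with the describe APIs, and also applies the retention floor from the Impact section to the CloudWatch log groups that flow logs write to. The dict shapes mirror the boto3 responses of ec2.describe_vpcs(), ec2.describe_flow_logs() and logs.describe_log_groups(); the SAMPLE_* data is constructed. One assumption beyond the page: a flow log only counts as coverage if it is attached to the VPC itself (not a subnet or ENI) and its TrafficType is REJECT or ALL, since an ACCEPT-only log never records the rejected packets this control is after.

```python
"""Audit helpers for the VPC flow-logging check (added example, not the
benchmark's own code).  Dict shapes mirror boto3's describe_vpcs(),
describe_flow_logs() and describe_log_groups(); SAMPLE_* data is constructed."""

MIN_RETENTION_DAYS = 365   # the floor suggested in the Impact section

# Traffic filters that capture rejected packets (assumption: ACCEPT-only does
# not satisfy the control because it never records rejects).
REJECT_CAPTURING = {"REJECT", "ALL"}


def vpcs_without_active_flow_log(vpcs, flow_logs):
    """Return sorted VPC IDs lacking an ACTIVE, VPC-level flow log that
    captures rejected traffic.  A subnet- or ENI-level flow log only covers
    that resource, so it is not counted as coverage for the whole VPC."""
    covered = {
        fl["ResourceId"]
        for fl in flow_logs
        if fl.get("FlowLogStatus") == "ACTIVE"
        and fl.get("TrafficType") in REJECT_CAPTURING
        and fl["ResourceId"].startswith("vpc-")
    }
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def short_retention_log_groups(flow_logs, log_groups, min_days=MIN_RETENTION_DAYS):
    """Return sorted names of CloudWatch log groups used as flow-log
    destinations whose retention is shorter than min_days.  describe_log_groups()
    omits 'retentionInDays' for groups that never expire, which satisfies it."""
    used = {
        fl["LogGroupName"]
        for fl in flow_logs
        if fl.get("LogDestinationType") == "cloud-watch-logs" and fl.get("LogGroupName")
    }
    retention = {g["logGroupName"]: g.get("retentionInDays") for g in log_groups}
    return sorted(
        name for name in used
        if retention.get(name) is not None and retention[name] < min_days
    )


def audit(vpcs, flow_logs, log_groups):
    """Bundle both findings into one report."""
    return {
        "vpcs_without_flow_logs": vpcs_without_active_flow_log(vpcs, flow_logs),
        "log_groups_below_minimum_retention": short_retention_log_groups(flow_logs, log_groups),
    }


# Constructed sample data, not real account output.
SAMPLE_VPCS = [{"VpcId": "vpc-0a1b2c3d"}, {"VpcId": "vpc-1111aaaa"},
               {"VpcId": "vpc-2222bbbb"}, {"VpcId": "vpc-3333cccc"}]

SAMPLE_FLOW_LOGS = [
    # Compliant: VPC-level, ACTIVE, REJECT filter, CloudWatch Logs destination.
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-0a1b2c3d", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/vpc/flow-logs/prod"},
    # Not compliant: ACCEPT-only never records rejected packets.
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-1111aaaa", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ACCEPT", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/vpc/flow-logs/dev"},
    # Not compliant for vpc-2222bbbb: only a single subnet of it is logged.
    {"FlowLogId": "fl-0003", "ResourceId": "subnet-0f0f0f0f", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/vpc/flow-logs/dev"},
    # Compliant: ALL includes rejects; S3 destination has no CloudWatch retention.
    {"FlowLogId": "fl-0004", "ResourceId": "vpc-3333cccc", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-log-bucket"},
]

SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/vpc/flow-logs/prod", "retentionInDays": 90},  # below 365
    {"logGroupName": "/vpc/flow-logs/dev"},                           # never expires
]


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3   # only needed for a live run; the functions above are pure
        ec2, logs = boto3.client("ec2"), boto3.client("logs")
        vpcs = [v for p in ec2.get_paginator("describe_vpcs").paginate() for v in p["Vpcs"]]
        fls = [f for p in ec2.get_paginator("describe_flow_logs").paginate() for f in p["FlowLogs"]]
        lgs = [g for p in logs.get_paginator("describe_log_groups").paginate() for g in p["logGroups"]]
        print(audit(vpcs, fls, lgs))
    else:
        print(audit(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, SAMPLE_LOG_GROUPS))
```

Run without arguments it reports against the constructed sample (two VPCs without coverage and one log group below the floor); with `--live` it pages through the current account and region. The same per-VPC check from the CLI is `aws ec2 describe-flow-logs --filter Name=resource-id,Values=<vpc-id>`, which returns an empty FlowLogs list for an unlogged VPC.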

Remediation

Perform the following to enable VPC Flow Logs:

From Console

  1. Sign into the management console.
  2. Select Services then VPC.
  3. In the left navigation pane, select Your VPCs.
  4. Select a VPC.
  5. In the right pane, select the Flow Logs tab.
  6. If no Flow Log exists, click Create Flow Log.
  7. For Filter, select Reject.
  8. Enter an IAM Role and a Destination Log Group.
  9. Click Create Flow Log.
  10. Click CloudWatch Logs Group.

Note

Setting the filter to "Reject" dramatically reduces the volume of log data accumulated for this recommendation while still providing sufficient information for breach detection, investigation and remediation. However, while engineering least-privilege security groups, setting the filter to "All" can be very helpful for discovering the existing traffic flows required for proper operation of an already running environment.
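The following is an added example (not the benchmark's own code) of the remediation steps above as API calls: it builds the ec2.create_flow_logs() request with the Reject filter, pins the destination log group's retention with logs.put_retention_policy(), and reports per-VPC success or failure so a partial failure in the Unsuccessful list is not lost. As in step 8, it assumes the IAM role and the CloudWatch log group already exist. The role ARN, log group name and VPC IDs are placeholders; the _RecordingClient stand-in for the boto3 clients is constructed for the dry run and is assumed, as is the ordering of FlowLogIds matching the request order.

```python
"""Remediation helpers (added example, not the benchmark's own code).
Assumes the IAM role and destination log group already exist."""

VALID_TRAFFIC_TYPES = ("ACCEPT", "REJECT", "ALL")
# Retention values CloudWatch Logs accepts at the time of writing.
RETENTION_CHOICES = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                     731, 1096, 1827, 2192, 2557, 2922, 3288, 3653)


def flow_log_request(vpc_ids, log_group_name, role_arn, traffic_type="REJECT"):
    """kwargs for ec2.create_flow_logs().  REJECT is the benchmark's filter;
    pass "ALL" temporarily while engineering least-privilege security groups."""
    if traffic_type not in VALID_TRAFFIC_TYPES:
        raise ValueError(f"traffic_type must be one of {VALID_TRAFFIC_TYPES}")
    if not vpc_ids or not all(v.startswith("vpc-") for v in vpc_ids):
        raise ValueError("expected one or more VPC IDs")
    return {
        "ResourceType": "VPC",
        "ResourceIds": list(vpc_ids),
        "TrafficType": traffic_type,
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group_name,
        "DeliverLogsPermissionArn": role_arn,   # role the flow-log service writes with
    }


def enable_flow_logs(ec2, logs, vpc_ids, log_group_name, role_arn,
                     traffic_type="REJECT", retention_days=365):
    """Set the log group's retention, then create the flow logs.
    Returns {vpc_id: flow-log id} for successes and {vpc_id: "error: ..."}
    for entries the API lists under Unsuccessful."""
    if retention_days not in RETENTION_CHOICES:
        raise ValueError(f"retention_days must be one of {RETENTION_CHOICES}")
    logs.put_retention_policy(logGroupName=log_group_name, retentionInDays=retention_days)
    resp = ec2.create_flow_logs(**flow_log_request(vpc_ids, log_group_name, role_arn, traffic_type))
    failed = {u["ResourceId"]: u["Error"]["Message"] for u in resp.get("Unsuccessful", [])}
    succeeded = [v for v in vpc_ids if v not in failed]
    # Assumption: FlowLogIds come back in the order of the successful ResourceIds.
    result = dict(zip(succeeded, resp.get("FlowLogIds", [])))
    result.update({v: "error: " + msg for v, msg in failed.items()})
    return result


class _RecordingClient:
    """Constructed stand-in for a boto3 client: records calls and fakes a
    fully successful create_flow_logs() response.  Used for the dry run."""
    def __init__(self):
        self.calls = []

    def put_retention_policy(self, **kw):
        self.calls.append(("put_retention_policy", kw))
        return {}

    def create_flow_logs(self, **kw):
        self.calls.append(("create_flow_logs", kw))
        ids = [f"fl-{i:04d}" for i in range(len(kw["ResourceIds"]))]
        return {"FlowLogIds": ids, "Unsuccessful": []}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3   # only needed for a live run; replace the placeholder IDs first
        ec2, logs = boto3.client("ec2"), boto3.client("logs")
    else:
        ec2, logs = _RecordingClient(), _RecordingClient()
    print(enable_flow_logs(ec2, logs, ["vpc-1111aaaa", "vpc-2222bbbb"],
                           "/vpc/flow-logs/dev",
                           "arn:aws:iam::123456789012:role/vpc-flow-logs"))
```

Without `--live` the script records the two calls it would make and prints the fake flow-log IDs; with `--live` the same code issues them against the account. The equivalent CLI call is `aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-destination-type cloud-watch-logs --log-group-name <group> --deliver-logs-permission-arn <role-arn>`.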

References

CCE-79202-8
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html