Skip to content

AWS VPC Flow logs not enabled

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into network traffic that traverses the VPC.

We recommend that VPC Flow Logs are enabled for packet Rejects for VPCs to help detect anomalous traffic and insight during security workflows.

Fix - Runtime

AWS Console

To determine if the VPC Flow logs is enabled, follow these steps:

  1. Log in to the AWS Management Console at [https://console.aws.amazon.com/]
  2. Select Services.
  3. Select VPC.
  4. In the left navigation pane, select Your VPCs.
  5. Select a VPC.
  6. In the right pane, select the Flow Logs tab.
  7. If no Flow Log exists, click Create Flow Log.
  8. Set Filter to Reject.
  9. Enter a Role and Destination Log Group.
  10. Click Create Log Flow.
  11. Click CloudWatch Logs Group.

Fix - Buildtime

Terraform

  • Resources: aws_flow_log + aws_vpc
  • Argument: vpc_id (of aws_flow_log)
resource "aws_flow_log" "example" {
  iam_role_arn    = "arn"
  log_destination = "log"
  traffic_type    = "ALL"
+ vpc_id          = aws_vpc.ok_vpc.id
}

resource "aws_vpc" "ok_vpc" {
  cidr_block = "10.0.0.0/16"
}