Overview
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data from the destination you chose, Amazon CloudWatch Logs or Amazon S3. It is recommended that VPC Flow Logs be enabled with the "Reject" filter for all VPCs, so that packets dropped by security groups and network ACLs are recorded.
Rationale
VPC Flow Logs provide visibility into network traffic that traverses the VPC. They can be used to detect anomalous traffic (port scans, connection attempts to closed ports, unexpected egress) and to provide evidence during security investigations and incident response.
Remediation guidance
Perform the following to determine whether VPC Flow Logs are enabled, and to enable them where they are not:
Via the Management Console
- Sign into the management console
- Select Services, then VPC
- In the left navigation pane, select Your VPCs
- Select a VPC
- In the right pane, select the Flow Logs tab
- If no Flow Log exists, click Create Flow Log
- For Filter, select Reject
- Enter a Role and Destination Log Group
- Click Create Flow Log
- Click on the CloudWatch Logs Group to confirm that log streams are being delivered
Note: Setting the filter to "Reject" dramatically reduces the volume of log data accumulated under this recommendation while still providing sufficient information for breach detection, research and remediation. However, during periods of least-privilege security group engineering, setting the filter to "All" can be very helpful in discovering the existing traffic flows required for proper operation of an already running environment. Keep in mind that a "Reject"-only flow log records nothing about traffic that the security groups and network ACLs allowed, so it will not show, for example, exfiltration over a permitted outbound port; use "All", or a separate flow log with the "Accept" filter, where that visibility is needed. A flow log that exists but whose delivery to the log group is failing (for example because the IAM role lacks permission) also provides no data, so verify delivery, not just the presence of the flow log.
Impact
By default, CloudWatch Logs stores log events indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind that the average time it takes an organization to realize it has been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service, such as Amazon S3, rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html
References
- CCE-79202-8
- CIS CSC v6.0 #6.5, #12.9
- https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
Notes
Changed title from
"Ensure VPC flow logging is enabled in all applicable regions"
to
"Ensure VPC flow logging is enabled in all VPCs"
For these reasons:
- Flow logs cannot be enabled for regions, only for VPCs
- The statement did not define an "Applicable Region" and did not clarify "all VPCs in applicable regions"
- All other benchmark recommendations appear to assume that you apply them to "any actively used configuration or resource" or to "all resources", so specifying "applicable" to mean "active" or "compliant with the benchmark" seems unnecessary.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
VPC flow logging is enabled in all VPCs
- Connectors: AWS
- Covered asset types: VPCs
- Expected check: eq [] (the query must return no VPCs)
- Query:
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}
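The following Python script is an added example, not the benchmark's or AWS's own tooling, and it is not part of the original page. It implements the same rule as the stored check above (a VPC fails when it has no flow log or none of its flow logs is ACTIVE; the expected result is an empty list) and then builds the parameters for the `create_flow_logs` remediation described under "Remediation guidance". The pure functions run offline on constructed sample data shaped like the `Vpcs` and `FlowLogs` lists returned by boto3's `describe_vpcs` and `describe_flow_logs`; only `audit_region()` touches AWS, and it is never called at import time. The log group name and role ARN it uses are placeholders supplied by the caller. Going slightly beyond the stored check, it also flags flow logs whose delivery is failing, which the ACTIVE status alone does not reveal.

```python
"""Audit VPC flow-log coverage and build create_flow_logs parameters.

Example code added to this page (not the benchmark's or AWS's own tooling).
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

VALID_TRAFFIC_TYPES = {"ACCEPT", "REJECT", "ALL"}

# Constructed sample data (not real account data), shaped like the "Vpcs" and
# "FlowLogs" lists returned by ec2.describe_vpcs() / ec2.describe_flow_logs().
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa", "IsDefault": True},
    {"VpcId": "vpc-0bbb", "IsDefault": False},
    {"VpcId": "vpc-0ccc", "IsDefault": False},
    {"VpcId": "vpc-0ddd", "IsDefault": False},
]
SAMPLE_FLOW_LOGS = [
    # vpc-0aaa: VPC-level REJECT log, active and delivering -> compliant.
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "DeliverLogsStatus": "SUCCESS"},
    # vpc-0bbb: ACTIVE by status, but delivery to the log group is failing.
    # The benchmark check passes; delivery_failures() still flags it.
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-0bbb", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error"},
    # vpc-0ccc: only a subnet-level log exists; the VPC itself is not covered.
    {"FlowLogId": "fl-0003", "ResourceId": "subnet-0ccc1", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "DeliverLogsStatus": "SUCCESS"},
    # vpc-0ddd: no flow log at all.
]


def active_vpc_flow_logs(flow_logs: Iterable[dict]) -> dict[str, list[dict]]:
    """Group ACTIVE flow logs by the VPC they are attached to.

    Subnet- and ENI-level logs are ignored: they do not cover the whole VPC,
    which is what this recommendation requires.
    """
    by_vpc = defaultdict(list)
    for fl in flow_logs:
        if fl.get("ResourceId", "").startswith("vpc-") and fl.get("FlowLogStatus") == "ACTIVE":
            by_vpc[fl["ResourceId"]].append(fl)
    return dict(by_vpc)


def find_uncovered_vpcs(vpcs: Iterable[dict], flow_logs: Iterable[dict]) -> list[str]:
    """VPC IDs with no ACTIVE VPC-level flow log: the set the stored check returns.

    A compliant account yields [] (the page's "Expected check: eq []").
    """
    covered = active_vpc_flow_logs(flow_logs)
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def delivery_failures(flow_logs: Iterable[dict]) -> list[tuple[str, str, str]]:
    """(FlowLogId, ResourceId, error) for flow logs whose last delivery failed."""
    return [(fl["FlowLogId"], fl["ResourceId"], fl.get("DeliverLogsErrorMessage", ""))
            for fl in flow_logs if fl.get("DeliverLogsStatus") == "FAILED"]


def plan_create_flow_logs(vpc_ids: Iterable[str], log_group_name: str, role_arn: str,
                          traffic_type: str = "REJECT") -> list[dict]:
    """Build one ec2.create_flow_logs(**kwargs) call per uncovered VPC.

    Keyword names are boto3's. log_group_name and role_arn are placeholders
    supplied by the caller; the role must be assumable by vpc-flow-logs.amazonaws.com
    and allowed to write to the log group.
    """
    if traffic_type not in VALID_TRAFFIC_TYPES:
        raise ValueError(f"traffic_type must be one of {sorted(VALID_TRAFFIC_TYPES)}")
    return [{"ResourceType": "VPC", "ResourceIds": [vpc_id], "TrafficType": traffic_type,
             "LogDestinationType": "cloud-watch-logs", "LogGroupName": log_group_name,
             "DeliverLogsPermissionArn": role_arn} for vpc_id in vpc_ids]


def audit_region(region_name: str, log_group_name: str, role_arn: str, apply: bool = False):
    """Run the audit against a live region (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline functions above need no SDK

    ec2 = boto3.client("ec2", region_name=region_name)
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate() for v in page["Vpcs"]]
    flow_logs = [f for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for f in page["FlowLogs"]]
    uncovered = find_uncovered_vpcs(vpcs, flow_logs)
    plan = plan_create_flow_logs(uncovered, log_group_name, role_arn)
    if apply:
        for kwargs in plan:
            ec2.create_flow_logs(**kwargs)
    return uncovered, delivery_failures(flow_logs), plan


if __name__ == "__main__":
    uncovered = find_uncovered_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS)
    print("VPCs without an ACTIVE flow log:", uncovered)
    print("flow logs failing delivery:", delivery_failures(SAMPLE_FLOW_LOGS))
    for call in plan_create_flow_logs(uncovered, "vpc-flow-logs",
                                      "arn:aws:iam::123456789012:role/VpcFlowLogs"):
        print("create_flow_logs", call)
```

Run per region, since flow logs and VPCs are regional; the subnet-only case (vpc-0ccc) is deliberately included because a subnet or ENI flow log is easy to mistake for VPC coverage in a console review, and the delivery-failure case (vpc-0bbb) shows why "flow log exists" is not the same as "flow log data is arriving".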