Ensure VPC Flow Logs are enabled for production VPCs

VPC Flow Logs capture network metadata that is essential for incident response and threat hunting.

Category: Controls

Severity: Medium

Applies to: AWS

Coverage: 1 query

Asset types: 1 covered

Why this matters

Without Flow Logs, you have reduced visibility into suspicious east-west and north-south traffic patterns.

What this control should detect

Production VPCs that do not have VPC Flow Logs enabled to a central logging destination.

Remediation guidance

AWS Remediation

Service-wide fix (recommended): require Flow Logs in every production VPC through landing-zone templates and account onboarding, then remediate the VPCs that are already deployed.

When to use service-wide remediation

Use the service-wide path when many VPCs are affected. Flow Logs are easiest to standardize at VPC creation time, with a central CloudWatch Logs group or S3 destination.

Console

  1. Open the Amazon VPC console.
  2. Select the affected VPC.
  3. Open the Flow logs tab and choose Create flow log.
  4. Select All traffic unless your policy explicitly requires a narrower filter.
  5. Choose the destination type: CloudWatch Logs or Amazon S3.
  6. If you use CloudWatch Logs, select an IAM role that allows delivery.
  7. Save and confirm the flow log becomes active.

AWS CLI

Send Flow Logs to CloudWatch Logs:

aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids <vpc-id> \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name <log-group-name> \
  --deliver-logs-permission-arn <iam-role-arn>

Send Flow Logs to S3:

aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids <vpc-id> \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::<bucket-name>/<optional-prefix>

Validate the result:

aws ec2 describe-flow-logs \
  --filter Name=resource-id,Values=<vpc-id>

Operational notes

  • Use a central logging account or approved logging bucket if your environment is multi-account.
  • Make sure the destination bucket policy or CloudWatch Logs role allows log delivery.
  • Flow Logs are not a packet capture. They provide network metadata that is useful for threat hunting, incident response, and troubleshooting.
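The notes above say Flow Logs are metadata rather than packets, and the "Why this matters" section distinguishes east-west from north-south traffic. The following added example (not code from AWS or Cyscale) parses records in the documented default flow log format, classifies each flow by direction against the VPC's CIDRs, and tallies rejected flows per source and destination port. The sample records, account id, interface id and CIDR are constructed.

```python
"""Parse default-format VPC Flow Log records and summarize them for triage.

Added example; not code from AWS or Cyscale. Field order is the documented
default (version 2) record format. The sample records are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Field order of the default flow log record format.
DEFAULT_FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log-status")

# Constructed sample records: one accepted SSH flow inside the VPC, three
# rejected inbound flows from a documentation-range address, one NODATA row.
SAMPLE_RECORDS = """\
2 123456789012 eni-0abc 10.0.1.15 10.0.2.40 51234 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.15 44321 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.15 44322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.15 44323 445 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str | None
    dstaddr: str | None
    srcport: int | None
    dstport: int | None
    protocol: int | None
    packets: int
    bytes: int
    start: int
    end: int
    action: str | None
    log_status: str


def _opt(value: str) -> str | None:
    return None if value == "-" else value


def _opt_int(value: str) -> int | None:
    return None if value == "-" else int(value)


def parse_record(line: str) -> FlowRecord:
    """Parse one whitespace-separated record; NODATA/SKIPDATA rows carry '-' fields."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    f = dict(zip(DEFAULT_FIELDS, parts))
    return FlowRecord(
        interface_id=f["interface-id"],
        srcaddr=_opt(f["srcaddr"]), dstaddr=_opt(f["dstaddr"]),
        srcport=_opt_int(f["srcport"]), dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]),
        packets=_opt_int(f["packets"]) or 0, bytes=_opt_int(f["bytes"]) or 0,
        start=int(f["start"]), end=int(f["end"]),
        action=_opt(f["action"]), log_status=f["log-status"],
    )


def parse_records(text: str) -> list[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def direction(rec: FlowRecord, vpc_cidrs: tuple[str, ...]) -> str:
    """'east-west' if both endpoints are inside the VPC CIDRs, else 'north-south'."""
    if rec.srcaddr is None or rec.dstaddr is None:
        return "unknown"
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]

    def inside(addr: str) -> bool:
        return any(ipaddress.ip_address(addr) in n for n in nets)

    return "east-west" if inside(rec.srcaddr) and inside(rec.dstaddr) else "north-south"


def rejected_by_source_and_port(records) -> Counter:
    """Count REJECT records per (srcaddr, dstport): a quick view of blocked traffic."""
    return Counter((r.srcaddr, r.dstport) for r in records
                   if r.log_status == "OK" and r.action == "REJECT")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (src, port), n in rejected_by_source_and_port(recs).most_common():
        print(f"{src} -> port {port}: {n} rejected flows")
```

Records delivered to S3 arrive gzipped with a header line naming the fields; if you use a custom format, replace DEFAULT_FIELDS with the field list from that header rather than assuming the default order.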

References

  • https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
  • https://docs.aws.amazon.com/cli/latest/reference/ec2/create-flow-logs.html

Query logic

These are the stored checks tied to this control.

VPCs without flow logs

Connectors: AWS

Covered asset types: VPC

Expected check: eq [] (the query must return no assets)

{
  vpcs(where: {
    cloudProvider: "aws",
    OR: [
      { hasFlowLog: null },
      { hasFlowLog_NONE: { flowLogStatus: "ACTIVE" } }
    ]
  }) {
    ...AssetFragment
  }
}
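The stored query above flags a VPC when it has no flow log or when none of its flow logs is ACTIVE, and the "Validate the result" step earlier shows the describe-flow-logs call whose output you inspect. The following added example (not Cyscale's query engine or AWS code) implements the same check offline over the data shapes returned by `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`, and goes one step further than the stored query by also requiring the destination to be one of an approved central set, as the control's description asks. The VPC ids, account ids, bucket name, log group names and the env tag convention are constructed placeholders.

```python
"""Offline model of the "VPCs without flow logs" check.

Added example, not Cyscale's query engine or code from AWS. It consumes the
shapes returned by `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`
(only the keys used here) and reports production VPCs that lack an ACTIVE
flow log delivering to an approved central destination.
"""
from __future__ import annotations

# Constructed sample output of describe-vpcs (trimmed to the keys used).
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa", "Tags": [{"Key": "env", "Value": "production"}]},
    {"VpcId": "vpc-0bbb", "Tags": [{"Key": "env", "Value": "production"}]},
    {"VpcId": "vpc-0ccc", "Tags": [{"Key": "env", "Value": "production"}]},
    {"VpcId": "vpc-0ddd", "Tags": [{"Key": "env", "Value": "production"}]},
    {"VpcId": "vpc-0eee", "Tags": [{"Key": "env", "Value": "dev"}]},
]

# Constructed sample output of describe-flow-logs; account ids, bucket and
# log group names are placeholders.
SAMPLE_FLOW_LOGS = [
    # Healthy: ACTIVE, all traffic, central S3 bucket.
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::central-flow-logs-example/vpc/"},
    # Created, but delivery is not active.
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0bbb", "FlowLogStatus": "INACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::central-flow-logs-example/vpc/"},
    # Active, but delivering to a log group in the workload account rather
    # than the central destination.
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0ccc", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/local/vpc-flow-logs",
     "LogDestination": "arn:aws:logs:us-east-1:111111111111:log-group:/local/vpc-flow-logs"},
    # vpc-0ddd has no flow log at all; vpc-0eee is not production.
]

# Approved central destinations (placeholders): an S3 bucket ARN and a
# CloudWatch Logs group ARN in the logging account.
APPROVED_DESTINATIONS = (
    "arn:aws:s3:::central-flow-logs-example",
    "arn:aws:logs:us-east-1:222222222222:log-group:/central/vpc-flow-logs",
)


def is_production(vpc: dict) -> bool:
    """Production is identified by an env tag here; adapt to your tagging scheme."""
    tags = {t["Key"].lower(): t["Value"].lower() for t in vpc.get("Tags", [])}
    return tags.get("env") in {"prod", "production"}


def destination_of(flow_log: dict) -> str:
    """Delivery target ARN, falling back to LogGroupName for CloudWatch flow logs."""
    return flow_log.get("LogDestination") or flow_log.get("LogGroupName") or ""


def is_approved(destination: str, approved: tuple[str, ...]) -> bool:
    """Exact ARN match, or a key prefix inside an approved S3 bucket."""
    return any(destination == a or destination.startswith(a + "/") for a in approved)


def problems(flow_log: dict, approved: tuple[str, ...], require_all_traffic: bool) -> list[str]:
    """Reasons this individual flow log does not satisfy the control."""
    found = []
    status = flow_log.get("FlowLogStatus")
    if status != "ACTIVE":
        found.append(f"status {status}")
    if require_all_traffic and flow_log.get("TrafficType") != "ALL":
        found.append(f"traffic type {flow_log.get('TrafficType')}")
    dest = destination_of(flow_log)
    if not is_approved(dest, approved):
        found.append(f"destination not approved: {dest}")
    return found


def find_noncompliant_vpcs(vpcs, flow_logs, approved=APPROVED_DESTINATIONS,
                           require_all_traffic=True) -> dict[str, str]:
    """Return {vpc_id: reason} for production VPCs that fail the control.

    A VPC passes if at least one of its flow logs has no problems; otherwise
    the distinct reasons across all of its flow logs are reported.
    """
    by_vpc: dict[str, list[dict]] = {}
    for fl in flow_logs:
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)

    findings: dict[str, str] = {}
    for vpc in vpcs:
        if not is_production(vpc):
            continue
        vpc_id = vpc["VpcId"]
        logs = by_vpc.get(vpc_id, [])
        if not logs:
            findings[vpc_id] = "no flow log"
            continue
        per_log = [problems(fl, approved, require_all_traffic) for fl in logs]
        if any(not p for p in per_log):
            continue  # at least one compliant flow log
        findings[vpc_id] = "; ".join(sorted({r for p in per_log for r in p}))
    return findings


if __name__ == "__main__":
    for vpc_id, reason in find_noncompliant_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"{vpc_id}: {reason}")
```

Against a live account, feed it `ec2.describe_vpcs()["Vpcs"]` and `ec2.describe_flow_logs()["FlowLogs"]` from boto3 (paginating both), with APPROVED_DESTINATIONS set to your logging account's bucket and log group ARNs; set require_all_traffic to False if your policy deliberately uses a narrower traffic filter.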
© 2026 Cyscale Limited