Overview
VPC Flow Logs record per-network-interface metadata (source and destination addresses and ports, protocol, packet and byte counts, and the ACCEPT/REJECT action) that is essential for incident response and threat hunting.
Why this matters
Without Flow Logs you lose the primary record of east-west (instance-to-instance inside the VPC) and north-south (to and from the internet and peered or on-premises networks) traffic, so lateral movement, beaconing and data exfiltration can go unnoticed and cannot be reconstructed after the fact.
What this control should detect
Production VPCs that do not have an active VPC Flow Log delivering to a central logging destination.
Remediation guidance
AWS Remediation
Service-Wide (Recommended)
Enable organization-level guardrails requiring VPC Flow Logs for all production VPCs (for example the AWS Config managed rule vpc-flow-logs-enabled deployed as an organization conformance pack) and make flow-log creation part of the account onboarding pipeline so new VPCs are never created without one.
Console (Asset-Level)
- Open Amazon VPC Console.
- Select the affected VPC.
- Go to Flow logs and choose Create flow log.
- Choose the destination: CloudWatch Logs (requires an IAM role that the flow logs service can assume, with logs:CreateLogStream and logs:PutLogEvents on the log group) or Amazon S3 (delivery is authorized by the bucket policy rather than a role).
- Set the filter to All traffic so accepted flows are captured, not only rejected ones.
- Create the flow log and verify delivery: the flow log status should show Active and records should appear at the destination within a few minutes.
AWS CLI (Asset-Level)
aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>
References
- https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
Query logic
These are the stored checks tied to this control.

Check: VPCs without flow logs
Connectors: AWS
Covered asset types: VPCs (the query's vpcs root)
Expected check: eq []
Query:
{ vpcs(where: { cloudProvider: "aws", OR: [{ hasFlowLog: null }, { hasFlowLog_NONE: { flowLogStatus: "ACTIVE" } }] }) { ...AssetFragment } }

The query returns every AWS VPC that either has no flow log at all (hasFlowLog: null) or has no flow log whose flowLogStatus is ACTIVE; the control passes only when that list is empty. Note that the stored check tests for an active flow log and nothing else: it does not verify the destination or the traffic filter, so a VPC whose flow log ships REJECT-only traffic to a team-owned log group still passes this query.
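The stored check above, re-implemented locally so it can be run offline against captured `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` JSON. This is an added example, not the page's or the scanning product's own code: the sample records, the env=prod tag convention used to scope to production VPCs, and the set of central destinations are constructed assumptions. It goes beyond the stored query by also flagging two gaps the query does not cover: an active flow log that delivers somewhere other than the central destination, and one whose filter is not ALL.

```python
"""Local re-implementation of the "VPCs without flow logs" check.

Added example (not the page's or any vendor's code). Input records are in the
shape returned by `aws ec2 describe-vpcs` / `aws ec2 describe-flow-logs`.
The sample data, the env=prod tag convention and CENTRAL_DESTINATIONS are
constructed assumptions.
"""
from collections import defaultdict

# Assumption: a VPC is "production" when tagged env=prod.
PROD_TAG = ("env", "prod")

# Assumption: the organisation's approved central flow-log destinations.
CENTRAL_DESTINATIONS = {
    "arn:aws:s3:::org-central-flow-logs",
    "arn:aws:logs:us-east-1:111122223333:log-group:/org/central/vpc-flow",
}

# Constructed sample data in describe-vpcs / describe-flow-logs shape.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VpcId": "vpc-0bbb", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VpcId": "vpc-0ccc", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VpcId": "vpc-0ddd", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VpcId": "vpc-0eee", "Tags": [{"Key": "env", "Value": "dev"}]},  # out of scope
]
SAMPLE_FLOW_LOGS = [
    # vpc-0aaa: ACTIVE, ALL traffic, central bucket -> compliant
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::org-central-flow-logs"},
    # vpc-0bbb: a flow log exists but is not ACTIVE (constructed status) -> finding
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0bbb", "FlowLogStatus": "INACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::org-central-flow-logs"},
    # vpc-0ccc: ACTIVE, but REJECT-only and shipped to a team log group
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0ccc", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs",
     "LogDestination": "arn:aws:logs:us-east-1:111122223333:log-group:/team/adhoc"},
    # vpc-0ddd: no flow log at all -> finding
]


def is_production(vpc: dict) -> bool:
    """Scope filter (assumption): env=prod tag marks a production VPC."""
    key, value = PROD_TAG
    return any(t.get("Key") == key and t.get("Value") == value
               for t in vpc.get("Tags", []))


def flow_logs_by_vpc(flow_logs: list) -> dict:
    """Group flow-log records by the VPC they are attached to."""
    grouped = defaultdict(list)
    for fl in flow_logs:
        grouped[fl["ResourceId"]].append(fl)
    return grouped


def vpcs_without_active_flow_log(vpcs: list, flow_logs: list) -> list:
    """Mirror of the stored query: hasFlowLog is null OR no flow log is ACTIVE.

    Returns the sorted VPC ids that would be in the query result; the
    control's expected check is that this list is empty.
    """
    grouped = flow_logs_by_vpc(flow_logs)
    findings = []
    for vpc in vpcs:
        if not is_production(vpc):
            continue
        logs = grouped.get(vpc["VpcId"], [])  # [] corresponds to hasFlowLog: null
        if not any(fl.get("FlowLogStatus") == "ACTIVE" for fl in logs):
            findings.append(vpc["VpcId"])
    return sorted(findings)


def evaluate(vpcs: list, flow_logs: list, central_destinations: set) -> dict:
    """Stored check plus two caveats it does not cover: destination and filter."""
    prod_ids = {v["VpcId"] for v in vpcs if is_production(v)}
    non_central, partial_capture = [], []
    for fl in flow_logs:
        if fl["ResourceId"] not in prod_ids or fl.get("FlowLogStatus") != "ACTIVE":
            continue
        if fl.get("LogDestination") not in central_destinations:
            non_central.append((fl["ResourceId"], fl["FlowLogId"], fl.get("LogDestination")))
        if fl.get("TrafficType") != "ALL":
            partial_capture.append((fl["ResourceId"], fl["FlowLogId"], fl.get("TrafficType")))
    missing = vpcs_without_active_flow_log(vpcs, flow_logs)
    return {
        "missing": missing,                  # what the stored query reports
        "non_central": non_central,          # active, but not to a central destination
        "partial_capture": partial_capture,  # active, but filter is not ALL
        "compliant": not (missing or non_central or partial_capture),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, CENTRAL_DESTINATIONS), indent=2))
```

On the sample data the stored-query mirror reports vpc-0bbb and vpc-0ddd, while vpc-0ccc passes it and is caught only by the destination and filter checks; the dev-tagged vpc-0eee is excluded by the scope filter. To run it against a real account, replace the two sample lists with the `Vpcs` and `FlowLogs` arrays from the CLI output.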