Skip to main content

πŸ“ AWS VPC Flow Logs are not enabled 🟒

  • Contextual name: πŸ“ Flow Logs are not enabled 🟒
  • ID: /ce/ca/aws/vpc/flow-logs
  • Located in: πŸ“ AWS VPC

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-9c0416671

Logic​

Description​

Open File

Description​

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

Rationale​

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.

Impact​

By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:

... see more

Remediation​

Open File

Remediation​

Perform the following to determine if VPC Flow logs is enabled:

From Console​

  1. Sign into the management console.
  2. Select Services then VPC.
  3. In the left navigation pane, select Your VPCs.
  4. Select a VPC.
  5. In the right pane, select the Flow Logs tab.
  6. If no Flow Log exists, click Create Flow Log.
  7. For Filter, select Reject.
  8. Enter in a Role and Destination Log Group.
  9. Click Create Log Flow.
  10. Click on CloudWatch Logs Group.

Note: Setting the filter to Reject will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least privilege security group engineering, setting this the filter to All can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.

From Command Line​

  1. Create a policy document and name it as role_policy_document.json and paste the following content:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 16f information security reporting and analytics;911
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36j monitoring controls β€” for timely detection of compromises to information security;911
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1821
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό e. use of, and access to, information assets is attributable to an individual, hardware or software, and activity logged and monitored;22
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.6] VPC flow logging should be enabled in all VPCs11
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 2.9 Ensure VPC flow logging is enabled in all VPCs11
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.9 Ensure VPC flow logging is enabled in all VPCs11
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.9 Ensure VPC flow logging is enabled in all VPCs11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.9 Ensure VPC flow logging is enabled in all VPCs - Level 2 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.9 Ensure VPC flow logging is enabled in all VPCs - Level 2 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.7 Ensure VPC flow logging is enabled in all VPCs - Level 2 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.7 Ensure VPC flow logging is enabled in all VPCs (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.7 Ensure VPC flow logging is enabled in all VPCs (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.7 Ensure VPC flow logging is enabled in all VPCs (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration49
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)723
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)120
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62126
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(4) Central Review and Analysis (H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)1719
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)247
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)28
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)421
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(1) System-wide Intrusion Detection System (M)(H)11
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(4) Inbound and Outbound Communications Traffic (M)(H)79
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4648
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)6
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)6
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)23
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)19
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)47
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)18
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)23
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)6
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)120
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)226
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)6
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)19
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)28
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)217
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-4(1) System-wide Intrusion Detection System (M)(H)1
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-4(4) Inbound and Outbound Communications Traffic (M)(H)9
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.4.1 Event logging1618
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1920
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.16 Monitoring activities66
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.20 Networks security55
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-2: Detected events are analyzed to understand attack targets and methods1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1928
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2124
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1923
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated3033
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations1619
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1720
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.AN-1: Notifications from detection systems are investigated1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-2: Incidents are reported consistent with established criteria2023
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools33
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-02: The physical environment is monitored to find potentially adverse events8
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events27
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations10
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-10: Critical suppliers are assessed prior to acquisition26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents30
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-02: Incident reports are triaged and validated22
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AU-2 AUDIT EVENTS423
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(26) Information Flow Enforcement _ Audit Filtering Actions7
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(9) Least Privilege _ Log Use of Privileged Functions1516
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging46
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31320
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44547
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-7 Continuous Monitoring68
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3 Configuration Change Control81521
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-4(4) System Monitoring _ Inbound and Outbound Communications Traffic22
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events6
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.3.3 Date and time.1
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.3.4 Success or failure indication.1
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.3.5 Origination of event.1
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.3.6 Identity or name of affected data, system component, or resource.1
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 11.6.1 A change- and tamper-detection mechanism is deployed.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 11.6.1 A change- and tamper-detection mechanism is deployed.1