Description
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. After you create a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet rejects for VPCs.
Rationale
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or support security investigations.
Impact
By default, CloudWatch Logs stores logs indefinitely unless a specific retention period is defined for the log group. When choosing a retention period, keep in mind that the average time to detect a breach is 210 days (at the time of this writing). Because additional time is required to investigate a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive logs to a lower-cost storage service rather than deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:
Audit
Perform the following to determine if VPC Flow Logs are enabled:
From Console
- Sign in to the management console.
- Select Services, then VPC.
- In the left navigation pane, select Your VPCs.
- Select a VPC.
- In the right pane, select the Flow Logs tab.
- Ensure a flow log exists that has Active in the Status column.
From Command Line
1. Run the describe-vpcs command to list the VPC networks available in the current AWS region:

       aws ec2 describe-vpcs --region <region> --query Vpcs[].VpcId

2. The command output returns the VpcId values available in the selected region.
3. Run the describe-flow-logs command using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled:

       aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>"

4. If there are no Flow Logs created for the selected VPC, the command output will return an empty list [].
5. Repeat step 3 for other VPCs available in the same region.
6. Change the region by updating --region and repeat steps 1-5 for all VPCs.
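The command-line steps above are easy to run by hand for one VPC but tedious across many VPCs and regions, and an empty list is not the only failing case: a flow log that exists but is not Active, or that only captures ACCEPT traffic, does not satisfy the recommendation either. The following script is an added example, not part of the benchmark text: it encodes the same two CLI calls and evaluates each VPC against the page's criteria (a flow log exists, its status is ACTIVE, and its traffic type is REJECT or ALL). The sample describe-flow-logs responses and VPC IDs are constructed for offline use; only the field names (FlowLogStatus, TrafficType, FlowLogId, ResourceId) are the real API's. The live path shells out to the aws CLI with the exact commands shown in the audit steps and assumes the CLI is installed and credentialed.

```python
"""Audit VPC Flow Logs per region: every VPC needs an ACTIVE flow log capturing REJECT or ALL."""
import json
import subprocess
from typing import Dict, List

# Constructed sample of the "FlowLogs" array returned by
# `aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>"`.
# Field names match the real API; the IDs are made up for this example.
SAMPLE_FLOW_LOGS: Dict[str, List[dict]] = {
    "vpc-0aaa111": [  # ACTIVE and capturing rejected packets -> compliant
        {"FlowLogId": "fl-0111", "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT",
         "ResourceId": "vpc-0aaa111", "LogDestinationType": "cloud-watch-logs",
         "LogGroupName": "vpc-flow-logs"},
    ],
    "vpc-0bbb222": [],  # no flow log at all -> the "empty list []" case from step 4
    "vpc-0ccc333": [  # flow log exists but only captures ACCEPT -> not compliant
        {"FlowLogId": "fl-0333", "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT",
         "ResourceId": "vpc-0ccc333", "LogDestinationType": "s3"},
    ],
}


def flow_log_finding(vpc_id: str, flow_logs: List[dict]) -> dict:
    """Evaluate one VPC's flow logs against the recommendation and explain the result."""
    if not flow_logs:
        return {"VpcId": vpc_id, "compliant": False, "reason": "no flow log configured"}
    for fl in flow_logs:
        # ALL includes rejected packets, so it satisfies "enabled for packet rejects".
        if fl.get("FlowLogStatus") == "ACTIVE" and fl.get("TrafficType") in ("REJECT", "ALL"):
            return {"VpcId": vpc_id, "compliant": True,
                    "reason": f"{fl['FlowLogId']} is ACTIVE and captures {fl['TrafficType']} traffic"}
    seen = ", ".join(f"{fl.get('FlowLogId')} ({fl.get('FlowLogStatus')}/{fl.get('TrafficType')})"
                     for fl in flow_logs)
    return {"VpcId": vpc_id, "compliant": False,
            "reason": f"no ACTIVE flow log capturing REJECT or ALL traffic; found: {seen}"}


def audit_region(vpc_ids: List[str], flow_logs_by_vpc: Dict[str, List[dict]]) -> List[dict]:
    """Steps 3-5 of the audit: evaluate every VPC in a region (pure function, testable offline)."""
    return [flow_log_finding(vpc_id, flow_logs_by_vpc.get(vpc_id, [])) for vpc_id in vpc_ids]


def _aws(args: List[str]):
    """Run an aws CLI command and parse its JSON output (assumes the CLI is installed and configured)."""
    completed = subprocess.run(["aws", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def audit_region_live(region: str) -> List[dict]:
    """Steps 1-5 against a real account, using the same commands the audit text shows."""
    vpc_ids = _aws(["ec2", "describe-vpcs", "--region", region, "--query", "Vpcs[].VpcId"])
    flow_logs_by_vpc = {}
    for vpc_id in vpc_ids:
        resp = _aws(["ec2", "describe-flow-logs", "--region", region,
                     "--filter", f"Name=resource-id,Values={vpc_id}"])
        flow_logs_by_vpc[vpc_id] = resp.get("FlowLogs", [])
    return audit_region(vpc_ids, flow_logs_by_vpc)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; step 6 (loop over regions)
    # would call audit_region_live(region) for each region in turn.
    for finding in audit_region(list(SAMPLE_FLOW_LOGS), SAMPLE_FLOW_LOGS):
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['VpcId']}: {finding['reason']}")
```

Running the script offline prints one PASS and two FAIL lines for the sample data; pointing audit_region_live at a region reproduces the manual procedure and makes step 6 a loop over the output of aws ec2 describe-regions.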