Remediation
Using AWS CloudFormation
- CloudFormation template (YAML):
Note: The IAM role passed in FlowLogRoleArn (used for DeliverLogsPermissionArn) must exist before deploying this template, and its trust policy must allow the vpc-flow-logs.amazonaws.com service principal to assume it. If it does not, the flow log resource is created but delivery to CloudWatch Logs fails.
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables flow logging for rejected traffic on a specified VPC, publishing to CloudWatch Logs.
Parameters:
  VPCId:
    Type: String
    Description: ID of the existing VPC
  LogGroupName:
    Type: String
    Default: /vpc/flow-logs
    Description: CloudWatch Logs log group that receives the flow log records
  FlowLogRoleArn:
    Type: String
    Description: >
      ARN of an existing IAM role that grants permission to publish flow logs to CloudWatch Logs.
Resources:
  VPCFlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref VPCId
      ResourceType: VPC
      TrafficType: REJECT
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref LogGroupName
      DeliverLogsPermissionArn: !Ref FlowLogRoleArn
From Console
- Sign into the management console.
- Select Services, then VPC.
- In the left navigation pane, select Your VPCs.
- Select a VPC.
- In the right pane, select the Flow Logs tab.
- If no Flow Log exists, click Create Flow Log.
- For Filter, select Reject.
- Enter a Role and a Destination Log Group.
- Click Create Flow Log.
- Click on the CloudWatch Logs Group to confirm that records are arriving.
Note: Setting the filter to Reject dramatically reduces the volume of log data accumulated for this recommendation while still providing sufficient information for breach detection, investigation and remediation. However, during periods of least-privilege security group engineering, setting the filter to All can be very helpful in discovering the existing traffic flows that an already running environment needs in order to operate.
From Command Line
- Create a trust policy document, name it role_policy_document.json and paste the following content. The principal must be the VPC Flow Logs service (vpc-flow-logs.amazonaws.com), not ec2.amazonaws.com; with any other principal the flow log is created but delivery to the log group fails with an access error.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVPCFlowLogsToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Create another policy document, name it iam_policy.json and paste the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Note: Only the first five actions are needed for the service to deliver flow logs; logs:GetLogEvents and logs:FilterLogEvents are read permissions that the delivery role never uses and can be dropped. The Resource can likewise be narrowed from "*" to the ARN of the destination log group (and its log streams) to keep the role least-privilege.
- Run the below command to create an IAM role using the trust policy document:
aws iam create-role --role-name <flow-logs-role-name> --assume-role-policy-document file://<file-path>role_policy_document.json
- Run the below command to create an IAM policy:
aws iam create-policy --policy-name <iam-policy-name> --policy-document file://<file-path>iam_policy.json
- Run attach-role-policy using the IAM policy ARN returned by the previous step to attach the policy to the IAM role created above (attach-group-policy attaches to an IAM group, which is not what is needed here):
aws iam attach-role-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --role-name <flow-logs-role-name>
- If the command succeeds, no output is returned.
- Run describe-vpcs to get the VpcIds available in the selected region:
aws ec2 describe-vpcs --region <region>
- The command output should return a list of VPCs in the selected region.
- Run create-flow-logs to create a flow log for the VPC, passing the ARN of the role created above:
aws ec2 create-flow-logs --region <region> --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>
- Repeat the create-flow-logs step for the other VPCs available in the selected region.
- Verify delivery with describe-flow-logs; a FlowLogStatus of ACTIVE combined with a DeliverLogsStatus of FAILED means records are not reaching the log group, which usually points at the role's trust policy or permissions:
aws ec2 describe-flow-logs --region <region>
- Change the region by updating --region and repeat the remediation procedure for the VPCs in the other regions.
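The procedure above is repeated per VPC and per region, so the part worth automating is finding which VPCs still need it. The script below is an added example written for this page (not code from the original page or from AWS): it reads the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` print, treats a VPC as covered only when it has an ACTIVE flow log of type REJECT or ALL going to CloudWatch Logs whose delivery has not failed (treating ALL as acceptable is an assumption, following the note about least-privilege engineering), prints the trust and permissions policy documents with the correct service principal, and emits the create-flow-logs command for every uncovered VPC. The sample VPCs, flow log records, region, account ID and role ARN are constructed placeholders.

```python
"""Check which VPCs in a region still need a reject-traffic flow log.

Added example for this page, not code from the original page or from AWS.
Run with no arguments to use the constructed sample data below, or pass two
files holding the JSON printed by `aws ec2 describe-vpcs --region R` and
`aws ec2 describe-flow-logs --region R`.
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-vpcs` output.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": f"vpc-0a1b2c3d4e5f6000{i}"} for i in range(1, 5)]}

# Constructed sample in the shape of `aws ec2 describe-flow-logs` output.
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    # vpc-...0001: compliant (REJECT to CloudWatch Logs, delivery working).
    {"FlowLogId": "fl-0001", "ResourceId": "vpc-0a1b2c3d4e5f60001",
     "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT",
     "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "SUCCESS"},
    # vpc-...0002: only ACCEPT traffic is captured, so rejects are never seen.
    {"FlowLogId": "fl-0002", "ResourceId": "vpc-0a1b2c3d4e5f60002",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT",
     "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "SUCCESS"},
    # vpc-...0003: flow log exists but delivery fails (in practice usually a
    # role whose trust policy names the wrong service principal).
    {"FlowLogId": "fl-0003", "ResourceId": "vpc-0a1b2c3d4e5f60003",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error"},
    # vpc-...0004 has no flow log at all.
]}

# Assumption: either REJECT or ALL satisfies the recommendation.
COVERING_TRAFFIC_TYPES = {"REJECT", "ALL"}


def covers_rejected_traffic(flow_log):
    """True if this record actually delivers rejected traffic to CloudWatch Logs."""
    return (flow_log.get("FlowLogStatus") == "ACTIVE"
            and flow_log.get("TrafficType") in COVERING_TRAFFIC_TYPES
            and flow_log.get("LogDestinationType", "cloud-watch-logs") == "cloud-watch-logs"
            # DeliverLogsStatus is absent until the first delivery attempt.
            and flow_log.get("DeliverLogsStatus", "SUCCESS") != "FAILED")


def vpcs_needing_flow_logs(vpcs_output, flow_logs_output):
    """VPC IDs with no covering flow log, in describe-vpcs order."""
    covered = {fl["ResourceId"] for fl in flow_logs_output.get("FlowLogs", [])
               if covers_rejected_traffic(fl)}
    return [v["VpcId"] for v in vpcs_output.get("Vpcs", []) if v["VpcId"] not in covered]


def trust_policy():
    """Trust policy for the delivery role: the flow logs service assumes it, not EC2."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def delivery_policy(region, account_id, log_group_name):
    """Only the write/describe actions delivery needs, scoped to one account and
    region (assumption: tighter than the Resource "*" used in the procedure)."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [group_arn, group_arn + ":*"]},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:*"}]}


def create_flow_logs_command(vpc_id, region, log_group_name, role_arn):
    """The create-flow-logs invocation from the procedure above, for one VPC."""
    return (f"aws ec2 create-flow-logs --region {region} --resource-type VPC "
            f"--resource-ids {vpc_id} --traffic-type REJECT "
            f"--log-group-name {log_group_name} --deliver-logs-permission-arn {role_arn}")


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            vpcs = json.load(f)
        with open(argv[2]) as f:
            flow_logs = json.load(f)
    else:
        vpcs, flow_logs = SAMPLE_VPCS, SAMPLE_FLOW_LOGS
    # Placeholder region, account and role ARN; substitute the real values.
    region, account = "us-east-1", "123456789012"
    role_arn = f"arn:aws:iam::{account}:role/vpc-flow-logs-role"
    print("Trust policy:", json.dumps(trust_policy()))
    print("Permissions policy:", json.dumps(delivery_policy(region, account, "/vpc/flow-logs")))
    for vpc_id in vpcs_needing_flow_logs(vpcs, flow_logs):
        print(create_flow_logs_command(vpc_id, region, "/vpc/flow-logs", role_arn))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample it reports three of the four VPCs: the one with only an ACCEPT filter, the one whose delivery is failing, and the one with no flow log. The failing-delivery case is the one the console and CLI steps do not surface on their own, which is why the check looks at DeliverLogsStatus and not just at whether a flow log exists.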