Remediation
Using AWS CloudFormation

- CloudFormation template (YAML):

Note: The IAM role passed as FlowLogRoleArn (used in DeliverLogsPermissionArn) must exist before deploying this template.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables flow logging for rejected traffic on a specified VPC, publishing to CloudWatch Logs.
Parameters:
  VPCId:
    Type: String
    Description: ID of the existing VPC
  LogGroupName:
    Type: String
    Default: /vpc/flow-logs
  FlowLogRoleArn:
    Type: String
    Description: >
      ARN of an existing IAM role that grants permission to publish flow logs to CloudWatch Logs.
Resources:
  VPCFlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref VPCId
      ResourceType: VPC
      TrafficType: REJECT
      DeliverLogsPermissionArn: !Ref FlowLogRoleArn
      LogGroupName: !Ref LogGroupName
      LogDestinationType: cloud-watch-logs
```
From Console

- Sign in to the AWS Management Console.
- Select Services, then VPC.
- In the left navigation pane, select Your VPCs.
- Select a VPC.
- In the right pane, select the Flow Logs tab.
- If no flow log exists, click Create Flow Log.
- For Filter, select Reject.
- Enter a Role and Destination Log Group.
- Click Create flow log.
- Click CloudWatch Logs Group.
Note: Setting the filter to Reject will significantly reduce log volume while still providing sufficient information for breach detection, investigation, and remediation. During periods of least-privilege security group engineering, setting the filter to All can be helpful in discovering existing traffic flows required for proper operation of a running environment.
From Command Line

1. Create a trust policy document named `role_policy_document.json` and paste the following content. The trusted principal must be the VPC Flow Logs service, since that service (not EC2) assumes the role to publish the logs:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "test",
         "Effect": "Allow",
         "Principal": {
           "Service": "vpc-flow-logs.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

2. Create another policy document named `iam_policy.json` and paste the following content:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
           "logs:DescribeLogGroups",
           "logs:DescribeLogStreams",
           "logs:PutLogEvents",
           "logs:GetLogEvents",
           "logs:FilterLogEvents"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

3. Run the following command to create an IAM role:

   ```shell
   aws iam create-role \
     --role-name {{aws_support_iam_role}} \
     --assume-role-policy-document file://{{file-path}}role_policy_document.json
   ```

4. Run the following command to create an IAM policy:

   ```shell
   aws iam create-policy \
     --policy-name {{iam-policy-name}} \
     --policy-document file://{{file-path}}iam_policy.json
   ```

5. Run the `attach-role-policy` command, using the IAM policy ARN returned in the previous step, to attach the policy to the IAM role created in step 3 (if the command succeeds, no output is returned):

   ```shell
   aws iam attach-role-policy \
     --policy-arn arn:aws:iam::{{aws-account-id}}:policy/{{iam-policy-name}} \
     --role-name {{aws_support_iam_role}}
   ```

6. Run `describe-vpcs` to get the VPC IDs available in the selected region; the command output lists the VPCs in that region:

   ```shell
   aws ec2 describe-vpcs --region {{region}}
   ```

7. Run `create-flow-logs` to create a flow log for the VPC:

   ```shell
   aws ec2 create-flow-logs \
     --resource-type VPC \
     --resource-ids {{vpc-id}} \
     --traffic-type REJECT \
     --log-group-name {{log-group-name}} \
     --deliver-logs-permission-arn {{iam-role-arn}}
   ```

8. Repeat step 7 for the other VPCs available in the selected region.

9. Change the region by updating `--region` and repeat the remediation procedure for the VPCs in the other regions.
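Steps 6 to 9 are repeated by hand for every VPC and region; the added Python example below (not part of this benchmark or of any AWS tool) does the bookkeeping instead. It takes the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` print for one region, reports the VPCs that still lack an active REJECT (or ALL, assumed equivalent) flow log, and builds the exact `create-flow-logs` command from step 7 for each; the API output, VPC IDs and role ARN embedded here are constructed sample data.

```python
"""Audit helper for the command-line steps above: given the JSON that
`aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` print for one
region, list the VPCs that still lack a REJECT flow log and build the
exact `aws ec2 create-flow-logs` command for each (added example)."""
import json
import shlex

# Assumption: an ALL filter also records rejected traffic, so either
# TrafficType satisfies the control.
ACCEPTABLE_TRAFFIC = {"REJECT", "ALL"}

def vpcs_without_reject_flow_log(describe_vpcs, describe_flow_logs):
    """Return sorted VPC IDs with no ACTIVE, delivering REJECT/ALL flow log."""
    vpc_ids = {v["VpcId"] for v in describe_vpcs["Vpcs"]}
    covered = set()
    for fl in describe_flow_logs["FlowLogs"]:
        # Count a flow log only if it targets the VPC itself (not a subnet
        # or ENI), is ACTIVE and is not failing delivery.
        if (fl.get("ResourceId") in vpc_ids
                and fl.get("FlowLogStatus") == "ACTIVE"
                and fl.get("TrafficType") in ACCEPTABLE_TRAFFIC
                and not fl.get("DeliverLogsErrorMessage")):
            covered.add(fl["ResourceId"])
    return sorted(vpc_ids - covered)

def remediation_commands(region, vpc_ids, log_group, role_arn):
    """Build one create-flow-logs command (step 7 above) per non-compliant VPC."""
    return [
        "aws ec2 create-flow-logs --region {r} --resource-type VPC "
        "--resource-ids {v} --traffic-type REJECT --log-group-name {g} "
        "--deliver-logs-permission-arn {a}".format(
            r=shlex.quote(region), v=shlex.quote(v),
            g=shlex.quote(log_group), a=shlex.quote(role_arn))
        for v in vpc_ids
    ]

# Constructed sample API output (not real account data): one VPC covered by
# an ACTIVE REJECT log, one logging ACCEPT only, one with no flow log at all.
SAMPLE_VPCS = json.loads('{"Vpcs": [{"VpcId": "vpc-0a1b2c3d"}, '
                         '{"VpcId": "vpc-0e4f5a6b"}, {"VpcId": "vpc-0c7d8e9f"}]}')
SAMPLE_FLOW_LOGS = json.loads('{"FlowLogs": ['
    '{"ResourceId": "vpc-0a1b2c3d", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"}, '
    '{"ResourceId": "vpc-0e4f5a6b", "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"}]}')

if __name__ == "__main__":
    missing = vpcs_without_reject_flow_log(SAMPLE_VPCS, SAMPLE_FLOW_LOGS)
    # Placeholder role ARN: substitute the role created in step 3.
    for cmd in remediation_commands("us-east-1", missing, "/vpc/flow-logs",
                                    "arn:aws:iam::123456789012:role/flow-logs-role"):
        print(cmd)
```

In practice, feed it the real output of `aws ec2 describe-vpcs --region REGION --output json` and `aws ec2 describe-flow-logs --region REGION --output json`, once per region, and run the commands it prints.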