Ensure AWS VPC Flow logs are enabled

Error: AWS VPC Flow logs not enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_9
Checkov Check ID: CKV2_AWS_11
Severity: MEDIUM

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into network traffic that traverses the VPC.

We recommend enabling VPC Flow Logs with the filter set to Reject on every VPC, to help detect anomalous traffic and to provide insight during security investigations.

Fix - Runtime

AWS Console

To determine whether VPC Flow Logs are enabled, and to enable them if not, follow these steps:

  1. Log in to the AWS Management Console at [https://console.aws.amazon.com/]
  2. Select Services.
  3. Select VPC.
  4. In the left navigation pane, select Your VPCs.
  5. Select a VPC.
  6. In the right pane, select the Flow Logs tab.
  7. If no Flow Log exists, click Create Flow Log.
  8. Set Filter to Reject.
  9. Enter a Role and Destination Log Group.
  10. Click Create Flow Log.
  11. Click CloudWatch Logs Group.
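The console steps above inspect one VPC at a time. The following is an added audit helper (not part of the Bridgecrew/Checkov page) that applies the same test to every VPC in an account: it works on the dict shapes returned by the EC2 DescribeVpcs and DescribeFlowLogs APIs, so it can be fed real boto3 output (ec2.describe_vpcs()["Vpcs"] and ec2.describe_flow_logs()["FlowLogs"]) or the constructed sample embedded below; the VPC and subnet ids in the sample are made up.

```python
"""Find VPCs that have no active VPC Flow Log (added example, not page code)."""
from typing import Dict, List


def vpcs_without_flow_logs(vpcs: List[Dict], flow_logs: List[Dict]) -> List[Dict]:
    """Return one finding per VPC with no ACTIVE flow log attached to the VPC itself.

    A flow log only counts if ResourceId is the VPC id and FlowLogStatus is
    ACTIVE: a log scoped to a single subnet or ENI does not cover the VPC, and a
    log whose delivery has failed provides no visibility.
    """
    covered = {
        fl["ResourceId"] for fl in flow_logs if fl.get("FlowLogStatus") == "ACTIVE"
    }
    findings = []
    for vpc in vpcs:
        if vpc["VpcId"] not in covered:
            findings.append({
                "vpc_id": vpc["VpcId"],
                "check": "CKV2_AWS_11",
                "severity": "MEDIUM",
                "message": "AWS VPC Flow logs not enabled",
            })
    return findings


# Constructed sample data in DescribeVpcs / DescribeFlowLogs shape (ids are made up).
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa11111111111aa", "CidrBlock": "10.0.0.0/16"},
    {"VpcId": "vpc-0bbb22222222222bb", "CidrBlock": "10.1.0.0/16"},
    {"VpcId": "vpc-0ccc33333333333cc", "CidrBlock": "10.2.0.0/16"},
]
SAMPLE_FLOW_LOGS = [
    # Active log on the whole VPC: this VPC is covered.
    {"FlowLogId": "fl-0111", "ResourceId": "vpc-0aaa11111111111aa",
     "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    # A log exists, but it targets only a subnet, so its VPC is still flagged.
    {"FlowLogId": "fl-0222", "ResourceId": "subnet-0ddd44444444444dd",
     "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
]

if __name__ == "__main__":
    for finding in vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"{finding['vpc_id']}: {finding['message']} ({finding['check']})")
```

Running it on the sample reports the second and third VPC; the first has an active VPC-scoped log and is not listed.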

Fix - Buildtime

Terraform

  • Resources: aws_flow_log + aws_vpc
  • Argument: vpc_id (of aws_flow_log)

resource "aws_flow_log" "example" {
  iam_role_arn    = "arn"   # placeholder: ARN of the IAM role that publishes to CloudWatch Logs
  log_destination = "log"   # placeholder: ARN of the destination CloudWatch Logs group
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.ok_vpc.id   # attaches the flow log to the VPC; this is the line the check requires
}

resource "aws_vpc" "ok_vpc" {
  cidr_block = "10.0.0.0/16"
}