3.7 Ensure VPC flow logging is enabled in all VPCs

Information

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or gain insights during security workflows.

Solution

Perform the following to enable VPC Flow Logs:

From Console:

- Sign in to the management console.
- Select Services, then select VPC.
- In the left navigation pane, select Your VPCs.
- Select a VPC.
- In the right pane, select the Flow Logs tab.
- If no Flow Log exists, click Create Flow Log.
- For Filter, select Reject.
- Enter a Role and Destination Log Group.
- Click Create Flow Log.
- Click on CloudWatch Logs Group.

Note: Setting the filter to "Reject" will dramatically reduce the accumulation of logging data for this recommendation and provide sufficient information for the purposes of breach detection, research, and remediation. However, during periods of least privilege security group engineering, setting the filter to "All" can be very helpful in discovering existing traffic flows required for the proper operation of an already running environment.

From Command Line:

1. Create a trust policy document, name it role_policy_document.json and paste the following content. The principal must be the VPC Flow Logs service (vpc-flow-logs.amazonaws.com), since that is the service that assumes the role to deliver logs; a trust policy for ec2.amazonaws.com alone will cause create-flow-logs to fail with an "unable to assume role" error:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "test",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2. Create another policy document, name it iam_policy.json and paste the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

3. Run the following command to create an IAM role:

aws iam create-role --role-name <aws-support-iam-role> --assume-role-policy-document file://<file-path>role_policy_document.json

4. Run the following command to create an IAM policy:

aws iam create-policy --policy-name <iam-policy-name> --policy-document file://<file-path>iam_policy.json

5. Run the attach-role-policy command, using the IAM policy ARN returned from the previous step, to attach the policy to the IAM role created in step 3:

aws iam attach-role-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> --role-name <aws-support-iam-role>

If the command succeeds, no output is returned.

6. Run the describe-vpcs command to get a list of VPCs in the selected region:

aws ec2 describe-vpcs --region <region>

The command output should return a list of VPCs in the selected region.

7. Run the create-flow-logs command to create a flow log for a VPC:

aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type REJECT --log-group-name <log-group-name> --deliver-logs-permission-arn <iam-role-arn>

8. Repeat step 7 for the other VPCs in the selected region.

9. Change the region by updating --region, and repeat the remediation procedure for each region.
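The procedure above remediates one VPC at a time; to find which VPCs still need it, the following added example (not part of the benchmark) applies this recommendation's pass criterion to the parsed JSON output of aws ec2 describe-vpcs and aws ec2 describe-flow-logs for one region. A VPC passes only if it has an ACTIVE flow log attached at the VPC level whose traffic type is REJECT or ALL; the sample data is constructed, not taken from a real account.

```python
"""Audit VPC flow-log coverage from describe-vpcs / describe-flow-logs output."""
import json

# Traffic types that satisfy the recommendation: REJECT at minimum, and ALL
# includes rejected packets as well.
ACCEPTABLE_TRAFFIC_TYPES = {"REJECT", "ALL"}


def noncompliant_vpcs(describe_vpcs, describe_flow_logs):
    """Return sorted VPC ids lacking an ACTIVE flow log that captures rejects.

    Arguments are the parsed JSON documents returned by
    `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` for one region.
    """
    covered = set()
    for fl in describe_flow_logs.get("FlowLogs", []):
        # Only ACTIVE logs attached directly to a VPC count: a log on a single
        # subnet or network interface does not cover the whole VPC.
        if fl.get("FlowLogStatus") != "ACTIVE":
            continue
        if not fl.get("ResourceId", "").startswith("vpc-"):
            continue
        if fl.get("TrafficType") in ACCEPTABLE_TRAFFIC_TYPES:
            covered.add(fl["ResourceId"])
    return sorted(
        v["VpcId"] for v in describe_vpcs.get("Vpcs", []) if v["VpcId"] not in covered
    )


# Constructed sample output (not real account data): one VPC with a REJECT log,
# one with only an ACCEPT log, and one with no flow log at all.
SAMPLE_VPCS = json.loads('''{"Vpcs": [
  {"VpcId": "vpc-0aaa", "IsDefault": true},
  {"VpcId": "vpc-0bbb", "IsDefault": false},
  {"VpcId": "vpc-0ccc", "IsDefault": false}]}''')
SAMPLE_FLOW_LOGS = json.loads('''{"FlowLogs": [
  {"FlowLogId": "fl-01", "ResourceId": "vpc-0aaa", "TrafficType": "REJECT",
   "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs"},
  {"FlowLogId": "fl-02", "ResourceId": "vpc-0bbb", "TrafficType": "ACCEPT",
   "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs"}]}''')

if __name__ == "__main__":
    for vpc_id in noncompliant_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"{vpc_id}: no ACTIVE REJECT/ALL flow log")
```

Run it against each region's real output (for example, save both commands' JSON to files and load them with json.load) to produce the list of VPC ids that step 7 must still be applied to.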

Impact:

By default, CloudWatch Logs will store logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind that the average time it takes for an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum retention policy of 365 days allows for detection and investigation. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:

- https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html

See Also

https://workbench.cisecurity.org/benchmarks/19631

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, 800-53|SI-4, 800-53|SI-4(4), CSCv7|6.2, CSCv7|12.5

Plugin: amazon_aws

Control ID: a97e9c3a03cac33473a843483714f8d259eb30d006b5db6b1da4ea8bf60e39c8