AWS-VPC-flow-logging-enable-in-all-VPCs
Severity: Medium
Description: This control ensures that VPC flow logging is enabled in all VPCs. Flow logs capture metadata about the IP traffic going to and from network interfaces in your VPC (source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected); they do not capture packet payloads. It is recommended that VPC Flow Logs be enabled at the VPC level with the filter set to capture "Reject" traffic at minimum, since rejected flows are the primary signal for port scans, blocked lateral movement and misconfigured security groups. A flow log attached only to a subnet or network interface does not satisfy this control for the VPC.
Remediation Steps:
Perform the following to create flow logs for a VPC:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the VPC console.
In the navigation pane, choose Your VPCs, or choose Subnets.
Select your VPC or subnet, choose the Flow Logs tab, and then Create Flow Log.
In the dialog box, complete the following information. When you are done, choose Create Flow Log:
Filter: Select whether the flow log should capture rejected traffic, accepted traffic, or all traffic. Setting the filter to "Reject" will dramatically reduce the volume of log data accumulated for this recommendation while still providing sufficient information for breach detection, investigation and remediation. However, while tightening security groups toward least privilege, setting the filter to "All" can be very helpful in discovering the existing traffic flows required for proper operation of an already running environment. Note that a flow log with the filter set to "Accept" only does not meet this control, because it omits the rejected traffic the control is meant to capture.
Role: Specify the name of an IAM role that has permission to publish logs to CloudWatch Logs (at minimum logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams, with a trust policy allowing vpc-flow-logs.amazonaws.com to assume it). This role is only required when the destination is CloudWatch Logs; when publishing to Amazon S3, access is granted through the bucket policy instead.
Destination Log Group: Enter the name of a log group in CloudWatch Logs to which the flow logs will be published. You can use an existing log group, or enter a name for a new log group, which will be created for you. Set a retention period on the log group appropriate to your investigation and compliance needs, as flow logs are retained indefinitely by default.
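The console procedure above is one VPC at a time. The following is an added example (not part of the original control page or any Blue Hexagon tooling) showing how the same audit and remediation can be scripted: a pure function that applies the CIS audit rule to the dict shapes returned by EC2 DescribeVpcs and DescribeFlowLogs, a function that builds the matching create_flow_logs request, and an optional boto3 wrapper. The sample API responses are constructed, and the log-group name and IAM role ARN are placeholders that you must replace with your own.

```python
"""Audit and remediate VPC flow logging (CIS AWS Foundations v1.3.0, 3.9).

Added example, not code from the original control page. The audit logic works
on the plain dict shapes returned by EC2 DescribeVpcs / DescribeFlowLogs, so it
can be unit-tested offline; the sample responses below are constructed, not
captured from a real account. LOG_GROUP and ROLE_ARN are placeholders.
"""
from __future__ import annotations

# A VPC is compliant only if an ACTIVE VPC-level flow log captures REJECT or ALL.
COMPLIANT_TRAFFIC_TYPES = {"REJECT", "ALL"}

# Placeholders (assumptions): replace with your own log group and delivery role.
LOG_GROUP = "/aws/vpc/flow-logs"
ROLE_ARN = "arn:aws:iam::123456789012:role/vpc-flow-logs-delivery"


def find_vpcs_without_flow_logs(vpcs: list[dict], flow_logs: list[dict]) -> list[str]:
    """Return the IDs of VPCs that fail the control, sorted.

    Mirrors the CIS audit: only flow logs whose ResourceId is the VPC itself
    count. A flow log on a subnet or ENI does not cover the VPC, an inactive
    flow log does not count, and an ACCEPT-only flow log is non-compliant
    because it misses the rejected traffic the control is about.
    """
    covered: set[str] = set()
    for fl in flow_logs:
        if fl.get("FlowLogStatus") != "ACTIVE":
            continue
        if fl.get("TrafficType") not in COMPLIANT_TRAFFIC_TYPES:
            continue
        resource_id = fl.get("ResourceId", "")
        if resource_id.startswith("vpc-"):
            covered.add(resource_id)
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def build_create_flow_logs_request(vpc_ids: list[str], log_group: str, role_arn: str,
                                   traffic_type: str = "REJECT") -> dict:
    """Build the keyword arguments for EC2.Client.create_flow_logs().

    Defaults to REJECT (the minimum the control recommends); use ALL while
    engineering least-privilege security groups.
    """
    if traffic_type not in {"ACCEPT", "REJECT", "ALL"}:
        raise ValueError(f"unsupported TrafficType: {traffic_type}")
    return {
        "ResourceIds": list(vpc_ids),
        "ResourceType": "VPC",
        "TrafficType": traffic_type,
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
    }


def remediate_account(log_group: str = LOG_GROUP, role_arn: str = ROLE_ARN,
                      traffic_type: str = "REJECT", dry_run: bool = True) -> list[str]:
    """Audit the current region with boto3 and create flow logs for any gaps.

    boto3 is imported lazily so the audit functions above stay importable
    offline. With dry_run=True nothing is created; the non-compliant VPC IDs
    are returned either way.
    """
    import boto3  # requires AWS credentials and ec2:Describe*/CreateFlowLogs

    ec2 = boto3.client("ec2")
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate()
            for v in page["Vpcs"]]
    flow_logs = [f for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for f in page["FlowLogs"]]
    missing = find_vpcs_without_flow_logs(vpcs, flow_logs)
    if missing and not dry_run:
        ec2.create_flow_logs(**build_create_flow_logs_request(
            missing, log_group, role_arn, traffic_type))
    return missing


# Constructed sample responses, trimmed to the fields the audit uses.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0a1b2c3d4e5f60001"},  # compliant: ACTIVE REJECT log at VPC level
    {"VpcId": "vpc-0a1b2c3d4e5f60002"},  # non-compliant: ACCEPT-only filter
    {"VpcId": "vpc-0a1b2c3d4e5f60003"},  # non-compliant: log exists only on a subnet
    {"VpcId": "vpc-0a1b2c3d4e5f60004"},  # non-compliant: no flow log at all
]
SAMPLE_FLOW_LOGS = [
    {"ResourceId": "vpc-0a1b2c3d4e5f60001", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "vpc-0a1b2c3d4e5f60002", "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "subnet-0123456789abcdef0", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
]

if __name__ == "__main__":
    gaps = find_vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS)
    print("Non-compliant VPCs:", gaps)
    print("Remediation request:", build_create_flow_logs_request(gaps, LOG_GROUP, ROLE_ARN))
```

Run it against the constructed sample to see which VPCs the audit flags and the request it would send; call remediate_account(dry_run=False) with real credentials only after the IAM role's trust and permissions policies are in place, since CreateFlowLogs succeeds even if the role cannot later deliver to CloudWatch Logs (the flow log then shows a delivery error in DescribeFlowLogs rather than failing at creation).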
Important:
Reference:
CIS reference: CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #3.9
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#create-flow-log
Blue Hexagon Proprietary