Ensure that flow logs are enabled for your AWS VPC subnets. Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces associated with your subnets. Once you create a flow log for a VPC subnet, each network interface within the subnet is monitored and the flow logs data is stored using Amazon CloudWatch Logs. This conformity rule demonstrates how to enable the Flow Logs feature for individual or multiple subnets. To enable flow logs at the VPC level, where all the VPCs subnets and ENIs inherit the feature configuration, see this rule.
Flow Logs feature can be used as a security tool to monitor the traffic that is reaching your EC2 instances. Once enabled, the feature will start collecting IP traffic data to and from your VPC subnets, data that can be useful to detect and troubleshoot security issues such as overly restrictive security group rules (when specific traffic is not reaching an EC2 instance) or overly permissive rules (when an instance is publicly accessible through a specific port).
To determine if your VPC subnets have Flow Logs feature enabled, perform the following actions:
To enable flow logs for your Amazon VPC subnets, perform the following actions: