
Enable AWS VPC Flow Logs

Last updated: 10 November 2017
Security

Risk level: Medium (generally tolerable level of risk)

Once enabled, the Flow Logs feature collects metadata about the IP traffic going to and from the network interfaces in your Virtual Private Cloud (VPC). That data is useful for detecting and troubleshooting security issues and for verifying that your network access rules are not overly permissive.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Enabling VPC Flow Logs helps you detect security and access issues such as overly permissive security groups and network ACLs, and alerts you to abnormal activity within your Virtual Private Cloud network, such as rejected connection requests or unusual volumes of data transfer. Note that a flow log record describes each flow (addresses, ports, protocol, packet and byte counts, and the accept/reject decision); it does not contain packet payloads.

Notes:

Availability: this feature is not available yet in the following AWS regions: Asia Pacific (Seoul) and South America (Sao Paulo).

Pricing: since the Flow Log records are made available through Amazon CloudWatch Logs, standard CloudWatch Logs pricing applies ($0.50 per GB ingested and $0.03 per GB archived per month).
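The two signals named above (rejected connection requests and unusual data volumes) can be pulled straight out of the records once they land in CloudWatch Logs. The following script is an added example, not part of the original page: it parses records in the default (version 2) flow log format, skips NODATA/SKIPDATA records, and flags sources that were rejected on several distinct ports as well as accepted flows that moved more bytes than a threshold. The sample records are constructed for the example, not captured traffic.

```python
"""Summarise VPC Flow Log records: flag sources whose connections are being
rejected across several ports and flows moving unusual volumes of data.
Added example; the records below are constructed, not captured traffic."""
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log record, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one host probing SSH/telnet/RDP and getting REJECTed,
# normal HTTPS traffic, one large outbound transfer, and two records that
# carry no traffic data (NODATA / SKIPDATA).
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 51234 22 6 3 180 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 51235 23 6 3 180 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 51236 3389 6 3 180 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 172.31.16.21 44000 443 6 20 4000 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.16.21 198.51.100.200 55000 443 6 900000 1200000000 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1510000000 1510000060 - NODATA
2 123456789012 eni-0a1b2c3d - - - - - - - 1510000000 1510000060 - SKIPDATA
"""


def parse_record(line):
    """Parse one record into a dict, or return None for malformed lines and
    for NODATA/SKIPDATA records, which contain no traffic fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_records(text):
    """Parse all records in a block of text, dropping the unusable ones."""
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def rejected_port_scans(records, min_ports=3):
    """Sources REJECTed on at least min_ports distinct destination ports:
    the signature of a port scan hitting a security group or network ACL."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def large_transfers(records, min_bytes):
    """Accepted (src, dst) pairs that moved more than min_bytes in the window;
    an unexpectedly large outbound total is a data-exfiltration indicator."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return {pair: b for pair, b in totals.items() if b > min_bytes}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("rejected on multiple ports:", rejected_port_scans(recs))
    print("large transfers:", large_transfers(recs, 100_000_000))
```

Feed it real records by exporting a log stream from CloudWatch Logs (or piping `aws logs get-log-events` output through it) and tune `min_ports` and `min_bytes` to the baseline of the VPC; the thresholds here are illustrative.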

Audit

To determine if your VPC network has Flow Logs enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, select Your VPCs.

04 Select the VPC that you need to check.

05 Select the Flow Logs tab from the bottom panel.

06 Search for any Flow Logs entries listed for the selected VPC.

07 If no Flow Logs have been created for the VPC, the tab shows the message “No Flow Logs found”.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) to list the VPC networks available in the current AWS region:

aws ec2 describe-vpcs

02 The command output should expose each VPC ID and its metadata:

{
    "Vpcs": [
        {
            "VpcId": "vpc-f7ac5792",
            "InstanceTenancy": "default",
            "Tags": [
                {
                    "Value": "MyWebVPC",
                    "Key": "Name"
                }
            ],
            "State": "available",
            "DhcpOptionsId": "dopt-80e3f7e2",
            "CidrBlock": "172.31.0.0/16",
            "IsDefault": true
        }
    ]
}

03 Run describe-flow-logs command (OSX/Linux/UNIX) using the VPC ID to determine if the selected virtual network has the Flow Logs feature enabled:

aws ec2 describe-flow-logs \
	--filter "Name=resource-id,Values=vpc-f7ac5792"

04 If there are no Flow Logs created for the selected VPC, the command output returns an empty FlowLogs list:

{
    "FlowLogs": []
}
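A flow log that merely exists is not the whole check: one created with the ACCEPT filter never records rejected connections, and one whose IAM role cannot be assumed shows DeliverLogsStatus FAILED and writes nothing. The following script is an added example, not part of the original page: it evaluates the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` print (run without a filter so one call covers every VPC in the region) and reports each VPC that lacks an ACTIVE, ALL-traffic, successfully delivering flow log. The embedded JSON is constructed sample output, not captured from an account.

```python
"""Evaluate the output of `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`
and report every VPC whose flow logging is missing or ineffective.
Added example; the JSON below is constructed, not captured from an account."""
import json
import sys

# Constructed sample output: one VPC with no flow log, one whose flow log
# captures ACCEPT traffic only and cannot deliver (role cannot be assumed),
# and one that is correctly configured.
VPCS_JSON = """{"Vpcs": [
  {"VpcId": "vpc-f7ac5792", "CidrBlock": "172.31.0.0/16", "IsDefault": true},
  {"VpcId": "vpc-0b1c2d3e", "CidrBlock": "10.0.0.0/16", "IsDefault": false},
  {"VpcId": "vpc-4d5e6f70", "CidrBlock": "10.1.0.0/16", "IsDefault": false}
]}"""

FLOW_LOGS_JSON = """{"FlowLogs": [
  {"FlowLogId": "fl-0aa1b2c3", "ResourceId": "vpc-0b1c2d3e", "TrafficType": "ACCEPT",
   "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs",
   "LogGroupName": "MyFlowLogs", "DeliverLogsStatus": "FAILED",
   "DeliverLogsErrorMessage": "Access error"},
  {"FlowLogId": "fl-0dd4e5f6", "ResourceId": "vpc-4d5e6f70", "TrafficType": "ALL",
   "FlowLogStatus": "ACTIVE", "LogDestinationType": "cloud-watch-logs",
   "LogGroupName": "MyFlowLogs", "DeliverLogsStatus": "SUCCESS"}
]}"""


def flow_log_issues(fl):
    """Reasons why a single flow log does not give full, working coverage."""
    issues = []
    if fl.get("FlowLogStatus") != "ACTIVE":
        issues.append(f"{fl['FlowLogId']} is {fl.get('FlowLogStatus')}, not ACTIVE")
    if fl.get("TrafficType") != "ALL":
        issues.append(f"{fl['FlowLogId']} captures {fl.get('TrafficType')} traffic only")
    if fl.get("DeliverLogsStatus") == "FAILED":
        issues.append(f"{fl['FlowLogId']} delivery failing: "
                      f"{fl.get('DeliverLogsErrorMessage', 'unknown error')}")
    return issues


def audit_flow_logs(vpcs_json, flow_logs_json):
    """Return {vpc_id: [issue, ...]}. An empty list means at least one flow log
    on the VPC is ACTIVE, captures ALL traffic and is delivering successfully."""
    logs_by_vpc = {}
    for fl in json.loads(flow_logs_json)["FlowLogs"]:
        logs_by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    report = {}
    for vpc in json.loads(vpcs_json)["Vpcs"]:
        vpc_id = vpc["VpcId"]
        flow_logs = logs_by_vpc.get(vpc_id, [])
        if not flow_logs:
            report[vpc_id] = ["no flow log configured"]
            continue
        per_log = [flow_log_issues(fl) for fl in flow_logs]
        # One healthy flow log is enough; otherwise report why each one falls short.
        if any(not issues for issues in per_log):
            report[vpc_id] = []
        else:
            report[vpc_id] = [issue for issues in per_log for issue in issues]
    return report


def noncompliant(report):
    """VPC IDs that need remediation, sorted for stable output."""
    return sorted(vpc_id for vpc_id, issues in report.items() if issues)


if __name__ == "__main__":
    # Usage: aws ec2 describe-vpcs > vpcs.json; aws ec2 describe-flow-logs > fl.json
    #        python audit_flow_logs.py vpcs.json fl.json   (no args: built-in sample)
    if len(sys.argv) == 3:
        vpcs, fls = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]]
    else:
        vpcs, fls = VPCS_JSON, FLOW_LOGS_JSON
    for vpc_id, issues in sorted(audit_flow_logs(vpcs, fls).items()):
        print(vpc_id, "OK" if not issues else "; ".join(issues))
```

Run it once per region; flow logs and VPCs are regional, so a VPC that looks covered in one region says nothing about the others.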

Remediation / Resolution

To enable Flow Logs for your VPC, you first need to create an IAM role that the VPC Flow Logs service can assume and that grants permission to publish flow log streams to the specified log group in CloudWatch Logs.

Step 1: create the IAM role.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Policies.

04 Click Create Policy button from the IAM dashboard top menu.

05 Select Create Your Own Policy and type a name and an optional description for the policy.

06 In the Policy Document field, paste the following custom IAM policy. Its Resource element allows writes to every log group in every region (arn:aws:logs:*:*:*); restricting it to the destination log group, arn:aws:logs:<region>:<account-id>:log-group:<log-group-name>:*, is the least-privilege option and works with the same actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}

07 Click Create Policy.

08 In the left navigation panel, click Roles.

09 Click the Create New Role button from the IAM dashboard top menu and follow the wizard:

  1. Enter a name for the IAM role.
  2. Under AWS Service Roles select Amazon EC2 (the trust relationship is changed to the VPC Flow Logs service in step 13 below).
  3. Search for the policy name created earlier and select it.
  4. Click Next Step.
  5. Review the IAM role information and click Create Role.

10 In the left navigation panel, click Roles.

11 Select the newly created IAM role.

12 Select Trust Relationships tab from the bottom panel and click Edit Trust Relationship.

13 Paste the following trust policy document, which allows only the VPC Flow Logs service (vpc-flow-logs.amazonaws.com) to assume the role, and click Update Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Using AWS CLI

01 Run create-role command (OSX/Linux/UNIX) to create the IAM role required for publishing the flow logs. Flow-Logs-Policy.json must contain the trust policy document shown in the console section above (the one naming vpc-flow-logs.amazonaws.com as the principal). After the role exists, attach the permissions policy from step 06 of the console section to it as well (for example with the put-role-policy command); the trust policy alone does not let the role write to CloudWatch Logs:

aws iam create-role \
	--role-name VPC-Flow-Logs-Role \
	--assume-role-policy-document file://Flow-Logs-Policy.json

02 Run get-role command (OSX/Linux/UNIX) using the role name to make sure the IAM role has been successfully created:

aws iam get-role \
	--role-name VPC-Flow-Logs-Role

03 The command output should return a JSON object containing the IAM role metadata. Check that the Service principal in AssumeRolePolicyDocument is vpc-flow-logs.amazonaws.com; if it names a different service (for example ec2.amazonaws.com), the flow log can still be created but the service will not be able to assume the role and log delivery will fail:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "vpc-flow-logs.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROAJERJ6MIBG4CBDJAUE",
        "CreateDate": "2016-04-07T15:19:15Z",
        "RoleName": "VPC-Flow-Logs-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/VPC-Flow-Logs-Role"
    }
}

Step 2: enable VPC Flow Logs

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, select Your VPCs.

04 Select the VPC for which you want to enable Flow Logs.

05 Select the Flow Logs tab from the bottom panel and click Create Flow Log:


06 In the Create Flow Log dialog box, enter the following details:

  1. Filter: select the filter that describes the type of traffic to be logged – accepted, rejected, or all.
  2. Role: select the IAM role created in Step 1, which grants permission to publish to the CloudWatch Logs log group.
  3. Destination Log Group: enter a name for the new CloudWatch Logs log group, where the flow logs will be published.

07 Review the flow log configuration and click Create Flow Log:


The log group is created by the service once the first records are delivered, approximately 10 minutes after you create the flow log. To open it, click the log group name listed under the CloudWatch Logs Group column, or open the CloudWatch Logs dashboard at https://console.aws.amazon.com/cloudwatch/home#logs:

Using AWS CLI

01 Run create-flow-logs command (OSX/Linux/UNIX) to create a flow log for the selected VPC, in the current AWS region. The following example creates a flow log that captures all traffic for the VPC network with the ID vpc-f7ac5792. The flow logs are delivered to a log group called MyFlowLogs, using an IAM role named VPC-Flow-Logs-Role:

aws ec2 create-flow-logs \
	--resource-type VPC \
	--resource-ids vpc-f7ac5792 \
	--traffic-type ALL \
	--log-group-name MyFlowLogs \
	--deliver-logs-permission-arn arn:aws:iam::123456789012:role/VPC-Flow-Logs-Role

02 The command output returns the new flow log ID in FlowLogIds; a non-empty Unsuccessful list means the flow log could not be created for that resource and carries the error code and message:

{
    "Unsuccessful": [],
    "FlowLogIds": [
        "fl-272ec84e"
    ],
    "ClientToken": "fXBO2YJj/485asmdXnhIw1ycw6ZpTlRxJkhQMyFKygY="
}
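Step 1 and Step 2 together, as an added example that is not part of the original page and does not use its CLI commands: a boto3 script that builds the trust policy for vpc-flow-logs.amazonaws.com and a permissions policy scoped to the destination log group instead of arn:aws:logs:*:*:*, creates the role if it does not exist, attaches the policy, and creates the flow log only if the VPC does not already have an ACTIVE one capturing ALL traffic. The role name, log group name and policy name are assumptions; the policy builders run offline, while enable_flow_logs() needs boto3 and AWS credentials with IAM and EC2 permissions.

```python
"""Create the IAM role the VPC Flow Logs service assumes, attach a
least-privilege CloudWatch Logs policy, and enable a flow log on one VPC.
Added example using boto3 (not the page's own commands). Role and log group
names are assumptions; enable_flow_logs() needs AWS credentials to run."""
import json
import sys

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"   # the principal that must be trusted


def trust_policy():
    """Only the VPC Flow Logs service may assume the role (not ec2.amazonaws.com)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": FLOW_LOGS_SERVICE},
                           "Action": "sts:AssumeRole"}]}


def permissions_policy(region, account_id, log_group):
    """Same actions as the page's policy, but scoped to the destination log
    group and its streams rather than arn:aws:logs:*:*:*."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                                      "logs:PutLogEvents", "logs:DescribeLogStreams"],
                           "Resource": [group_arn, f"{group_arn}:*"]}]}


def enable_flow_logs(vpc_id, region, account_id, role_name="VPC-Flow-Logs-Role",
                     log_group="MyFlowLogs"):
    """Idempotently ensure vpc_id has an ACTIVE flow log capturing ALL traffic.
    Returns the new flow log ID, or None if a suitable flow log already exists."""
    import boto3  # imported here so the policy builders above work without it
    iam = boto3.client("iam")
    ec2 = boto3.client("ec2", region_name=region)

    existing = ec2.describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": [vpc_id]}])["FlowLogs"]
    if any(fl["TrafficType"] == "ALL" and fl["FlowLogStatus"] == "ACTIVE"
           for fl in existing):
        return None

    try:
        role_arn = iam.get_role(RoleName=role_name)["Role"]["Arn"]
    except iam.exceptions.NoSuchEntityException:
        role_arn = iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(trust_policy()))["Role"]["Arn"]
    # Inline policy; re-running replaces it, so the scope-down is always applied.
    iam.put_role_policy(RoleName=role_name, PolicyName="publish-vpc-flow-logs",
                        PolicyDocument=json.dumps(
                            permissions_policy(region, account_id, log_group)))

    resp = ec2.create_flow_logs(ResourceType="VPC", ResourceIds=[vpc_id],
                                TrafficType="ALL",
                                LogDestinationType="cloud-watch-logs",
                                LogGroupName=log_group,
                                DeliverLogsPermissionArn=role_arn)
    if resp["Unsuccessful"]:
        err = resp["Unsuccessful"][0]["Error"]
        raise RuntimeError(f"{err['Code']}: {err['Message']}")
    return resp["FlowLogIds"][0]


if __name__ == "__main__":
    # Usage: python enable_flow_logs.py vpc-f7ac5792 us-east-1
    import boto3
    vpc, region = sys.argv[1], sys.argv[2]
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(enable_flow_logs(vpc, region, account) or "already enabled")
```

IAM changes are eventually consistent: when the role has just been created, create_flow_logs can fail with an access error on the role for a few seconds; retrying after a short delay resolves it. After the flow log exists, check DeliverLogsStatus in describe-flow-logs output, since a wrong trust principal or an over-tight Resource shows up there as FAILED rather than at creation time.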

Publication date Apr 8, 2016