Ensure that flow logs are enabled for your AWS VPC subnets. Flow Logs is a feature that enables you to capture information about the IP traffic going to and from the network interfaces associated with your subnets. Once you create a flow log for a VPC subnet, each network interface within that subnet is monitored and the flow log data is stored in Amazon CloudWatch Logs. This conformity rule demonstrates how to enable the Flow Logs feature for individual or multiple subnets. To enable flow logs at the VPC level, where all of the VPC's subnets and ENIs inherit the feature configuration, see the companion rule for VPC-level flow logs.
The Flow Logs feature can be used as a security tool to monitor the traffic that reaches your EC2 instances. Once enabled, the feature starts collecting IP traffic data to and from your VPC subnets. This data is useful for detecting and troubleshooting security issues such as overly restrictive security group rules (when specific traffic is not reaching an EC2 instance) or overly permissive rules (when an instance is publicly accessible through a specific port).
Audit
To determine if your VPC subnets have the Flow Logs feature enabled, perform the following actions:
Remediation / Resolution
To enable flow logs for your Amazon VPC subnets, perform the following actions:
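The audit and remediation steps above map onto the AWS CLI calls listed in the references (describe-subnets, describe-flow-logs, create-log-group, create-flow-logs). The following script is an added example written for this page, not the knowledge base's own remediation steps: it reports subnets that have no subnet-level flow log of their own and can attach a CloudWatch Logs flow log to one subnet. It assumes a configured AWS CLI and an IAM role ARN that VPC Flow Logs may assume to publish to the log group; the sample IDs used by the offline self-check are constructed, not real resources.

```shell
#!/bin/sh
# Audit / remediate VPC subnets that lack a subnet-level flow log (AWS CLI).
# Assumption: the AWS CLI is configured with credentials for the audited region.

# Pure helper: print each ID from $1 (newline-separated) that is absent from $2.
subnets_missing_flow_logs() {
  printf '%s\n' "$1" | while IFS= read -r id; do
    [ -n "$id" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$id" || printf '%s\n' "$id"
  done
}

# All subnet IDs in the current region (ec2 describe-subnets), one per line.
list_subnets() {
  aws ec2 describe-subnets --query 'Subnets[].SubnetId' --output text | tr '\t' '\n'
}

# Resource IDs that already have a flow log attached (ec2 describe-flow-logs).
# VPC-level logs appear here as vpc-... IDs and belong to the companion VPC-level
# rule; this audit only reports subnets without a flow log of their own.
list_flow_logged_resources() {
  aws ec2 describe-flow-logs --query 'FlowLogs[].ResourceId' --output text | tr '\t' '\n'
}

# Remediation: attach a CloudWatch Logs flow log capturing ALL traffic to one subnet.
# $1 subnet ID, $2 log group name, $3 ARN of the IAM role delegated to VPC Flow Logs.
enable_subnet_flow_log() {
  aws logs create-log-group --log-group-name "$2" 2>/dev/null || true  # tolerate "already exists"
  aws ec2 create-flow-logs --resource-type Subnet --resource-ids "$1" \
    --traffic-type ALL --log-destination-type cloud-watch-logs \
    --log-group-name "$2" --deliver-logs-permission-arn "$3"
}

# Constructed sample data (not output from a real account) for an offline self-check:
# one of three subnets is logged directly, the other entry is a VPC-level log.
SAMPLE_SUBNETS="subnet-0a1b2c3d4e5f60001
subnet-0a1b2c3d4e5f60002
subnet-0a1b2c3d4e5f60003"
SAMPLE_LOGGED="subnet-0a1b2c3d4e5f60002
vpc-0123456789abcdef0"

case "${1:-}" in
  audit) subnets_missing_flow_logs "$(list_subnets)" "$(list_flow_logged_resources)" ;;
  fix)   enable_subnet_flow_log "$2" "$3" "$4" ;;   # fix <subnet-id> <log-group> <role-arn>
  check) subnets_missing_flow_logs "$SAMPLE_SUBNETS" "$SAMPLE_LOGGED" ;;
esac
```

Run `sh flowlogs.sh audit` to list non-compliant subnets and `sh flowlogs.sh fix <subnet-id> <log-group> <role-arn>` for each one; `check` exercises the comparison logic on the constructed sample without touching AWS.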
References
- AWS Documentation
  - Amazon VPC FAQs
  - VPC Flow Logs
  - Creating IAM Roles
  - Creating a Role to Delegate Permissions to an AWS Service
  - IAM Policies
  - What is Amazon CloudWatch Logs?
  - Working with Log Groups and Log Streams
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-subnets
    - describe-flow-logs
    - create-flow-logs
  - iam
    - create-role
    - put-role-policy
  - logs
    - create-log-group
Enable Flow Logs for VPC Subnets
Risk level: Low