Once enabled, the VPC Flow Logs feature starts recording metadata about the IP traffic (source and destination addresses and ports, protocol, byte and packet counts, and whether the traffic was accepted or rejected, not packet payloads) flowing to and from the network interfaces in your Virtual Private Cloud (VPC). This data is useful for detecting and troubleshooting security issues and for verifying that your network access rules are not overly permissive.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Enabling VPC Flow Logs helps you detect security and access issues such as overly permissive security groups and network ACLs, and alert on abnormal activity within your VPC network, such as rejected connection requests or unusual volumes of data transfer.
Notes:
Availability: at the time of writing, this feature is not available in the following AWS regions: Asia Pacific (Seoul) and South America (Sao Paulo).
Pricing: since Flow Log records are delivered to CloudWatch Logs, standard CloudWatch Logs pricing applies (at the time of writing, $0.50 per GB ingested and $0.03 per GB archived per month). Capturing ALL traffic on a busy VPC can generate a large ingestion volume, so set a retention period on the log group.
To determine if your VPC network has Flow Logs enabled, perform the following:
To enable Flow Logs for your VPC, you first need to create an IAM role that the VPC Flow Logs service (vpc-flow-logs.amazonaws.com) can assume, granting it permission to publish flow log streams to the specified log group in CloudWatch Logs.
Step 1: create the IAM role.
Step 2: enable VPC Flow Logs.
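The following added example (not code from the Cloud Conformity page) covers both the audit above (which VPCs lack an adequate flow log) and the two remediation steps. The AWS calls are passed a boto3 client as a parameter so the decision logic can be exercised offline against constructed describe_vpcs and describe_flow_logs responses; the role name, log group name and the sample VPC and flow log IDs are assumptions. It also goes a little beyond the page: a VPC with a flow log that captures only ACCEPT traffic, or whose delivery to CloudWatch is failing, is reported as a finding too, since neither would reveal the rejected connections the rule is meant to surface.

```python
"""Audit VPC Flow Logs coverage and create the IAM role needed to enable them.

Added example, not code from the Cloud Conformity page. AWS calls go through
a boto3 client passed in by the caller, so audit_vpcs() runs offline against
the constructed SAMPLE_* responses below. Role/log-group names are assumptions.
"""
import json
from typing import Any, Dict, List

# Step 1, trust policy: only the VPC Flow Logs service may assume the delivery role.
FLOW_LOGS_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def delivery_policy(log_group_arn: str) -> Dict[str, Any]:
    """Step 1, permissions policy. AWS's sample uses Resource "*"; here the write
    actions are scoped to one log group and its streams, and only the Describe
    calls (which cannot be scoped to a resource) keep "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": [log_group_arn, log_group_arn + ":*"]},
            {"Effect": "Allow",
             "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
             "Resource": "*"},
        ],
    }


def create_delivery_role(iam, role_name: str, log_group_arn: str) -> str:
    """Step 1 against a real boto3 IAM client; returns the role ARN."""
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(FLOW_LOGS_TRUST_POLICY))
    iam.put_role_policy(RoleName=role_name, PolicyName="vpc-flow-logs-delivery",
                        PolicyDocument=json.dumps(delivery_policy(log_group_arn)))
    return role["Role"]["Arn"]


def enable_flow_logs(ec2, vpc_id: str, log_group: str, role_arn: str) -> Dict[str, Any]:
    """Step 2: capture ALL (accepted and rejected) traffic for the VPC into CloudWatch Logs."""
    return ec2.create_flow_logs(ResourceType="VPC", ResourceIds=[vpc_id], TrafficType="ALL",
                                LogDestinationType="cloud-watch-logs", LogGroupName=log_group,
                                DeliverLogsPermissionArn=role_arn)


def audit_vpcs(vpcs_resp: Dict[str, Any], flow_logs_resp: Dict[str, Any]) -> List[Dict[str, str]]:
    """One finding per VPC without an ACTIVE flow log that captures ALL traffic
    and whose last delivery succeeded. A VPC with several flow logs passes if any
    one of them is adequate."""
    by_vpc: Dict[str, List[Dict[str, Any]]] = {}
    for fl in flow_logs_resp.get("FlowLogs", []):
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)

    findings: List[Dict[str, str]] = []
    for vpc in vpcs_resp.get("Vpcs", []):
        vpc_id = vpc["VpcId"]
        logs = by_vpc.get(vpc_id, [])
        if not logs:
            findings.append({"vpc_id": vpc_id, "reason": "no flow log"})
            continue
        problems: List[str] = []
        for fl in logs:
            if fl.get("FlowLogStatus") != "ACTIVE":
                problems.append(f"{fl['FlowLogId']} status {fl.get('FlowLogStatus')}")
            elif fl.get("TrafficType") != "ALL":
                problems.append(f"{fl['FlowLogId']} captures {fl.get('TrafficType')} only")
            elif fl.get("DeliverLogsStatus", "SUCCESS") != "SUCCESS":
                problems.append(f"{fl['FlowLogId']} delivery {fl['DeliverLogsStatus']}")
            else:
                problems = []  # an adequate flow log exists, so the VPC passes
                break
        if problems:
            findings.append({"vpc_id": vpc_id, "reason": "; ".join(problems)})
    return findings


def audit_live(ec2) -> List[Dict[str, str]]:
    """Run the audit with a real boto3 EC2 client (needs ec2:DescribeVpcs/DescribeFlowLogs).
    describe_flow_logs paginates; accounts with many flow logs should use its paginator."""
    return audit_vpcs(ec2.describe_vpcs(), ec2.describe_flow_logs())


# Constructed sample responses in the shape of describe_vpcs / describe_flow_logs.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}, {"VpcId": "vpc-0c3"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1", "TrafficType": "ALL",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0c3", "TrafficType": "ACCEPT",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
]}

if __name__ == "__main__":
    for f in audit_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"{f['vpc_id']}: {f['reason']}")
    print(json.dumps(delivery_policy("arn:aws:logs:us-east-1:123456789012:log-group:vpc-flow-logs"), indent=2))
```

Against the sample data, vpc-0a1 passes, vpc-0b2 is reported as having no flow log, and vpc-0c3 is reported because its only flow log captures ACCEPT traffic. To remediate a finding with real clients, call create_delivery_role() once per account and then enable_flow_logs() for each VPC listed, checking the "Unsuccessful" entries in the create_flow_logs response.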