VPC Flow Logs Not Enabled

This plugin ensures VPC flow logs are enabled for traffic logging.

Risk Level: Medium

Description

This plugin ensures VPC flow logs are enabled for traffic logging. All the incoming and outgoing traffic of VPC are recorded and stored by VPC logs. It is recommended to enable these logs for auditing and review purposes in case of security breaches.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.

Impact

In the absence of VPC flow logs, it will not be possible to track unusual activities inside VPC. As most critical services of cloud infrastructure run inside a VPC, it is recommended to enable flow logs to monitor unusual traffic into VPC.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the Your VPCs in the Virtual Private Cloud section from the left navigation pane.
  4. A list of VPCs in the region will appear. Select the VPC you wish to examine by clicking on the checkbox next to it.
  5. Move to the Flow Logs tab.
  6. If No Flow Logs are found in the region, the vulnerability exists.
  7. Repeat steps for all the VPCs you want to investigate.

Steps for Remediation

Enable VPC flow logs for each VPC:

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the Your VPCs in the Virtual Private Cloud section from the left navigation pane.
  4. A list of VPCs in the region will appear. Select the VPC you wish to examine by clicking on the checkbox next to it.
  5. Move to the Flow Logs tab.
  6. Click on Create Flow Log from the top-right corner.
  7. Fill in the details such as Name, IAM role, Log group to create the Flow Log. Click on Create Flow Log when done.
  8. Repeat steps for all the vulnerable VPC.