VPC flow logging should be enabled in all VPCs

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Enable VPC Flow Logs for packet Rejects for VPCs.

Rationale

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.

Impact

By default, CloudWatch Logs will store logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs in a cheaper storage service rather than simply deleting them.

Remediation

Perform the following steps to determine if VPC Flow logs is enabled:

From the console

  1. Sign into the management console.
  2. Select Services > VPC.
  3. In the left navigation pane, select Your VPCs.
  4. Select a VPC.
  5. In the right pane, select the Flow Logs tab.
  6. If no Flow Log exists, click Create Flow Log.
  7. For Filter, select Reject.
  8. Enter a Role and Destination Log Group.
  9. Click Create Log Flow.
  10. Click CloudWatch Logs Group.

From the command line

  1. Create a policy document, name it role_policy_document.json, and paste the following content:

    {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "test",
                 "Effect": "Allow",
                 "Principal": {
                     "Service": "ec2.amazonaws.com"
                 },
                 "Action": "sts:AssumeRole"
             }
         ]
     }
    
  2. Create another policy document, name it iam_policy.json, and paste the following content:

    {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action":[
                     "logs:CreateLogGroup",
                     "logs:CreateLogStream",
                     "logs:DescribeLogGroups",
                     "logs:DescribeLogStreams",
                     "logs:PutLogEvents",
                     "logs:GetLogEvents",
                     "logs:FilterLogEvents"
                 ],
                 "Resource": "*"
             }
         ]
     }
    
  3. Run create-role to create an IAM role:

    aws iam create-role --role-name <aws_support_iam_role> \
    --assume-role-policy-document file://<file-path>role_policy_document.json
    
  4. Run create-policy to create an IAM policy:

    aws iam create-policy --policy-name <ami-policy-name> \
    --policy-document file://<file-path>iam-policy.json
    
  5. Run attach-group-policy using the IAM policy ARN returned in step 4 to attach the policy to the IAM role. If the command succeeds, no output is returned.

    aws iam attach-group-policy --policy-arn arn:aws:iam::<aws-account-id>:policy/<iam-policy-name> \
    --group-name <group-name>
    
  6. Run describe-vpcs to get the VpcId available in the selected region:

    aws ec2 describe-vpcs --region <region>
    
  7. Run create-flow-logs to create a flow log for the vpc:

    aws ec2 create-flow-logs --resource-type VPC \
    --resource-ids <vpc-id> \
    --traffic-type REJECT \
    --log-group-name <log-group-name> \
    --deliver-logs-permission-arn <iam-role-arn>
    
  8. Repeat step 7 for other vpcs available in the selected region.

  9. Change the region by updating --region and repeat the remediation procedure for other vpcs.

References

  1. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
PREVIEWING: brett0000FF/node-compatibility