Test 224: AWS VPC Flow Logging

Drata validates that VPC flow logging is enabled in all AWS VPCs.


Drata validates that VPC flow logging is enabled in all AWS VPCs. VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or provide insight during security workflows.

ASSOCIATED DRATA CONTROL

This test is part of the Audit Logging control (DCF-406) that ensures audit logs are enabled and active for all system components and sensitive data in accordance with company policies.

WHAT TO DO IF A TEST FAILS

If Drata finds that there are one or more VPCs with flow logging disabled, the test will fail. VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or provide insight during security workflows. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

STEPS TO REMEDIATE

From the management console, select 'Services' and then 'VPC'. Select a VPC and click 'Create Flow Log'. For the filter, select 'Reject' and enter a 'Role' and 'Destination Log Group'.

Note: Setting the filter to 'Reject' will dramatically reduce the logging data accumulation for this recommendation and provide sufficient information for the purposes of breach detection, research and remediation. However, during periods of least-privilege security group engineering, setting the filter to 'All' can be very helpful in discovering existing traffic flows required for proper operation of an already running environment.
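As an added example (not Drata's own test code), the check below reproduces the logic described above over the shapes returned by the EC2 DescribeVpcs and DescribeFlowLogs API calls: a VPC passes only if a flow log is attached to the VPC itself, is active, and its filter captures rejected packets ('Reject' or 'All'). The sample data is constructed; with boto3, the same items come from `describe_vpcs()["Vpcs"]` and `describe_flow_logs()["FlowLogs"]`, collected per region.

```python
from typing import Dict, List

# Traffic filters that capture rejected packets (the 'Reject' recommendation above).
REJECT_CAPTURING = {"REJECT", "ALL"}


def audit_vpc_flow_logs(vpcs: List[dict], flow_logs: List[dict]) -> Dict[str, str]:
    """Verdict per VPC id, from DescribeVpcs 'Vpcs' and DescribeFlowLogs 'FlowLogs' items.

    ok           an ACTIVE flow log on the VPC itself captures REJECT (or ALL) traffic
    missing      no flow log is attached to the VPC (subnet/ENI-level logs do not count)
    inactive     flow log(s) exist on the VPC but none has FlowLogStatus ACTIVE
    accept-only  the active VPC-level flow logs only use the ACCEPT filter
    """
    by_resource: Dict[str, List[dict]] = {}
    for fl in flow_logs:
        # ResourceId is the VPC, subnet or network interface the log is attached to.
        by_resource.setdefault(fl.get("ResourceId", ""), []).append(fl)

    verdicts: Dict[str, str] = {}
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        active = [fl for fl in by_resource.get(vpc_id, [])
                  if fl.get("FlowLogStatus") == "ACTIVE"]
        if vpc_id not in by_resource:
            verdicts[vpc_id] = "missing"
        elif not active:
            verdicts[vpc_id] = "inactive"
        elif any(fl.get("TrafficType") in REJECT_CAPTURING for fl in active):
            verdicts[vpc_id] = "ok"
        else:
            verdicts[vpc_id] = "accept-only"
    return verdicts


def failing_vpcs(verdicts: Dict[str, str]) -> List[str]:
    """VPC ids that would make the test fail: anything other than 'ok'."""
    return sorted(v for v, status in verdicts.items() if status != "ok")


# Constructed sample data in the EC2 API response shape (ids are not real).
SAMPLE_VPCS = [{"VpcId": f"vpc-0{c}"} for c in "abcd"]
SAMPLE_FLOW_LOGS = [
    {"ResourceId": "vpc-0a", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "subnet-0b1", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "vpc-0c", "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "vpc-0d", "TrafficType": "ALL", "FlowLogStatus": "INACTIVE"},  # constructed status
]

if __name__ == "__main__":
    for vpc_id, status in audit_vpc_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"{vpc_id}: {status}")
```

Note that a flow log attached only to a subnet or network interface (as for vpc-0b in the sample) does not satisfy the VPC-level test, and that flow logs are regional, so every enabled region must be queried.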

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security's (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.
