Ensure VPC flow logging is enabled in all VPCs

2.9 Logging (AWS CIS Benchmark).


VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

Determine if the VPC Flow logs feature is enabled via the AWS Management Console

Step 1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

Step 2. Click on Services and then click on VPC.

Step 3. In the left navigation pane, click on Your VPCs.

Step 4. Select a VPC.

Step 5. In the right pane, click on the "Flow Logs" tab.

Step 6. If no Flow Log exists, click on Create Flow Log.

Step 7. For "Filter," select Reject.

Step 8. Enter in a "Role" and "Destination Log Group."

Step 9. Click on Create Log Flow.

Step 10. Click on CloudWatch Logs Group.

Note: Setting the filter to "Reject" will dramatically reduce the accumulation of logging data while providing sufficient information for the purposes of breach detection, research, and remediation.

However, during periods of least privilege security group engineering, setting this filter to "All" can be very helpful in discovering the existing traffic flows required for the proper operation of an already running environment.

By default, CloudWatch Logs will store logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain logs, keep in mind that, on average, it takes a typical organization 210 days (at the time of this writing) to realize they have been breached. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research.

You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html
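The console procedure above checks one VPC at a time; the following helper applies the same control (an active flow log per VPC that captures rejected traffic, and a CloudWatch log group retained for at least 365 days as recommended above) to a whole account's worth of API output. It is an added example, not part of the CIS benchmark or of AWS tooling; it assumes the dict shapes boto3 returns from ec2.describe_vpcs(), ec2.describe_flow_logs() and logs.describe_log_groups(), and the sample data at the bottom is constructed.

```python
"""Audit helper for CIS 2.9 (added example): every VPC needs an active flow log that
captures rejected traffic, with its CloudWatch log group kept for >= 365 days."""
from dataclasses import dataclass, field

MIN_RETENTION_DAYS = 365  # the benchmark's minimum retention recommendation

@dataclass
class VpcFinding:
    vpc_id: str
    compliant: bool
    reasons: list = field(default_factory=list)

def evaluate_vpc_flow_logs(vpcs, flow_logs, log_groups):
    """Takes the dict shapes of boto3 ec2.describe_vpcs()['Vpcs'],
    ec2.describe_flow_logs()['FlowLogs'] and logs.describe_log_groups()['logGroups'];
    returns one VpcFinding per VPC, compliant when reasons is empty."""
    # A log group without retentionInDays never expires, which satisfies 365 days.
    retention = {g["logGroupName"]: g.get("retentionInDays") for g in log_groups}
    by_vpc = {}
    for fl in flow_logs:
        # Only VPC-level flow logs count; subnet/ENI logs carry other ResourceIds.
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    findings = []
    for vpc in vpcs:
        vpc_id, reasons = vpc["VpcId"], []
        active = [fl for fl in by_vpc.get(vpc_id, []) if fl.get("FlowLogStatus") == "ACTIVE"]
        if not active:
            reasons.append("no active flow log")
        elif not any(fl.get("TrafficType") in ("REJECT", "ALL") for fl in active):
            reasons.append("flow log does not capture rejected traffic")
        for fl in active:
            if fl.get("LogDestinationType", "cloud-watch-logs") != "cloud-watch-logs":
                continue  # S3 / Firehose destinations have no log-group retention
            days = retention.get(fl.get("LogGroupName"))
            if days is not None and days < MIN_RETENTION_DAYS:
                reasons.append(f"log group {fl['LogGroupName']} retains only {days} days")
        findings.append(VpcFinding(vpc_id, not reasons, reasons))
    return findings

# Constructed sample data in the boto3 response shapes (not from a real account).
SAMPLE_VPCS = [{"VpcId": "vpc-aaa"}, {"VpcId": "vpc-bbb"}, {"VpcId": "vpc-ccc"}]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-aaa", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/reject"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-bbb", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ACCEPT", "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/accept"},
]
SAMPLE_LOG_GROUPS = [{"logGroupName": "/vpc/reject"},  # no retentionInDays: never expires
                     {"logGroupName": "/vpc/accept", "retentionInDays": 30}]
```

Calling evaluate_vpc_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, SAMPLE_LOG_GROUPS) flags vpc-bbb (ACCEPT-only filter, 30-day retention) and vpc-ccc (no flow log) while vpc-aaa passes; for a live audit, feed it the real boto3 responses instead of the samples.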