VPC flow logs
Check ID: aws-vpc-003
AWS-VPC-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if non-default VPCs have flow logs enabled. Skips default VPCs as they are AWS defaults.
Why it matters
VPC Flow Logs record metadata about every network connection in your VPC: source/destination IPs, ports, protocols, and whether traffic was accepted or rejected. Without them, you cannot detect port scanning, data exfiltration to suspicious IPs, or lateral movement between instances. CIS AWS Benchmark 3.7 requires flow logs on all VPCs. During the 2023 SolarWinds follow-up investigations, organizations with flow logs could trace the exact lateral movement path of the attacker, while those without had critical visibility gaps. Flow logs can be sent to CloudWatch Logs for real-time alerting or to S3 for cost-effective long-term storage and analysis with Athena.
Common causes
Flow logs are skipped because teams are not aware of them during initial VPC creation, and the VPC resource in Terraform does not include flow logs by default. Cost concerns lead some teams to disable flow logs, especially in development environments where they assume monitoring is unnecessary. Organizations that adopted AWS before flow logs were introduced in 2015 may have legacy VPCs that were never retrofitted with logging.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
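The check's logic as an added Python example (not cloud-audit's own code): it walks DescribeVpcs output, skips default VPCs, and flags non-default VPCs that have no flow log. It goes one step beyond the page by also treating a flow log whose FlowLogStatus is not ACTIVE as not enabled; the sample API responses are constructed.

```python
"""Offline model of the AWS-VPC-003 logic: flag non-default VPCs that have no active flow log.
Added example, not cloud-audit's own code. Inputs mirror the dict shapes boto3 returns from
ec2.describe_vpcs()["Vpcs"] and ec2.describe_flow_logs()["FlowLogs"] (paginate both live)."""
from dataclasses import dataclass

@dataclass
class Finding:
    vpc_id: str
    status: str  # "PASS", "FAIL" or "SKIP"
    detail: str

def _active_flow_logs(flow_logs, vpc_id):
    # Assumption beyond the page: a flow log whose FlowLogStatus is not ACTIVE delivers
    # no records, so it is treated the same as a missing one.
    return [fl for fl in flow_logs
            if fl.get("ResourceId") == vpc_id and fl.get("FlowLogStatus") == "ACTIVE"]

def check_vpc_flow_logs(vpcs, flow_logs):
    """One Finding per VPC; default VPCs are skipped, as the check description says."""
    findings = []
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        if vpc.get("IsDefault"):
            findings.append(Finding(vpc_id, "SKIP", "default VPC"))
            continue
        active = _active_flow_logs(flow_logs, vpc_id)
        if not active:
            findings.append(Finding(vpc_id, "FAIL", "no active flow log"))
            continue
        traffic = ",".join(sorted({fl.get("TrafficType", "?") for fl in active}))
        findings.append(Finding(vpc_id, "PASS", f"traffic types: {traffic}"))
    return findings

def failing_vpc_ids(vpcs, flow_logs):
    return [f.vpc_id for f in check_vpc_flow_logs(vpcs, flow_logs) if f.status == "FAIL"]

# Constructed sample API responses, not data from a real account.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0default0", "IsDefault": True},
    {"VpcId": "vpc-0prod0", "IsDefault": False},
    {"VpcId": "vpc-0dev0", "IsDefault": False},
    {"VpcId": "vpc-0legacy0", "IsDefault": False},
]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0prod0", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0dev0", "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},
]
if __name__ == "__main__":
    for f in check_vpc_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"{f.vpc_id:14} {f.status:5} {f.detail}")
```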
Remediation: AWS CLI
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids VPC_ID \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flow-logs/VPC_ID \
  --deliver-logs-permission-arn arn:aws:iam::ACCOUNT_ID:role/vpc-flow-log-role \
  --region REGION
Remediation: Terraform
resource "aws_flow_log" "this" {
  vpc_id          = "vpc-xxx"
  traffic_type    = "ALL"
  log_destination = aws_cloudwatch_log_group.flow_log.arn
  iam_role_arn    = aws_iam_role.flow_log.arn
}
Compliance mapping
This check maps to CIS 3.7 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →