Control: AWS > PCI v3.2.1 > EC2 > 6 VPC flow logging should be enabled in all VPCs
This control checks whether VPC flow logs are found and enabled for VPCs. The traffic type is set to REJECT.
With VPC Flow Logs, you can capture information about the IP address traffic to and from network interfaces in your VPC. After you create a flow log, you can use CloudWatch Logs to view and retrieve the log data.
Security Hub recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC. They can detect anomalous traffic and provide insight into security workflows.
By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol. For more information and descriptions of the log fields, see VPC Flow Logs in the Amazon VPC User Guide.
Remediation
To enable VPC flow logging
- Open the Amazon VPC console.
- In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
- Select a
VPC
to update. - At the bottom of the page, choose Flow Logs.
- Choose Create flow log.
- For Filter, choose Reject.
- For Destination log group, choose the
log group
to use. - If you chose
CloudWatch Logs
for your destination log group, for IAM role, choose the IAM role to use. - Choose Create.
PCI requirement(s): 10.3.3, 10.3.4, 10.3.5, 10.3.6
Resource Types
This control targets the following resource types:
Category
In Your Workspace
Developers
- tmod:@turbot/aws-pciv3-2-1#/control/types/vpcFlowLogsEnabled
- tmod:@turbot/turbot#/control/categories/compliancePci
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/vpcFlowLogsEnabled"
Get Controls