VPC Flow Logs enabled
Description
VPC Flow Logs enabled on all VPCs for network traffic visibility.
⚠️ Risk Impact
Without flow logs, you can't detect lateral movement, exfiltration, or unusual traffic patterns. Network visibility is foundational to cloud security.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <log-group-name> --deliver-logs-permission-arn <flow-log-role-arn>
💀 Real-World Attack Scenario
An attacker compromised an EC2 instance and began exfiltrating data to an external endpoint. Without VPC Flow Logs, the exfiltration was invisible; it was detected 6 weeks later through an AWS billing anomaly.
💰 Cost of Non-Compliance
Detection gap from missing flow logs: 4-6× longer dwell time (Mandiant).
📋 Audit Questions
1. VPC Flow Logs on all VPCs?
2. Capture all traffic?
3. Destination and retention?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
resource "aws_flow_log" "main" {
  iam_role_arn    = aws_iam_role.flow_log.arn
  log_destination = aws_cloudwatch_log_group.flow_log.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.main.id
}
⚡ Common Pitfalls
- ⛔ Flow logs enabled on the production VPC but not dev/staging (attackers pivot through)
- ⛔ Capturing only REJECT traffic instead of ALL
- ⛔ No retention policy
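The three audit questions and the pitfalls above can be checked mechanically. The following is an added example, not EchelonGraph's scanner code: the evaluation is pure logic over the response shapes of EC2 DescribeVpcs / DescribeFlowLogs and CloudWatch Logs DescribeLogGroups, run here on constructed sample data that mirrors the pitfalls (prod compliant, staging with no flow log, dev capturing only REJECT with no retention policy). The fetch_account_state() helper shows how the same inputs would be pulled live; it assumes boto3 is installed and credentials are configured, and S3 destinations (whose retention is a bucket lifecycle matter) are deliberately not modelled.

```python
"""Audit VPC Flow Log coverage against the three audit questions.

Added example; not EchelonGraph's scanner code. evaluate_vpc() is pure
logic over AWS API response shapes, so it runs offline on the constructed
sample below; fetch_account_state() assumes boto3 and configured credentials.
"""
from dataclasses import dataclass, field


@dataclass
class VpcFinding:
    vpc_id: str
    name: str
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def evaluate_vpc(vpc: dict, flow_logs: list, log_groups: dict) -> VpcFinding:
    """Q1: active flow log? Q2: captures ALL traffic? Q3: destination has retention?

    vpc        -- one entry of DescribeVpcs 'Vpcs'
    flow_logs  -- entries of DescribeFlowLogs 'FlowLogs' (all VPCs, filtered here)
    log_groups -- {logGroupName: retentionInDays, or None when no policy is set}
    """
    name = next((t["Value"] for t in vpc.get("Tags", []) if t["Key"] == "Name"), "")
    finding = VpcFinding(vpc["VpcId"], name)
    mine = [fl for fl in flow_logs
            if fl["ResourceId"] == vpc["VpcId"] and fl.get("FlowLogStatus") == "ACTIVE"]
    if not mine:
        finding.issues.append("Q1: no active flow log")
        return finding
    if not any(fl["TrafficType"] == "ALL" for fl in mine):
        finding.issues.append("Q2: no flow log captures ALL traffic (ACCEPT or REJECT only)")
    for fl in mine:
        if fl.get("LogDestinationType") == "cloud-watch-logs":
            group = fl.get("LogGroupName")
            if group not in log_groups:
                finding.issues.append(f"Q3: log group {group} does not exist")
            elif log_groups[group] is None:
                finding.issues.append(f"Q3: log group {group} has no retention policy")
        # S3 destinations: retention is governed by bucket lifecycle rules,
        # which need a separate check; not modelled in this example.
    return finding


def audit_account(vpcs: list, flow_logs: list, log_groups: dict) -> list:
    """Evaluate every VPC, so an unlogged dev/staging VPC cannot hide behind prod."""
    return [evaluate_vpc(v, flow_logs, log_groups) for v in vpcs]


def fetch_account_state(region: str = "us-east-1"):
    """Live inputs for audit_account() via boto3 (not exercised offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    logs = boto3.client("logs", region_name=region)
    vpcs = ec2.describe_vpcs()["Vpcs"]
    flow_logs = ec2.describe_flow_logs()["FlowLogs"]
    log_groups = {}
    for page in logs.get_paginator("describe_log_groups").paginate():
        for g in page["logGroups"]:
            # retentionInDays is absent when the group has no retention policy
            log_groups[g["logGroupName"]] = g.get("retentionInDays")
    return vpcs, flow_logs, log_groups


# Constructed sample (hypothetical IDs): prod is compliant, staging has no
# flow log at all, dev captures only REJECT and has no retention policy.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0prod00000000001", "Tags": [{"Key": "Name", "Value": "prod"}]},
    {"VpcId": "vpc-0stag00000000001", "Tags": [{"Key": "Name", "Value": "staging"}]},
    {"VpcId": "vpc-0dev000000000001", "Tags": [{"Key": "Name", "Value": "dev"}]},
]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0prod00000000001", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/vpc/flow-logs/prod"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0dev000000000001", "FlowLogStatus": "ACTIVE",
     "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/vpc/flow-logs/dev"},
]
SAMPLE_LOG_GROUPS = {"/vpc/flow-logs/prod": 365, "/vpc/flow-logs/dev": None}

if __name__ == "__main__":
    for f in audit_account(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, SAMPLE_LOG_GROUPS):
        status = "OK  " if f.compliant else "FAIL"
        print(f"{status} {f.vpc_id} ({f.name}): {'; '.join(f.issues) or 'compliant'}")
```

Running the script as-is prints one line per sample VPC; replacing the sample arguments with `fetch_account_state()` runs the same checks against a real account in one region. Each finding carries the audit question it fails, which maps directly onto the remediation command and the Terraform resource above.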
📈 Business Value
VPC Flow Logs are foundational to cloud network forensics.
⏱️ Effort Estimate
30 minutes per VPC
EchelonGraph audits VPC Flow Log coverage
🔗 Cross-Framework References
Automate CIS AWS 4.4 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.