Amazon_CloudWatch_15

Ensure that a log metric filter and an alarm exist for the CloudWatch Logs group assigned to VPC Flow Logs

Description

This recommendation builds upon the Foundations Benchmark recommendation: “Ensure VPC Flow Logging is Enabled in all Applicable Regions”

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored in Amazon CloudWatch Logs. A flow log can capture accepted traffic, rejected traffic, or all traffic.

Metric filters express how CloudWatch Logs extracts metric observations from ingested events and turns them into data points in a CloudWatch metric. Metric filters are assigned to log groups, and every filter assigned to a log group is applied to all of that group's log streams.

A metric filter should be created that counts the flow log records whose action is REJECT (traffic rejected by a security group or network ACL), and an alarm should be attached to the resulting metric so that a spike in rejected traffic is noticed.

Remediation

Using the AWS Command Line Interface:

  • Create a metric filter for the CloudWatch Logs group assigned to the VPC Flow Logs. Flow log records are space-delimited, not JSON, so the pattern must be a positional (bracketed) pattern that names the 14 fields of the default flow log format and selects records whose action field is REJECT (a JSON pattern such as { $.errorCode = "AccessDenied" } is for CloudTrail events and will never match a flow log record):
    aws logs put-metric-filter --log-group-name <vpc_flow_log_group_name> --filter-name <vpc_flow_log_filter_name> --filter-pattern '[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]' --metric-transformations metricName=<vpc_flow_log_metric_name>,metricNamespace=LogMetrics,metricValue=1
    Note that metricValue=1 counts rejected flow records, not individual packets; to count packets, use the record's packets field as the metric value (metricValue=$packets).
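The following script is an added example, not code from the original rule page or from AWS. It creates both the metric filter and the alarm that the rule title calls for, confirms the filter is attached with describe-metric-filters, and re-implements the filter's matching rule in awk so the positional pattern can be sanity-checked against sample records before anything is deployed. All names (log group, filter, metric, alarm, SNS topic ARN) are assumed placeholders, and the sample flow log records are constructed, not real traffic.

```shell
#!/usr/bin/env bash
# Added example: metric filter + alarm for rejected VPC flow log traffic.
set -eu

# Assumed names; override via the environment or edit in place.
LOG_GROUP="${LOG_GROUP:-vpc-flow-logs}"
FILTER_NAME="${FILTER_NAME:-VPCFlowLogsRejected}"
METRIC_NAME="${METRIC_NAME:-VPCFlowLogsRejectedRecords}"
METRIC_NAMESPACE="${METRIC_NAMESPACE:-LogMetrics}"
ALARM_NAME="${ALARM_NAME:-VPCFlowLogsRejectedRecordsAlarm}"
# Assumed SNS topic that receives the alarm notification.
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:123456789012:security-alerts}"

# Positional pattern for the default (version 2) flow log format: 14 fields,
# "action" in position 13. Only records with action=REJECT match.
FILTER_PATTERN='[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]'

# Local re-implementation of the pattern above: a record matches when it has
# exactly 14 fields and field 13 is REJECT. Emits the number of matching
# records, which is what the metric reports with metricValue=1.
count_rejected_records() {
  awk 'NF == 14 && $13 == "REJECT" { n++ } END { print n+0 }'
}

# Same match, but sums the "packets" field (field 9) instead of counting
# records; this is what you get with metricValue=$packets.
sum_rejected_packets() {
  awk 'NF == 14 && $13 == "REJECT" { p += $9 } END { print p+0 }'
}

# Constructed sample records: two REJECTs, one ACCEPT, one NODATA record
# (which carries "-" in the action field and must not match).
SAMPLE_RECORDS='2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 443 51234 6 12 9000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 4444 3389 6 5 300 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA'

# Applies the remediation against a real account; requires AWS credentials.
remediate() {
  # 1. Metric filter on the flow log group.
  aws logs put-metric-filter \
    --log-group-name "$LOG_GROUP" \
    --filter-name "$FILTER_NAME" \
    --filter-pattern "$FILTER_PATTERN" \
    --metric-transformations "metricName=$METRIC_NAME,metricNamespace=$METRIC_NAMESPACE,metricValue=1"

  # 2. Alarm on the resulting metric: fires when at least one rejected
  #    record is seen in a 5-minute period (tune threshold for your VPC).
  aws cloudwatch put-metric-alarm \
    --alarm-name "$ALARM_NAME" \
    --metric-name "$METRIC_NAME" \
    --namespace "$METRIC_NAMESPACE" \
    --statistic Sum \
    --period 300 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --alarm-actions "$SNS_TOPIC_ARN"

  # 3. Check: the filter is attached to the group with the expected pattern.
  aws logs describe-metric-filters \
    --log-group-name "$LOG_GROUP" \
    --filter-name-prefix "$FILTER_NAME"
}

if [ "${1:-}" = "--apply" ]; then
  remediate
else
  # Dry run: show what the pattern would match on the sample records.
  echo "Rejected records in sample: $(printf '%s\n' "$SAMPLE_RECORDS" | count_rejected_records)"
  echo "Rejected packets in sample: $(printf '%s\n' "$SAMPLE_RECORDS" | sum_rejected_packets)"
fi
```

Run it without arguments to check the matching rule against the sample records, then with --apply to create the filter, the alarm and run the describe-metric-filters check. If your flow logs use a custom format, the positional pattern must be rewritten to list that format's fields in order, because the pattern matches by field position, not by name.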

References:

  1. http://docs.aws.amazon.com/cli/latest/reference/logs/filter-log-events.html
  2. http://docs.aws.amazon.com/cli/latest/reference/logs/put-metric-filter.html
  3. http://docs.aws.amazon.com/cli/latest/reference/logs/describe-metric-filters.html

Service

CloudWatch

Severity

Medium
