EC2 VPC – Ensure Flow Logs are Enabled
This check ensures that VPC flow logs are enabled to monitor traffic and support security analysis.
Check Details
- Resource: VPC
- Check: Ensure VPC flow logs are enabled
- Risk: Lack of flow logs can obscure network issues and security events
Remediation via AWS Console
- Sign into the AWS Management Console and open VPC.
- In the left navigation panel, select Your VPCs and choose a VPC.
- In the right panel, go to the Flow Logs tab. If no flow log exists, click Create Flow Log.
- For Filter, select Reject.
- Enter an IAM Role and Destination Log Group, then click Create Flow Log.
- Verify logs in CloudWatch: CloudWatch → Logs → Log groups.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner.
- Create a file role_policy_document.json with the following content:
  nano role_policy_document.json
  Paste the following content. ctrl+O -> save and ctrl+X -> exit.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowVPCFlowLogsAssumeRole",
        "Effect": "Allow",
        "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Create a file iam_policy.json with the following content:
  nano iam_policy.json
  Paste the following content. ctrl+O -> save and ctrl+X -> exit.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents",
          "logs:GetLogEvents",
          "logs:FilterLogEvents"
        ],
        "Resource": "*"
      }
    ]
  }
- Create the IAM Role:
  aws iam create-role --role-name vpc-flow-logs-role --assume-role-policy-document file://role_policy_document.json
- Create the IAM Policy:
  aws iam create-policy --policy-name vpc-flow-logs-policy --policy-document file://iam_policy.json
- Attach the policy to the IAM role:
  aws iam attach-role-policy --role-name vpc-flow-logs-role --policy-arn arn:aws:iam::<aws-account-id>:policy/vpc-flow-logs-policy
- Identify VPCs in the region:
  aws ec2 describe-vpcs --region <region>
- Create Flow Logs for each VPC:
  aws ec2 create-flow-logs \
    --region <region> \
    --resource-type VPC \
    --resource-ids <vpc-id> \
    --traffic-type ALL \
    --log-group-name <log-group-name> \
    --deliver-logs-permission-arn arn:aws:iam::<aws-account-id>:role/vpc-flow-logs-role
- Repeat for all remaining VPCs in the region. Update --region accordingly for other regions.
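The CLI steps above are run once per VPC by hand. As an added example that is not part of the original article, the Python script below makes the check repeatable: it reads the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` return (saved with `> vpcs.json` and `> flow-logs.json`), lists every VPC that has no ACTIVE flow log covering the required traffic type, and prints the create-flow-logs command from the steps above for each one. The VPC and flow-log IDs are constructed sample values; the file names and script name are assumptions.

```python
import json
import sys

# Constructed sample of `aws ec2 describe-vpcs` output: three VPCs.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1b2c3d4e5f60001"}, {"VpcId": "vpc-0a1b2c3d4e5f60002"},
                        {"VpcId": "vpc-0a1b2c3d4e5f60003"}]}
# Constructed sample of `aws ec2 describe-flow-logs` output: an ACTIVE ALL log on ...0001,
# a REJECT-only log on ...0002 (what the console steps above create), nothing on ...0003.
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-0000000000000001", "ResourceId": "vpc-0a1b2c3d4e5f60001",
     "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-0000000000000002", "ResourceId": "vpc-0a1b2c3d4e5f60002",
     "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
]}


def vpcs_missing_flow_logs(vpcs, flow_logs, traffic_type="ALL"):
    """Sorted VPC IDs with no ACTIVE flow log covering traffic_type.

    An ALL log covers any requirement; a REJECT-only log does not satisfy ALL,
    and a flow log whose status is not ACTIVE never counts.
    """
    covered = {fl["ResourceId"] for fl in flow_logs.get("FlowLogs", [])
               if fl.get("FlowLogStatus") == "ACTIVE"
               and fl.get("TrafficType") in ("ALL", traffic_type)}
    return sorted(v["VpcId"] for v in vpcs.get("Vpcs", []) if v["VpcId"] not in covered)


def create_flow_logs_command(vpc_id, region, account_id, log_group, traffic_type="ALL"):
    """The remediation command from the CLI steps above, as an argv list."""
    return ["aws", "ec2", "create-flow-logs", "--region", region,
            "--resource-type", "VPC", "--resource-ids", vpc_id,
            "--traffic-type", traffic_type, "--log-group-name", log_group,
            "--deliver-logs-permission-arn", f"arn:aws:iam::{account_id}:role/vpc-flow-logs-role"]


if __name__ == "__main__":
    # Usage: python check_vpc_flow_logs.py vpcs.json flow-logs.json <region> <account-id> <log-group>
    # With no arguments the constructed samples above are used instead of real CLI output.
    if len(sys.argv) == 6:
        vpcs, flow_logs = (json.load(open(p)) for p in sys.argv[1:3])
        region, account_id, log_group = sys.argv[3:6]
    else:
        vpcs, flow_logs = SAMPLE_VPCS, SAMPLE_FLOW_LOGS
        region, account_id, log_group = "<region>", "<aws-account-id>", "<log-group-name>"
    for vpc_id in vpcs_missing_flow_logs(vpcs, flow_logs):
        print(" ".join(create_flow_logs_command(vpc_id, region, account_id, log_group)))
```

Run it once per region with that region's two JSON files; a VPC that already has an ALL flow log produces no command, so re-running after remediation is a cheap way to confirm the check now passes.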
Updated on 06 March, 2026