VPC - Flow Log Configuration Check¶
The following example policy will find any VPC Flow Log in your region that is not properly configured and notify a group via email. Ensuring VPC Flow Logs are enabled and setup properly is very important for compliance and security. Flow Logs themselves capture IP traffic information to and from network interfaces and can be used for troubleshooting traffic issues and monitoring network traffic as a security tool. See more info on example dashboarding of VPC Flow Logs using Elasticsearch and Kibana https://aws.amazon.com/blogs/aws/cloudwatch-logs-subscription-consumer-elasticsearch-kibana-dashboards/
policies: - name: vpc-flow-log-check resource: vpc filters: - not: - type: flow-logs enabled: true set-op: or op: equal traffic-type: all log-group: myVPCFlowLogs status: active actions: - type: notify template: default.html priority_header: 1 subject: "Cloud Custodian - VPC Flow Log(s) Not Setup Properly" violation_desc: "The Following Flow Logs Are Invalid:" action_desc: "Actions Taken: Notification Only" to: - CloudCustodian@Company.com transport: type: sqs queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer region: us-east-1
Note that the
notify action requires the cloud custodian mailer tool to be installed.