VPC FlowLogs Disabled
- Query id: f6d299d2-21eb-41cc-b1e1-fe12d857500b
- Query name: VPC FlowLogs Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description
Every VPC resource should have an associated Flow Log, so that the network traffic of the VPC is recorded.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# KICS positive sample (expected to be flagged): the FlowLog resource below is
# attached to a logical ID that this template never declares, so the VPC that
# is declared (MyVPC) ends up without an associated Flow Log.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'VPC: public and private subnets in two availability zones, a cloudonaut.io template'
Parameters:
  ClassB:
    Description: 'Class B of VPC (10.XXX.0.0/16)'
    Type: Number
    Default: 0
    ConstraintDescription: 'Must be in the range [0-255]'
    MinValue: 0
    MaxValue: 255
Resources:
  # Role assumed by the VPC Flow Logs service to write into LogGroup.
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: 'vpc-flow-logs.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: 'flowlogs-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                # Scoped to the single log group declared below, not '*'.
                Resource: !GetAtt 'LogGroup.Arn'
  # The only VPC in this template; nothing references it as a Flow Log target.
  MyVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Sub '10.${ClassB}.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub '10.${ClassB}.0.0/16'
  # Destination for the flow-log records; retention is 14 days here.
  LogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: 14
  FlowLog:
    Type: 'AWS::EC2::FlowLog'
    Properties:
      DeliverLogsPermissionArn: !GetAtt 'Role.Arn'
      LogGroupName: !Ref LogGroup
      # 'MyVPC1' is not declared in Resources (only Role, MyVPC, LogGroup and
      # FlowLog are), so MyVPC has no Flow Log and the query reports it.
      # CloudFormation would presumably also reject this unresolved Ref at
      # deploy time, but the static check fires before that.
      ResourceId: !Ref MyVPC1
      ResourceType: 'VPC'
      # ACCEPT records accepted traffic only; the query does not check this value.
      TrafficType: ACCEPT
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "VPC: public and private subnets in two availability zones, a cloudonaut.io template",
"Parameters": {
"ClassB": {
"MaxValue": 255,
"Description": "Class B of VPC (10.XXX.0.0/16)",
"Type": "Number",
"Default": 0,
"ConstraintDescription": "Must be in the range [0-255]",
"MinValue": 0
}
},
"Resources": {
"Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Policies": [
{
"PolicyName": "flowlogs-policy",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "LogGroup.Arn"
}
],
"Version": "2012-10-17"
}
}
]
}
},
"MyVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport": true,
"EnableDnsHostnames": true,
"InstanceTenancy": "default",
"Tags": [
{
"Key": "Name",
"Value": "10.${ClassB}.0.0/16"
}
],
"CidrBlock": "10.${ClassB}.0.0/16"
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 14
}
},
"FlowLog": {
"Type": "AWS::EC2::FlowLog",
"Properties": {
"DeliverLogsPermissionArn": "Role.Arn",
"LogGroupName": "LogGroup",
"ResourceId": "MyVPC1",
"ResourceType": "VPC",
"TrafficType": "ACCEPT"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# KICS negative sample (expected to pass): FlowLog.ResourceId references the
# VPC declared in this template (MyVPC), so the VPC has an associated Flow Log.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'VPC: public and private subnets in two availability zones, a cloudonaut.io template'
Parameters:
  ClassB:
    Description: 'Class B of VPC (10.XXX.0.0/16)'
    Type: Number
    Default: 0
    ConstraintDescription: 'Must be in the range [0-255]'
    MinValue: 0
    MaxValue: 255
Resources:
  # Role assumed by the VPC Flow Logs service to write into LogGroup.
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # NOTE(review): the trust statement carries no Condition; consider
          # adding an aws:SourceAccount / aws:SourceArn condition so only this
          # account's flow logs can assume the role (confused-deputy hardening).
          - Effect: Allow
            Principal:
              Service: 'vpc-flow-logs.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: 'flowlogs-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                # Scoped to the single log group declared below, not '*'.
                Resource: !GetAtt 'LogGroup.Arn'
  MyVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Sub '10.${ClassB}.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub '10.${ClassB}.0.0/16'
  # Destination for the flow-log records. 14 days is the sample's value; size
  # retention to the investigation window your incident response needs.
  LogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: 14
  FlowLog:
    Type: 'AWS::EC2::FlowLog'
    Properties:
      DeliverLogsPermissionArn: !GetAtt 'Role.Arn'
      LogGroupName: !Ref LogGroup
      # Points at the VPC declared above, which is what the query requires.
      ResourceId: !Ref MyVPC
      ResourceType: 'VPC'
      # ACCEPT records accepted traffic only. The query only checks that a Flow
      # Log exists; for detection work REJECT or ALL is usually what analysts
      # need — confirm against your logging requirements.
      TrafficType: ACCEPT
Negative test num. 2 - json file
{
"Description": "VPC: public and private subnets in two availability zones, a cloudonaut.io template",
"Parameters": {
"ClassB": {
"Description": "Class B of VPC (10.XXX.0.0/16)",
"Type": "Number",
"Default": 0,
"ConstraintDescription": "Must be in the range [0-255]",
"MinValue": 0,
"MaxValue": 255
}
},
"Resources": {
"Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
}
}
]
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "LogGroup.Arn"
}
],
"Version": "2012-10-17"
},
"PolicyName": "flowlogs-policy"
}
]
}
},
"MyVPC": {
"Properties": {
"InstanceTenancy": "default",
"Tags": [
{
"Key": "Name",
"Value": "10.${ClassB}.0.0/16"
}
],
"CidrBlock": "10.${ClassB}.0.0/16",
"EnableDnsSupport": true,
"EnableDnsHostnames": true
},
"Type": "AWS::EC2::VPC"
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 14
}
},
"FlowLog": {
"Type": "AWS::EC2::FlowLog",
"Properties": {
"DeliverLogsPermissionArn": "Role.Arn",
"LogGroupName": "LogGroup",
"ResourceId": "MyVPC",
"ResourceType": "VPC",
"TrafficType": "ACCEPT"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}