VPC FlowLogs Disabled
- Query id: f83121ea-03da-434f-9277-9cd247ab3047
- Query name: VPC FlowLogs Disabled
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description¶
Every VPC resource should have an associated Flow Log
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
resource "aws_flow_log" "example" {
iam_role_arn = aws_iam_role.example.arn
log_destination = aws_cloudwatch_log_group.example.arn
traffic_type = "ALL"
}
resource "aws_flow_log" "example1" {
iam_role_arn = aws_iam_role.example.arn
log_destination = aws_cloudwatch_log_group.main.arn
traffic_type = "ALL"
vpc_id = aws_vpc.main.id
}
Positive test num. 2 - tf file
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
resource "aws_flow_log" "example" {
iam_role_arn = aws_iam_role.example.arn
log_destination = aws_cloudwatch_log_group.example.arn
traffic_type = "ALL"
vpc_id = aws_vpc.example.id
}
resource "aws_flow_log" "example2" {
iam_role_arn = aws_iam_role.example.arn
log_destination = aws_cloudwatch_log_group.example.arn
traffic_type = "ALL"
vpc_id = aws_vpc.example2.id
}
Positive test num. 3 - tf file
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "3.7.0"
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
enable_flow_log = false
tags = {
Terraform = "true"
Environment = "dev"
}
}
Positive test num. 4 - tf file
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "3.7.0"
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
resource "aws_flow_log" "example" {
iam_role_arn = aws_iam_role.example.arn
log_destination = aws_cloudwatch_log_group.example.arn
traffic_type = "ALL"
vpc_id = aws_vpc.example.id
}
resource "aws_flow_log" "example2" {
iam_role_arn = aws_iam_role.example.arn
log_destination = aws_cloudwatch_log_group.example.arn
traffic_type = "ALL"
vpc_id = aws_vpc.main.id
}
Negative test num. 2 - tf file
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "3.7.0"
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
enable_flow_log = true
tags = {
Terraform = "true"
Environment = "dev"
}
}