VPC Flow Logs Disabled

• Query id: d2731f3d-a992-44ed-812e-f4f1c2747d71
• Query name: VPC Flow Logs Disabled
• Platform: Terraform
• Severity: Medium
• Category: Observability
• URL: Github

Description

Every VPC resource should have an associated Flow Log
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "alicloud_vpc" "main" {
  cidr_block = "192.168.0.0/24"
  name       = var.name
}

resource "alicloud_vpc_flow_log" "default" {
  depends_on     = ["alicloud_vpc.default"]
  resource_id    = alicloud_vpc.default.id
  resource_type  = "VPC"
  traffic_type   = "All"
  log_store_name = var.log_store_name
  project_name   = var.project_name
  flow_log_name  = var.name
  status         = "Active"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "alicloud_vpc" "main" {
  cidr_block = "192.168.0.0/24"
  name       = var.name
}

resource "alicloud_vpc_flow_log" "default" {
  depends_on     = ["alicloud_vpc.main"]
  resource_id    = alicloud_vpc.main.id
  resource_type  = "VPC"
  traffic_type   = "All"
  log_store_name = var.log_store_name
  project_name   = var.project_name
  flow_log_name  = var.name
  status         = "Active"
}