Virtual Private Cloud (VPC)

Create a Virtual Private Cloud (VPC). Includes multiple subnet tiers, NACLs, NAT gateways, Internet Gateways, and VPC peering.

VPC Flow Logs Terraform Module

This Terraform Module creates a VPC flow log. The flow log will capture IP traffic information for a given VPC, subnet, or Elastic Network Interface (ENI). Flow logs can be configured to capture all traffic, only traffic that is accepted, or only traffic that is rejected. The logs can be published to Amazon CloudWatch Logs or an S3 bucket.

How do you use this module?

Check out the vpc-flow-logs examples.

See variables.tf for all the available configuration options.

What are VPC Flow Logs?

VPC Flow Logs are a feature to help you understand, debug, and evaluate the network traffic in your VPCs. Flow logs will capture information such as the client IP address and port, the protocol, whether traffic was accepted or rejected (e.g. due to a security group rule forbidding such traffic), and other metadata about the request and response.

For example, consider the following flow log record:

2 318677964956 eni-0a4c0daa903d85a52 209.17.96.58 10.0.3.254 55428 139 6 1 44 1565031303 1565031350 REJECT OK

This shows a single rejected packet of 44 bytes from 209.17.96.58 port 55428 to 10.0.3.254 (an internal VPC address) port 139 (Windows SMB protocol) on interface eni-0a4c0daa903d85a52. The packet was sent between Monday, August 5, 2019 6:55:03 PM and Monday, August 5, 2019 6:55:50 PM. For a complete description of the fields, refer to the Flow Log Records documentation.

This particular flow log record was recorded from a newly created EC2 instance running Linux, and yet the packet is destined for port 139 using the Server Message Block (SMB) protocol, an antiquated file sharing protocol for Windows. Why would this occur? Because publicly routable IP addresses are continuously barraged by probes from malicious hosts seeking vulnerable systems to compromise. This is one reason why it is crucial to have a battle-tested, production-grade network architecture that limits attack surface and enforces segmentation.
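The record above can be decoded field by field and rejected traffic summarized per destination port. The following Python is an added example, not code from this module or from AWS. It assumes the default (version 2) record format; the names `parse_record` and `rejected_by_port` are illustrative, and every sample line except the first is constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes"}
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

# First line is the record from the text; the others are constructed samples.
SAMPLE = [
    "2 318677964956 eni-0a4c0daa903d85a52 209.17.96.58 10.0.3.254 55428 139 6 1 44 1565031303 1565031350 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.3.254 33000 23 6 3 120 1565031400 1565031450 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 10.0.1.15 10.0.3.254 51514 443 6 10 5200 1565031400 1565031450 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 - - - - - - - 1565031400 1565031450 - NODATA",
]


def parse_record(line):
    """Parse one default-format record; "-" (NODATA/SKIPDATA) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        elif name in ("start", "end"):
            # Capture window boundaries are Unix epoch seconds.
            rec[name] = datetime.fromtimestamp(int(value), tz=timezone.utc)
        else:
            rec[name] = value
    return rec


def rejected_by_port(lines):
    """Sum rejected packets per (protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        # Skip NODATA/SKIPDATA records, which carry no traffic fields.
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            proto = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
            counts[(proto, rec["dstport"])] += rec["packets"]
    return counts


if __name__ == "__main__":
    print(rejected_by_port(SAMPLE).most_common())
```

Flow logs created with a custom record format have a different field order, so `FIELDS` would need to match that format.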

VPC Flow Logs do not capture packet payloads. You can use VPC Traffic Mirroring if you wish to capture payloads. Furthermore, flow logs do not capture all IP traffic. For a list of flow log limitations, consult the AWS documentation.

How are VPC Flow Logs useful?

Flow Logs can help to define least privilege permissions for security group rules. They can also help to identify malicious network activity to prevent or respond to an attack. Flow logs are required by some information security standards, such as the CIS AWS Foundations Benchmark.

Resources Created

How do I view Flow Logs?

The easiest way to use Flow Logs is to configure the CloudWatch Logs destination and use the web console. The available fields in a flow log record tell you information about IP traffic such as source and destination address and port, protocol, bytes and packets sent, whether the traffic was accepted or rejected, and more.

If you use an S3 destination, flow log files are delivered to the S3 bucket at 5-minute intervals.

Flow log records are overwhelming for humans to review. You can use Amazon Athena to query VPC flow logs using SQL syntax. You can also use Amazon GuardDuty to automatically evaluate flow logs.

What is the difference between using Flow Logs with VPC, subnets, and ENIs?

The difference has to do with how many resources are sending flow logs.

  • If you create a flow log with eni_id, it will include the data for a single elastic network interface only
  • If you create a flow log with subnet_id, it will include the data for any network interface created within the given subnet
  • If you create a flow log with vpc_id, it will include the data for any network interface created within the given VPC

Using KMS keys to encrypt flow logs

Flow logs can be encrypted using the AWS Key Management Service (KMS). You can provide the ARN of a KMS key, or the module will create one if an ARN is not provided. If you choose to supply an existing key, you must ensure that the appropriate key policy is configured. Refer to the documentation for flow logs published to CloudWatch Logs and to S3 respectively, as the required policies differ slightly. See also the comments in the kms_key_policy resource.

Module limitations

TODO: Publish flow logs to an S3 bucket or CloudWatch Logs group in another account
