aws vpc and vpc flow logs learnings
moveecar committed Aug 24, 2024
1 parent 11df36f commit 1d5042b
Showing 1 changed file with 49 additions and 2 deletions.
51 changes: 49 additions & 2 deletions _posts/2024-03-17-aws-vpc.md
Expand Up @@ -2,7 +2,7 @@
layout: post
title: "AWS VPC"
date: 2024-03-17 06:51:00 -0400
modified_date: 2024-03-17 06:51:00 -0400
modified_date: 2024-08-24 06:51:00 -0400
categories: aws vpc
---

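Review bot: the updated `modified_date` keeps the exact clock time and offset of the original (`06:51:00 -0400`), so only the calendar day was changed; if the field is meant to record when the post was actually edited, set it to the real edit time rather than copying the old timestamp. Otherwise the front-matter change is fine.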
Expand Down Expand Up @@ -76,6 +76,52 @@ aws ec2 describe-subnets

Aleternatively, use ELB with with public NAT gateway.

## Monitoring

- VPC flow logs helps to monitor, debug
- VPC flow log can be stored/published into CloudWatch, S3 and Firehouse.
- The cost depends on where it is published and how long we keep the log.

### Why and Who

Because enabling VPC logs will incur cost, it is recommended to identify the need and proper process in place to ensure the logs are monitored or audited.
It is important to let the stakeholders involved. Depends on the stakeholder commitment we should enable right level of logging.

#### Cyber Security - SOC - Security Operation Center needs

- Security team often needs network logs to analyze the trafic, identify unusual activity, protect the infrastructure.
- Many SIEM tools available that are designed to work with VPC flow logs.
- Cyber Security team should request to enable the log based on the level of security needs.
- May ask to keep the logs for long time - prefer cold storage after live analysis.

#### Network Engineer

- Diagnose performance or network issues.
- May ask on the need basis.
- May not required to keep the log for long time.
- Limit the log collection to specific service / subnet to make the work productive, cost effective.

#### Complaince and Certification

- If your organization has compliance team, they may ask for recording the VPC logs based on the level.
- If your organization seeking for any certification to meet customer demands, it may need VPC flow logs monitored.
- Example: Payment Card Industry (PCI) Compliance woud require VPC flow logs to be enabled.

#### Auditor

- It is good to start with auditor to engage commitment to audit the logs.
- Both cyber and complaince team should have regular auditing process.

### Common Understanding and Excuses for not enabling VPC flow logs

- We use GuardDuty.
- We use CloudTrail
- We use WAF, Load Balancer and application log.
- Log collections expensive.
- We dont have people and tools to consume the logs to get value.
- No auditors asked for details which is only found in VPC flow logs.
- No business decision taken by understanding the value or risk.

## Questions

- How do we plan IP addressing when HA is a major concern?
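Review bot: the new Monitoring section has several spelling and grammar slips that should be fixed before merge: `Firehouse` should read `Firehose` (the AWS delivery service that flow logs can be published to), `trafic` should be `traffic`, `Complaince` should be `Compliance` (in the heading and again in the Auditor bullet), `woud` should be `would`, `dont` should be `don't`, and `VPC flow logs helps to monitor, debug` reads better as `VPC flow logs help with monitoring and debugging`. The sentence `It is important to let the stakeholders involved. Depends on the stakeholder commitment we should enable right level of logging.` is missing words; suggest `It is important to get the stakeholders involved. Depending on the stakeholder commitment, we should enable the right level of logging.` The unchanged context line `Aleternatively, use ELB with with public NAT gateway.` just above the new section also has a doubled `with` and a misspelt `Alternatively` that could be fixed in the same commit. Finally, the `Common Understanding and Excuses` list only names the excuses; since the heading promises to address them, each bullet would be stronger with a short reason why the named tool or argument does not replace VPC flow logs.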
Expand All @@ -92,4 +138,5 @@ Aleternatively, use ELB with with public NAT gateway.
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html
- https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html
- https://docs.aws.amazon.com/vpc/latest/ipam/
- Amazon EC2 User Guide for Linux Instances.
- https://www.netskope.com/blog/a-real-world-look-at-aws-best-practices-logging
- https://www.devopsschool.com/blog/what-is-cloudtrail-and-use-cases-of-cloudtrail/
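Review bot: the two new references are third-party blog posts (netskope, devopsschool) while the section they support makes concrete claims about where VPC flow logs can be published and what drives their cost; add the official AWS VPC flow logs user guide page alongside the existing docs.aws.amazon.com entries so readers have a primary source for those statements. Also, the `Amazon EC2 User Guide for Linux Instances.` entry is a bare title with no link, unlike every other item in the list.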
