Understanding AWS VPC Flow Logs

VPC Flow Logs are a useful tool for monitoring the security of your AWS Virtual Private Cloud. But understanding and getting the most from these logs can be a bit tricky.

Why Use VPC Flow Logs?

VPC Flow Logs track all inbound and outbound traffic to and from instances in your Amazon Web Services Virtual Private Cloud.  They track both traffic that is accepted by Security Groups and Network Access Control Lists, and also traffic that is rejected.

They are critical for investigating a security incident after the fact, but can also be used to trigger an alert of suspicious activity as it happens.

In this article, we will show you how to set up VPC Flow logs and then leverage them to enhance your network monitoring and security.

How to Enable VPC Flow Logs

First, go the VPC section of the AWS Console.  Select your VPC, click the Flow Logs tab, and then click Create Flow Log.

create-vpc-flow-log-1

The next screen is a wizard to help you set up flow logs.  You can choose to collect accepted and/or rejected traffic.  Some people prefer one log for accepted and another for rejected.  I prefer both types of traffic in the same log.  The next step is to select an IAM role to allow flow logs to be published.  The easiest create the role is to click the “Set Up Permissions” link.  Finally, you need to select a Destination Log Group in Cloudwatch.  I recommend a name of “FlowLogs.”

create-vpc-flow-log-2

If you clicked “Set Up Permissions,” you will see an IAM wizard as shown below.  Let it create a new IAM role for you.  Give the role a name that will help you remember its purpose such as “FlowLogsRole.”

create-iam-role-flow-logs

Viewing VPC Flow Logs

To view your flow logs, go to AWS CloudWatch, and then select “Logs” on the left hand side of the screen.  This will give you a list of your log groups.  Select your FlowLogs group (or whatever group name you provided when you set up  VPC Flow Logs.

vpc-flow-logs-cloudwatch

The logs are grouped according to the Elastic Network Interface (ENI) attached to your EC2 instance or Elastic Load Balancer (ELB).  To find your EC2 instance’s ENI, go to EC2, select your instance, then on the description tab, find the network interfaces and click on the link (probably eth0) as shown below.  The interface ID is what you need to find the correct log within your Flow Logs.

how-to-find-ec2-elastic-network-interface

Back in your VPC Flow Logs you can search for the logs related to this network interface to see all accepted and rejected traffic.

Filtering and Understanding VPC Flow Logs

Usually, you are not interested in wading through all of the accepted and rejected traffic for your EC2 instance.  You are likely interested in a particular subset of that traffic.  That may be all rejected traffic, all traffic to or from a specific address or using a specific port.  To find that traffic, you can use filtering.

To filter traffic, start by pasting the text below into the filter field.  The text below does not filter anything, but we will see how to filter next.

[version, accountid, interfaceid, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, logstatus]

To begin filtering, simply add =value to one or more of the fields to limit your results to only those fields.  For example, perhaps I want to see all rejected traffic.  I can use

[version, accountid, interfaceid, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action=REJECT, logstatus]

The format of the filter also represents the content of the fields in the VPC Log.  For example, the fourth field in your log is the source IP address of the traffic.  That is followed by the destination IP address and then source and destination ports.

When I run the filter above, I see several external systems trying to connect on port 23 (telnet) and port 80 (http).  I’m not using telnet (of course!), and I’m not running a web server, so port 80 is closed at the security group layer.  It is likely that this traffic is malicious attempts to hack into my EC2 instance.  But, I don’t have to worry about it, because it is all being rejected.

security-groups-block-malicious-traffic

In the first row that I expanded, we can see that an attempt was made to connect to port 23, and this attempt originated from IP address 78.10.107.73.  In the second expanded row, we see an attempt to connect to port 80 from IP address 72.21.217.71.  Both attempts were rejected.

For a few more details on the fields in VPC

Exporting VPC Flow Logs

Filtering flow logs is convenient for a quick look at your network traffic.  For example if you are trying to allow two instances in different security groups to communicate and it is not working, you might be able to quickly see what traffic is allowed and rejected between them by filtering on source and/or destination addresses.

But if you want to do a more detailed analysis of your network traffic, Flow Log filtering is not the way to go.  For this, you need to export your logs and then import them into another tool such as a relational database or other analytical system.

You can export flow logs to S3, stream them to Lambda, or stream them to ElastiSearch.  To do so, go to CloudWatch, click “Logs,” select your log group and click the “Actions” button as shown below…

how-to-export-vpc-flow-logs

Triggering Alerts from VPC Flow Logs

The ability to stream CloudWatch logs to Lambda functions means it is possible to write custom logic such as alerts to notify you of security issues.  One example might be that you want to be alerted of any rejected traffic originating from within your VPC.  Rejected traffic might indicate something such as a compromised web server that is being used to probe the rest of your network.  I would not fire alerts based on rejected traffic from external sources.  Any public IP address will constantly be probed for weaknesses.  Good Security Group settings and a good Web Application Firewall will protect you from those attacks.  Rejected traffic originating from within your network, on the other hand, can be a real cause for alarm.

Lambda offers a built-in template for building a function that processes CloudWatch Logs such as VPC Flow Logs.  Filters can be applied to avoid triggering the Lambda function too often which may go a long way towards reducing your costs.  Writing and configuring this Lambda function is a subject for a future post.