
AWS-EC2-13

No VPC Flow Logs

Risk:
High
CWE:
223

VPC Flow Logs are the forensic record used to trace where a breach started and how an attacker moved laterally. Without them that data is never captured: enabling flow logs after an incident does nothing for the period before they existed.

Details

VPC flow logs capture metadata about the IP traffic entering, leaving and moving within your VPC: source and destination addresses and ports, protocol, packet and byte counts, the start and end of each aggregation window, and whether the traffic was accepted or rejected by security groups and network ACLs. They record headers, not payloads. A flow log can be attached to a whole VPC, to a subnet or to a single network interface; attaching it at the VPC level is what gives the comprehensive view of east-west traffic needed to spot intrusions and lateral movement, both for real-time detection and for forensic analysis after an incident. Some traffic is never logged regardless of configuration, including queries to the VPC's Amazon DNS resolver, requests to the instance metadata service at 169.254.169.254 and DHCP traffic, so flow logs complement DNS query logs and host-based telemetry rather than replace them.

Without VPC flow logs, network traffic inside the VPC is effectively untracked: after a breach there is no record of which hosts communicated, on which ports, or which path the attacker took. Flow logs are also not retroactive; a log enabled during incident response captures only what happens from that point on. For environments that need intrusion detection and the ability to scope a compromise, flow logs are the source of truth for tracing movement and assessing which resources or data may have been reached.

Flow logs do carry a cost, but it can be managed. Flow logs can be delivered to CloudWatch Logs, Amazon S3 or Amazon Data Firehose; set a retention period on the CloudWatch Logs log group, or use S3 lifecycle rules to expire or tier older objects, to rotate out data you no longer need. The default record format is plain space-separated text that SIEMs and third-party tools ingest directly, so organisations can analyse logs as they arrive and keep only what matters. This reduces long-term storage needs, as relevant data is available immediately and unneeded records can be discarded once analysed; just make sure retention still covers the time it typically takes you to detect an incident, since the records you need most are the ones from before the alert.
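The kind of analysis the two preceding paragraphs describe, written out as an added example (this is not code from the page or from SkySiege): it parses default-format flow log records, drops NODATA/SKIPDATA rows, and flags an internal host that reaches an unusual number of distinct internal peers, which is what lateral movement looks like in flow data. The log lines are constructed, the VPC address space 10.0.0.0/16 and the fan-out threshold of 3 are assumptions, and the field order is the documented default (version 2) format.

```python
"""Hunt for lateral movement in VPC flow log records (default, version 2 format)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Field order of a default-format (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Assumed VPC address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed sample records (not real traffic): 10.0.1.10 fans out over
# SSH, RDP and SMB to many internal peers, with two attempts rejected by a
# security group, plus one ordinary database flow and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 51234 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.21 51235 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.22 51236 3389 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.23 51237 445 6 8 1024 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.24 51238 445 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.25 51239 22 6 15 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.7 51240 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f6789012 10.0.3.5 10.0.3.6 44000 5432 6 200 65000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f6789012 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str


def parse_records(text):
    """Parse default-format lines; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line: do not guess at its fields
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA rows carry '-' instead of a flow tuple
        records.append(FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                                  int(rec["dstport"]), int(rec["protocol"]), rec["action"]))
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_lateral_movement(records, fanout_threshold=3):
    """Return {srcaddr: summary} for internal hosts that reached at least
    fanout_threshold distinct internal peers; rejects are counted as scan noise."""
    peers, ports, rejects = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:
        if not (is_internal(r.srcaddr) and is_internal(r.dstaddr)):
            continue  # east-west traffic only; egress to the internet is a separate hunt
        if r.action == "ACCEPT":
            peers[r.srcaddr].add(r.dstaddr)
            ports[r.srcaddr].add(r.dstport)
        elif r.action == "REJECT":
            rejects[r.srcaddr] += 1
    return {
        src: {"peers": sorted(dsts), "ports": sorted(ports[src]), "rejects": rejects[src]}
        for src, dsts in peers.items()
        if len(dsts) >= fanout_threshold
    }


if __name__ == "__main__":
    for src, info in find_lateral_movement(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: {len(info['peers'])} internal peers on ports {info['ports']}, "
              f"{info['rejects']} rejected attempts")
```

On the constructed input only 10.0.1.10 is reported: four accepted internal peers on ports 22, 445 and 3389 plus two rejects. The database host 10.0.3.5 talks to a single peer and is ignored, and the flow to 203.0.113.7 is skipped because it leaves the VPC. The threshold is deliberately low for the sample; in a real VPC it should be tuned per role, since load balancers and monitoring hosts legitimately fan out.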

Remediation

SkySiege's AWS Vulnerability Scan automatically detects this finding across all AWS Regions, with the report delivered the same day.

In addition to detecting VPCs without flow logs, our Vulnerability Assessment usually uncovers a number of Default VPC violations. The default VPC that AWS creates in every region has no flow logs configured and is therefore flagged by our scans. A scan finds all of your unlogged networks, including the ones that are best deleted. For a VPC you keep, the fix is to create a flow log for it with traffic type ALL (accepted and rejected traffic) delivered to CloudWatch Logs, Amazon S3 or Amazon Data Firehose; for a default VPC you do not use, deleting it removes the finding along with the attack surface.
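The check and the fix described in this section, as an added example that is not SkySiege's scanner or any AWS-provided code. It assumes boto3 and AWS credentials allowed to call ec2:DescribeRegions, ec2:DescribeVpcs and ec2:DescribeFlowLogs (plus ec2:CreateFlowLogs for remediation). The pure check is separated from the API calls so it can be run offline against the constructed sample responses below; the VPC and flow log identifiers and the S3 destination ARN are made up.

```python
"""List VPCs with no working VPC-level flow log in every region, and enable one on request."""

# Constructed sample API responses (shaped like boto3 EC2 results) for an offline check.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0default000", "IsDefault": True},    # default VPC, never configured
    {"VpcId": "vpc-0covered000", "IsDefault": False},   # has a healthy VPC-level flow log
    {"VpcId": "vpc-0partial000", "IsDefault": False},   # only one subnet is logged
    {"VpcId": "vpc-0broken0000", "IsDefault": False},   # flow log exists but delivery fails
]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0covered000", "TrafficType": "ALL",
     "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-2", "ResourceId": "subnet-0partial01", "TrafficType": "ALL",
     "DeliverLogsStatus": "SUCCESS"},
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0broken0000", "TrafficType": "ALL",
     "DeliverLogsStatus": "FAILED", "DeliverLogsErrorMessage": "Access error"},
]


def vpcs_without_flow_logs(vpcs, flow_logs):
    """Pure check over describe_vpcs()['Vpcs'] and describe_flow_logs()['FlowLogs'].

    Returns {vpc_id: is_default} for every VPC lacking a VPC-level flow log that
    is actually delivering. Subnet- and ENI-level flow logs are not counted
    because they cover only part of the VPC. A flow log whose DeliverLogsStatus
    is FAILED (typically a bad IAM role or bucket policy) is treated as missing,
    since it produces no records.
    """
    covered = {
        fl["ResourceId"]
        for fl in flow_logs
        if fl["ResourceId"].startswith("vpc-") and fl.get("DeliverLogsStatus") != "FAILED"
    }
    return {v["VpcId"]: bool(v.get("IsDefault")) for v in vpcs if v["VpcId"] not in covered}


def scan_region(region):
    """Live check for one region; boto3 is imported here so the pure check runs without it."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate() for v in page["Vpcs"]]
    flow_logs = [f for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for f in page["FlowLogs"]]
    return vpcs_without_flow_logs(vpcs, flow_logs)


def scan_all_regions():
    import boto3
    # Any region answers DescribeRegions; it lists the regions enabled for the account.
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    return {r["RegionName"]: scan_region(r["RegionName"]) for r in regions}


def enable_flow_log(region, vpc_id, s3_destination_arn):
    """Remediate one VPC: log ALL traffic (accepted and rejected) to S3.

    s3_destination_arn is a hypothetical bucket ARN such as
    arn:aws:s3:::example-flow-logs/vpc/; the bucket policy must allow
    delivery.logs.amazonaws.com to write to it. A CloudWatch Logs destination
    would instead take LogGroupName plus DeliverLogsPermissionArn (an IAM role).
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.create_flow_logs(
        ResourceType="VPC",
        ResourceIds=[vpc_id],
        TrafficType="ALL",
        LogDestinationType="s3",
        LogDestination=s3_destination_arn,
        MaxAggregationInterval=60,  # one-minute aggregation rather than the ten-minute default
    )
    if resp.get("Unsuccessful"):
        raise RuntimeError(f"create_flow_logs failed for {vpc_id}: {resp['Unsuccessful']}")
    return resp["FlowLogIds"]


if __name__ == "__main__":
    for region, missing in scan_all_regions().items():
        for vpc_id, is_default in missing.items():
            print(f"{region} {vpc_id} has no flow log{' (default VPC)' if is_default else ''}")
```

Against the sample responses the check reports the default VPC, the VPC whose only flow log is subnet-scoped, and the VPC whose flow log has failed delivery; only vpc-0covered000 passes. Treating a failed-delivery flow log as missing is the caveat worth keeping: a flow log resource that exists in the console but cannot write to its destination satisfies a naive "is there a flow log" check while producing nothing for an investigator.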

