4.6 Ensure that a log metric filter for the Cloudwatch group assigned to the "VPC Flow Logs" is created

Information

This recommendation builds upon the Foundation benchmark recommendation: "Ensure VPC Flow Logging is Enabled in all Applicable Regions"

VPC FLOW LOGS is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs (the destination this recommendation assumes) or to Amazon S3. A flow log can capture accepted traffic, rejected traffic, or all traffic; a metric filter on rejected traffic only works if the flow log captures REJECT (or ALL) records.

METRIC FILTERS define how CloudWatch Logs extracts metric observations from ingested log events and turns them into data points in a CloudWatch metric. Metric filters are assigned to log groups, and every filter assigned to a log group is applied to all of that group's log streams.

A metric filter should be created that counts rejected traffic in the VPC flow logs. Without it, rejected traffic cannot be quantified, graphed, or alarmed on, so the filter must be assigned to the CloudWatch log group that the "VPC Flow Logs" publish to.
Note that a flow log record is an aggregate of a flow over a capture window, not a single packet: with metricValue=1 the metric counts rejected flow records, and the record's packets field must be used as the metric value to count rejected packets.

Solution

Using the AWS Command Line Interface (AWS CLI):

* Create a metric filter for the CloudWatch log group assigned to the "VPC Flow Logs". The filter pattern must match the space-delimited flow log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and pin the action field to REJECT. A JSON pattern such as { $.errorCode = "AccessDenied" } is written for CloudTrail events and will never match a flow log record, so a filter created with it reports zero forever:

aws logs put-metric-filter --log-group-name <vpc_flow_log_group_name> --filter-name <vpc_flow_log_filter_name> --filter-pattern "[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]" --metric-transformations metricName=<vpc_flow_log_metric_name>,metricNamespace=LogMetrics,metricValue=1

* To count rejected packets rather than rejected flow records, use metricValue=$packets in place of metricValue=1 (the field name must match the one used in the filter pattern).
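The following script is an added example, not part of the CIS benchmark or this audit file. It wraps the put-metric-filter call above in a function, and checks offline what that filter would count by running the same REJECT match over a few constructed flow log records in the default 14-field format. The log group, filter and metric names are placeholders chosen for the example; DRY_RUN=1 prints the AWS CLI command instead of executing it, so nothing here needs AWS credentials.

```shell
#!/usr/bin/env bash
# Added example (not from the CIS benchmark or the Tenable audit file).
# Assumes the default VPC flow log record format, which has 14 space-separated
# fields in this order:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# The metric filter pattern names each field positionally and pins action to REJECT.
VPC_REJECT_PATTERN='[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]'

# Create the metric filter. Arguments: log group, filter name, metric name and,
# optionally, the metric value: 1 counts REJECT records (the benchmark's setting),
# '$packets' sums the packets field of each REJECT record instead.
# With DRY_RUN=1 the command is printed rather than run, for offline inspection.
create_vpc_reject_filter() {
  local log_group="$1" filter_name="$2" metric_name="$3"
  local metric_value="${4:-1}"
  set -- aws logs put-metric-filter \
    --log-group-name "$log_group" \
    --filter-name "$filter_name" \
    --filter-pattern "$VPC_REJECT_PATTERN" \
    --metric-transformations "metricName=${metric_name},metricNamespace=LogMetrics,metricValue=${metric_value}"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Constructed sample records (placeholder account, ENI and addresses; not real
# traffic): one ACCEPT, two REJECTs against SSH and RDP, and one NODATA record.
SAMPLE_FLOW_LOGS='2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.2.34 49152 443 6 12 3450 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51234 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51235 3389 6 5 300 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA'

# Offline equivalent of the filter with metricValue=1: one data point per record
# whose 13th field (action) is REJECT. Reads records on stdin.
count_rejected_records() {
  awk 'NF == 14 && $13 == "REJECT" { n++ } END { print n + 0 }'
}

# Offline equivalent of metricValue=$packets: sum the 9th field (packets) of
# REJECT records. Reads records on stdin.
sum_rejected_packets() {
  awk 'NF == 14 && $13 == "REJECT" { p += $9 } END { print p + 0 }'
}

# Stand-alone demo: what the two metric settings would report for the samples,
# then the CLI call that would create the record-counting filter.
printf 'REJECT records: %s\n' "$(printf '%s\n' "$SAMPLE_FLOW_LOGS" | count_rejected_records)"
printf 'REJECT packets: %s\n' "$(printf '%s\n' "$SAMPLE_FLOW_LOGS" | sum_rejected_packets)"
DRY_RUN=1 create_vpc_reject_filter vpc-flow-logs VPCRejectedFlowsFilter VPCRejectedFlows
```

On the samples this reports two REJECT records and eight rejected packets, which is the difference between metricValue=1 and metricValue=$packets. Against a real account, aws logs test-metric-filter --filter-pattern "$VPC_REJECT_PATTERN" --log-event-messages "<record>" shows which records the pattern matches before the filter is created, and aws logs describe-metric-filters --log-group-name <vpc_flow_log_group_name> confirms the filter and its pattern afterwards.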

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(4)

Plugin: amazon_aws

Control ID: 5bf6ba6994f1591200b9f7be4eb27039532ceb8bdb56fb59dcecbdf4d5e510b6