Ensure flow logs are enabled for AWS Global Accelerator

MEDIUM

Description

AWS Global Accelerator has flow logging disabled, which makes auditing the traffic that passes through the accelerator difficult.

Remediation

In AWS Console -

  1. Create an Amazon S3 bucket for your flow logs in your AWS account.
  2. Add the required IAM policy for the AWS user who is enabling the flow logs.
  3. Run the following AWS CLI command: 'aws globalaccelerator update-accelerator-attributes' with the '--flow-logs-enabled' flag to enable flow logs.

In Terraform -

  1. In the aws_globalaccelerator_accelerator resource, set the flow_logs_enabled field to true.
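The following Terraform configuration is an added example, not part of this policy page or of any vendor's code. It shows both the CLI-step outcome and the Terraform step in one place: an S3 bucket and bucket policy for the log delivery service, and an `aws_globalaccelerator_accelerator` resource whose `attributes` block (where the `flow_logs_enabled` field lives in the AWS provider) turns flow logs on and points them at that bucket. The non-compliant form that this rule flags is shown commented out for comparison. Bucket name, prefix and accelerator name are placeholders; the bucket policy follows the S3 delivery pattern in the AWS flow-logs documentation linked below and assumes the `delivery.logs.amazonaws.com` service principal.

```hcl
# Added example (not from the policy page): Global Accelerator with flow logs
# delivered to an S3 bucket. Names and prefix are placeholders.
provider "aws" {
  region = "us-west-2" # Global Accelerator API is served only from us-west-2
}

data "aws_caller_identity" "current" {}

# Non-compliant (flagged by AC_AWS_0127): attributes block omitted, or
# flow_logs_enabled left at false.
# resource "aws_globalaccelerator_accelerator" "noncompliant" {
#   name = "example-accelerator"
#   attributes {
#     flow_logs_enabled = false
#   }
# }

resource "aws_s3_bucket" "ga_flow_logs" {
  bucket = "example-ga-flow-logs-bucket" # placeholder, must be globally unique
}

# Bucket policy that lets the log delivery service write flow-log objects
# under the chosen prefix and check the bucket ACL (assumed service principal).
resource "aws_s3_bucket_policy" "ga_flow_logs" {
  bucket = aws_s3_bucket.ga_flow_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSLogDeliveryWrite"
        Effect    = "Allow"
        Principal = { Service = "delivery.logs.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.ga_flow_logs.arn}/ga-flow-logs/*"
        Condition = {
          StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
        }
      },
      {
        Sid       = "AWSLogDeliveryAclCheck"
        Effect    = "Allow"
        Principal = { Service = "delivery.logs.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.ga_flow_logs.arn
      }
    ]
  })
}

# Compliant: flow logs enabled and delivered to the bucket above.
resource "aws_globalaccelerator_accelerator" "example" {
  name            = "example-accelerator"
  ip_address_type = "IPV4"
  enabled         = true

  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = aws_s3_bucket.ga_flow_logs.id
    flow_logs_s3_prefix = "ga-flow-logs/"
  }

  # Make sure the bucket policy exists before the accelerator tries to deliver logs.
  depends_on = [aws_s3_bucket_policy.ga_flow_logs]
}
```

After `terraform apply`, the deployed state can be confirmed with `aws globalaccelerator describe-accelerator-attributes --accelerator-arn <arn> --region us-west-2`, which should report `FlowLogsEnabled` as `true` along with the bucket and prefix; the same command is a convenient periodic check that nobody has switched the setting back off outside of Terraform.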

References:
https://docs.aws.amazon.com/global-accelerator/latest/dg/monitoring-global-accelerator.flow-logs.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/globalaccelerator_accelerator#flow_logs_enabled

Policy Details

Rule Reference ID: AC_AWS_0127
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: Global Accelerator

Frameworks