☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • What are VPC Flow Logs?
  • How VPC Flow Logs Work
  • Log Record Structure of VPC Flow Logs
  • Use Cases for VPC Flow Logs in Threat Hunting
  1. Logging Reference

VPCFlow Logs

What are VPC Flow Logs?

VPC Flow Logs are a feature in AWS that captures metadata about the IP traffic flowing to and from network interfaces within a Virtual Private Cloud (VPC). These logs are essential for network traffic analysis, troubleshooting, compliance auditing, and threat detection.

Each flow log entry provides information such as source IP, destination IP, ports, protocols, and whether the traffic was accepted or rejected. For threat hunters, VPC Flow Logs offer insight into potential attacks, data exfiltration, lateral movement, and policy violations.

How VPC Flow Logs Work

  1. Data Collection Scope VPC Flow Logs can be created at three levels:

    • VPC level: Captures all traffic within the VPC.

    • Subnet level: Captures traffic specific to a subnet.

    • Network Interface level: Captures traffic specific to an Elastic Network Interface (ENI).

  2. Log Destination VPC Flow Logs are stored in one of the following:

    • CloudWatch Logs: Use CloudWatch Insights to query logs.

    • S3 Bucket: Query logs with Amazon Athena.

    • Kinesis Data Firehose: Stream logs to external systems like SIEMs.

Log Record Structure of VPC Flow Logs

Each log entry contains several fields that describe the flow of network traffic. Below is the structure of a typical VPC Flow Log entry:

Field

Description

version

Version of the flow log format

account-id

AWS account ID of the owner

interface-id

Network interface through which traffic passed

srcaddr

Source IP address

dstaddr

Destination IP address

srcport

Source port number

dstport

Destination port number

protocol

Protocol number (e.g., 6 for TCP, 17 for UDP)

packets

Number of packets transferred during the flow

bytes

Total bytes transferred

start

Start time of the flow in epoch seconds

end

End time of the flow in epoch seconds

action

ACCEPT or REJECT (indicates if traffic was allowed or denied)

log-status

OK, NODATA, or SKIPDATA (log status)

Use Cases for VPC Flow Logs in Threat Hunting

1. Identifying Suspicious Network Traffic

Look for blocked traffic or inbound traffic from unfamiliar IPs that could indicate a reconnaissance attempt or attack. Example Query: Find blocked traffic from suspicious IP ranges.

SELECT srcAddr, dstAddr, action, bytes, start, end
FROM vpc_flow_logs
WHERE action = 'REJECT'
AND srcAddr LIKE '203.%';

2. Detecting Data Exfiltration Attempts

Monitor outbound traffic to unexpected regions or large volumes of data leaving the network. Example Query: Identify flows with more than 100MB transferred.

SELECT srcAddr, dstAddr, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT'
GROUP BY srcAddr, dstAddr
HAVING total_bytes > 100000000;

3. Tracking Lateral Movement within a VPC

Use VPC Flow Logs to detect unusual internal connections between instances, which could indicate lateral movement by an attacker. Example Query: Identify traffic between EC2 instances within the same VPC.

SELECT srcAddr, dstAddr, protocol, bytes, start, end
FROM vpc_flow_logs
WHERE srcAddr LIKE '10.0.%' AND dstAddr LIKE '10.0.%';

4. Troubleshooting Network Issues

Identify failed connections or blocked attempts to understand misconfigurations or potential denial-of-service (DoS) activity. Example Query: Identify repeated failed connection attempts.

SELECT srcAddr, dstAddr, COUNT(*) AS failed_attempts
FROM vpc_flow_logs
WHERE action = 'REJECT'
GROUP BY srcAddr, dstAddr
HAVING failed_attempts > 10;

Challenges and Best Practices in Using VPC Flow Logs

  1. Handling Large Data Volumes VPC Flow Logs can generate significant volumes of data. Use partitioned tables in Athena or CloudWatch Insights filters to reduce query time and cost.

  2. Monitoring for Silent Traffic Some attacks (e.g., malware) use low-bandwidth traffic to avoid detection. Regularly inspect all traffic types, including low-volume flows.

  3. Correlating Logs across Services Combine VPC Flow Logs with CloudTrail and GuardDuty findings to get a complete picture of network and API activities.

  4. Using Security Groups and NACLs Tune your Security Groups and Network ACLs to minimize unnecessary traffic. Use VPC Flow Logs to audit these rules and detect policy violations.

PreviousAPI ReferencesNextGuardDuty

Last updated 8 months ago