Cloud Incident Response Blog | Cado Security

Decoding Logs in the Cloud: AWS VPC Flow Logs

Written by Calum Hall | Aug 12, 2024 11:00:00 AM

In our "Decoding Logs in the Cloud" series, we aim to demystify the various log types you encounter in cloud environments. In our previous installment, we explored AWS CloudTrail logs. In this post, we'll take a look into AWS VPC Flow Logs, a crucial component for network monitoring and security in your AWS infrastructure.

 

Flow logs in VPC

What are AWS VPC Flow Logs?

AWS VPC (Virtual Private Cloud) Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. These logs are instrumental for:

Network Monitoring: Tracking traffic flow to identify bottlenecks, unusual patterns, or potential security threats.

Security Analysis: Detecting and investigating unauthorized access attempts or data exfiltration.

Compliance: Maintaining records of network traffic for regulatory requirements.

 

Importance of AWS VPC Flow Logs

VPC Flow Logs are invaluable for:

Troubleshooting: Identifying and resolving connectivity issues within your VPC.

Security Forensics: Analyzing traffic to detect malicious activities.

Performance Optimization: Understanding traffic patterns to optimize network performance.

 

Structure of AWS VPC Flow Logs

VPC Flow Logs are stored in a specified format that contains multiple fields. Each log entry represents a network flow and includes the following key fields:

  • version: The version of the flow log format.
  • account-id: The AWS account ID for the flow log.
  • interface-id: The ID of the network interface for which the log is generated.
  • srcaddr: The source IP address of the traffic.
  • dstaddr: The destination IP address of the traffic.
  • srcport: The source port of the traffic.
  • dstport: The destination port of the traffic.
  • protocol: The protocol number of the traffic (e.g., TCP, UDP).
  • packets: The number of packets transferred during the flow.
  • bytes: The number of bytes transferred during the flow.
  • start: The start time of the flow in Unix epoch time.
  • end: The end time of the flow in Unix epoch time.
  • action: The action taken (ACCEPT or REJECT).
  • log-status: The logging status (e.g., OK, NODATA, SKIPDATA).

 

Example of an AWS VPC Flow Log Entry

Here is an example of a VPC Flow Log entry for reference:

2 123456789012 eni-abc123def456 10.0.0.1 10.0.0.2 12345 80 6 10 840 1620382227 1620382287 ACCEPT OK


 

Analyzing AWS VPC Flow Logs

To effectively utilize VPC Flow Logs, you can:

  1. Centralize Logging: Store logs in Amazon S3 or Amazon CloudWatch Logs for centralized access and analysis.
  2. Automate Analysis: Use AWS Lambda functions to automate the analysis and detection of anomalies in your VPC traffic.
  3. Visualize Traffic: Leverage tools like Kibana or Amazon QuickSight to visualize network traffic patterns and gain insights.

 

The Cado Platform

Cado Security empowers security teams to get to the bottom of what happened faster. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.

Collect From Anywhere: whether it's a multi-cloud, container-based, serverless, SaaS, or on-premises set up. Automatically capture hundreds of data sources across cloud-provider logs, disk, memory, and more. No agent required means zero impact to production systems.

Cloud Native: Cado deploys natively within your cloud environment to ensure your unique data privacy requirements are met. You choose: to deploy in AWS, GovCloud, Azure, or GCP in minutes, decreasing time to investigation and eliminating egress costs.

Powerful Analytics: Collected data is enriched using third-party and proprietary threat intelligence. Key incident details such as root cause, compromised roles and assets, and a complete timeline of events are automatically surfaced. 

 

AWS VPC Flow Logs provide a detailed view of network traffic within your VPC, essential for maintaining network security, troubleshooting connectivity issues, and ensuring compliance. By understanding the structure and significance of these logs, you can enhance your cloud infrastructure's visibility and security posture.

In the next blog of this series, we'll explore another type of cloud log and continue our journey into decoding logs in the cloud.