More Info:

Ensure network firewall logging is enabled

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CBP,GDPR,HIPAA,ISO27001,SEBI

Triage and Remediation

Remediation

Using Console

To remediate the issue of Network Firewall Logging not being enabled for AWS EC2 instances, you can follow these steps using the AWS Management Console:
  1. Sign in to the AWS Management Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and sign in using your credentials.
  2. Navigate to the VPC Dashboard: Click on the “Services” dropdown in the top left corner of the console and select “VPC” under the Networking & Content Delivery section.
  3. Select the VPC: In the VPC Dashboard, select the Virtual Private Cloud (VPC) where your EC2 instances are located.
  4. Select the Network ACLs: In the VPC Dashboard, locate the “Network ACLs” option in the left-hand menu and click on it.
  5. Identify the Network ACL: Identify the Network Access Control List (NACL) associated with the subnet where your EC2 instances are located. Note down the NACL ID for future reference.
  6. Edit the Network ACL: Click on the NACL ID to open the details of the Network ACL.
  7. Add a Logging Configuration: In the Network ACL details, locate the “Network ACL entries” section and click on the “Edit” button.
  8. Enable Logging: In the Network ACL entries configuration, find the outbound and inbound rules that you want to enable logging for. Click on each rule and check the box for “Log” to enable logging for that rule.
  9. Save the Changes: After enabling logging for the necessary rules, click on the “Save” button to apply the changes to the Network ACL.
  10. Verify the Configuration: Once the changes are saved, verify that the Network Firewall Logging is enabled for the selected rules by checking the “Log” column in the Network ACL entries.
By following these steps, you can successfully enable Network Firewall Logging for the Network ACL associated with your AWS EC2 instances, helping you monitor and analyze the network traffic effectively.

To remediate the misconfiguration of network firewall logging not being enabled for AWS EC2 instances using AWS CLI, follow these steps:
  1. Enable VPC Flow Logs: VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. Run the following AWS CLI command to enable VPC Flow Logs for your VPC:
aws ec2 create-flow-logs --resource-type VPC --resource-ids <your-vpc-id> --traffic-type ALL --log-group-name <your-log-group-name> --deliver-logs-permission-arn <your-iam-role-arn>
Replace <your-vpc-id> with the ID of your VPC, <your-log-group-name> with the name of the CloudWatch Logs group where the flow logs will be stored, and <your-iam-role-arn> with the ARN of the IAM role that has permission to publish logs to CloudWatch Logs.
  1. Enable Security Group Logging: Security Group Logs provide detailed information about the traffic allowed or denied by security groups associated with your EC2 instances. Run the following AWS CLI command to enable security group logging:
aws ec2 create-flow-logs --resource-type NetworkInterface --resource-ids <your-network-interface-id> --traffic-type ALL --log-group-name <your-log-group-name> --deliver-logs-permission-arn <your-iam-role-arn>
Replace <your-network-interface-id> with the ID of the network interface associated with your EC2 instance.
  1. Verify Configuration: Once you have enabled VPC Flow Logs and Security Group Logs, verify that the logs are being generated and stored in the specified CloudWatch Logs group. You can do this by checking the CloudWatch Logs console or by using the AWS CLI to query the logs.
By following these steps, you can successfully remediate the misconfiguration of network firewall logging not being enabled for AWS EC2 instances using AWS CLI.
To remediate the network firewall logging misconfiguration for AWS EC2 using Python, you can follow these steps:
  1. Import the necessary libraries:
import boto3
  1. Initialize the AWS EC2 client:
ec2 = boto3.client('ec2')
  1. Enable VPC Flow Logs for the desired VPC:
response = ec2.create_flow_logs(
    DeliverLogsPermissionArn='arn:aws:iam::123456789012:role/flow-logs-role',
    ResourceIds=['vpc-12345678'],
    ResourceType='VPC',
    TrafficType='ALL',
    LogDestinationType='cloud-watch-logs',
    LogDestination='arn:aws:logs:us-east-1:123456789012:log-group:flow-logs',
)
Replace the DeliverLogsPermissionArn, ResourceIds, and LogDestination with your specific values.
  1. Verify that the VPC Flow Logs have been enabled successfully:
response = ec2.describe_flow_logs()
for flow_log in response['FlowLogs']:
    print(flow_log)
By following these steps, you can use Python to enable network firewall logging for AWS EC2 instances.