VPC Flow Logs Analysis
In AWS you can monitor traffic flows by looking at the metadata captured in VPC Flow Logs, or, if you need to analyze the complete traffic (full packet capture), you can use Traffic Mirroring.

Some SIEM solutions (such as Splunk and QRadar) are capable of analyzing VPC Flow Logs.

It is possible to send VPC Flow Logs to Amazon CloudWatch, or through Amazon Kinesis Firehose to an Amazon S3 bucket, where they can be queried using Athena.

Notes:

  • Flow logging can be enabled on the whole Amazon VPC, on a subnet or on a single network interface.
  • VPC Flow Logs can be filtered according to your needs.
  • Filter options: All, Rejected or Accepted traffic.
  • It is an agentless data collection method.
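
As an added example (not part of the original page), the following Python parses records in the default VPC Flow Log format (version 2, 14 space-separated fields), applies the same All/Accepted/Rejected filter the notes describe, and summarizes rejected flows per source. The log lines, account id and ENI id are constructed placeholders, not real data.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real traffic); ids are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 10.0.1.20 10.0.1.5 49152 22 6 12 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40002 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.20 10.0.2.9 51000 443 6 30 9000 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000020 1700000080 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per well-formed, data-bearing record.

    Records with log-status NODATA or SKIPDATA carry "-" in the traffic
    fields, so they are dropped rather than parsed as numbers.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue  # header line or a custom (non-default) format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec

def filter_by_action(records, action="ALL"):
    """Mirror the flow-log filter options: ALL, ACCEPT or REJECT."""
    return [r for r in records if action == "ALL" or r["action"] == action]

def bytes_by_pair(records):
    """Total bytes per (source, destination) address pair."""
    totals = Counter()
    for r in records:
        totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return totals

def rejected_port_scanners(records, min_ports=3):
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

The same grouping maps directly onto an Athena query over the S3-delivered logs (GROUP BY srcaddr, COUNT(DISTINCT dstport) WHERE action = 'REJECT').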

Architecture

(Figure: VPC Flow Logs architecture diagram)

Sample VPC Flow Log

(Figure: sample VPC Flow Log records)

Flow Logs visualization example

(Figure: VPC Flow Logs visualization)

For more information on how to build this visualization, see the following AWS blog post: How to Visualize and Refine Your Network’s Security by Adding Security Group IDs to Your VPC Flow Logs

Pricing

https://aws.amazon.com/cloudwatch/pricing/