SYSTEM Cited by 1 source
Amazon VPC Flow Logs¶
Definition¶
Amazon VPC Flow Logs is the Amazon VPC feature that records metadata about IP traffic to and from Elastic Network Interfaces (ENIs); it can be enabled for a whole VPC, a subnet, a single ENI or a Transit Gateway. Each log record captures source/destination IP addresses, ports, the IANA protocol number, the action (ACCEPT or REJECT, as decided by security groups and network ACLs), and packet and byte counts for a flow, aggregated over a capture window. Packet payloads are never captured; Flow Logs answer "who talked to whom, when, how much", not "what was said".
In cyber-resilience designs, VPC Flow Logs is one of the five investigation-timeline sources for reconstructing what happened during a cyber event.
Verbatim from the canonicalising source:
"Query AWS CloudTrail, Amazon VPC Flow Logs, Amazon GuardDuty findings, AWS Security Hub, and workload logs to identify the earliest indicator of the event." (Source: sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events)
Why VPC Flow Logs in cyber-event investigation¶
While CloudTrail captures control-plane activity, VPC Flow Logs captures data-plane network activity. The two together provide complementary visibility:
| Source | Captures | Misses |
|---|---|---|
| CloudTrail | API calls (control plane) | What flowed through the network after API calls |
| VPC Flow Logs | Network flows (data plane) | What configuration changes preceded the flows |
Cyber-event investigation patterns that need VPC Flow Logs:
- Lateral movement — adversary moving between subnets / VPCs after initial compromise; visible as unusual east-west traffic patterns.
- Data exfiltration — large outbound transfers to attacker-controlled destinations; visible as unusual egress byte counts.
- Command-and-control (C2) — periodic outbound connections to known-bad IP addresses; visible as repeated flows to specific destinations at regular intervals.
- Failed connections indicating reconnaissance — adversary scanning for accessible services; visible as REJECT actions on unusual ports, typically many distinct destination ports from one source.
- Tunnel detection — flows to unusual destinations on common ports (SSH on 443, etc.) suggesting protocol tunnelling. Because Flow Logs carry no payload, a port/protocol mismatch is only a lead; confirming what actually ran over the connection needs packet capture (e.g. VPC Traffic Mirroring) or endpoint telemetry.
Log record fields¶
Default-format (version 2) Flow Logs records contain, in this order:
- Version, account-id, interface-id.
- srcaddr, dstaddr, srcport, dstport, protocol.
- packets, bytes.
- start, end (timestamps).
- action (ACCEPT / REJECT).
- log-status.
Custom formats can add fields such as vpc-id, subnet-id, instance-id, tcp-flags, type (IPv4 / IPv6 / EFA), pkt-srcaddr / pkt-dstaddr (the original addresses behind a NAT gateway or load balancer), flow-direction (ingress / egress relative to the ENI), traffic-path, region and az-id. These are what make correlation with CloudTrail events or with a specific instance practical. The format is fixed when the flow log is created; changing it means creating a new flow log, so choose the investigation fields up front.
Storage destinations¶
VPC Flow Logs can deliver to:
- CloudWatch Logs — for real-time alerting / queries via CloudWatch Logs Insights.
- S3 — for long-term retention, batch analysis (e.g. Athena queries), SIEM ingest.
- Amazon Data Firehose — for streaming to third-party analytics.
For cyber-resilience, long-retention S3 storage is typically required because investigations may go back days to months. CloudWatch Logs can retain records for that long, but at a much higher storage cost than S3, and S3 is the natural source for Athena queries and SIEM ingest. A common design uses both: CloudWatch Logs with a short retention period for alerting, S3 (with Object Lock or a separate security account) as the tamper-resistant long-term record.
Sampling and cost¶
VPC Flow Logs can be expensive at scale because they capture every flow, and AWS charges per GB delivered in addition to the destination's storage cost. Common cost-management approaches:
- Traffic-type filtering — a flow log records ALL, ACCEPT-only or REJECT-only traffic. AWS VPC Flow Logs has no native sampling rate (unlike GCP), so this filter is the only built-in way to drop flows.
- Selective enablement — flow logs attach at VPC, subnet or ENI level, so enable them only on VPCs with sensitive workloads (rest of VPCs rely on perimeter monitoring).
- Aggregation interval tuning — the maximum aggregation interval is 60 s or 600 s (the default); the longer interval reduces record count, the shorter one gives a finer-grained timeline.
For cyber-resilience-critical workloads, anything less than ALL traffic is generally not recommended: a REJECT-only log misses the accepted flows that lateral movement and exfiltration produce, and the missing flows might be exactly the ones the investigation needs.
Composition with other investigation sources¶
VPC Flow Logs typically gets correlated with:
- CloudTrail — link a flow to the API call that created the resource that generated it.
- GuardDuty findings — GuardDuty consumes VPC Flow Logs as a detection input through its own internal feed, so it works even when no flow log is configured; but that feed is not delivered to you, so enabling GuardDuty does not replace enabling Flow Logs for investigation. Findings reference the flow (addresses, ports, direction) that triggered them.
- VPC Reachability Analyzer — for reasoning about whether two resources can reach each other under the current network configuration; it does not reconstruct historical reachability, which is where AWS Config's history comes in.
- AWS Config — historical configuration of VPC / security groups at the time of a flow.
Cyber-resilience-specific use: lateral movement detection¶
A characteristic cyber-event pattern: adversary compromises one instance, then moves laterally to other instances in the VPC. This pattern surfaces in Flow Logs as:
- East-west flows between instances that historically don't communicate.
- Flows on management ports (SSH 22, RDP 3389) initiated from unusual sources.
- Repeated flow attempts (REJECTs) on closed ports — reconnaissance.
These patterns are often invisible in CloudTrail (lateral movement typically uses normal application protocols, not API calls) but distinctive in Flow Logs. Two practical caveats: a connection between two instances in the same VPC appears twice, once in each ENI's log, so deduplicate on the address pair; and the default format has no direction field, so the initiating side must be inferred (the responder's srcport is the well-known port, the initiator's is ephemeral) unless the custom format includes flow-direction or tcp-flags.
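The three lateral-movement patterns above, turned into detection logic that runs over Flow Logs records. This is an added example, not code from the page's source or from AWS. It assumes a custom log format that appends tcp-flags and flow-direction to the default fields, a VPC CIDR of 10.0.0.0/16, a hypothetical bastion address as the only approved management source, and a hypothetical baseline of known east-west pairs; the sample records are constructed.

```python
"""Lateral-movement checks over VPC Flow Logs records (added example).

Assumes a custom log format (default fields plus tcp-flags and flow-direction),
a VPC CIDR, an admin allowlist and a baseline of expected east-west pairs. All
of these, and the sample records below, are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order must match the flow log's --log-format; these are real
# VPC Flow Logs field names (flow-direction requires record version 5).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status tcp-flags "
          "flow-direction").split()
INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "tcp-flags")

VPC_CIDR = ip_network("10.0.0.0/16")            # assumed VPC address range
MGMT_PORTS = {22: "ssh", 3389: "rdp"}
PROTO_TCP = 6
ADMIN_SOURCES = {"10.0.0.10"}                   # hypothetical bastion host
BASELINE_PAIRS = {("10.0.0.10", "10.0.2.30"),   # hypothetical known-good
                  ("10.0.1.20", "10.0.2.30")}   # (src, dst) east-west pairs
SCAN_PORT_THRESHOLD = 5                         # distinct REJECTed ports per source

# Constructed records: app server 10.0.1.20 reaches SSH on 10.0.2.30 and RDP on
# 10.0.3.40, then probes 10.0.3.40 on closed ports (REJECT); 10.0.2.30 talks to
# the internet; one ENI reports NODATA, which has '-' in most fields.
SAMPLE = """
5 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.10 10.0.2.30 51234 22 6 20 3000 1700000000 1700000060 ACCEPT OK 19 ingress
5 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.20 10.0.2.30 49211 22 6 25 4100 1700000100 1700000160 ACCEPT OK 19 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49212 3389 6 12 2200 1700000200 1700000260 ACCEPT OK 19 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49300 21 6 1 44 1700000300 1700000360 REJECT OK 2 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49301 23 6 1 44 1700000300 1700000360 REJECT OK 2 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49302 25 6 1 44 1700000300 1700000360 REJECT OK 2 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49303 445 6 1 44 1700000300 1700000360 REJECT OK 2 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49304 1433 6 1 44 1700000300 1700000360 REJECT OK 2 ingress
5 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.20 10.0.3.40 49305 8080 6 1 44 1700000300 1700000360 REJECT OK 2 ingress
5 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.2.30 203.0.113.5 44321 443 6 3000 4500000 1700000400 1700000460 ACCEPT OK 27 egress
5 123456789012 eni-0cccccccccccccccc - - - - - - - 1700000400 1700000460 - NODATA - -
"""


def parse_record(line):
    """Parse one record into a dict. '-' (NODATA / SKIPDATA records) becomes
    None; numeric fields become int. Raises on a field-count mismatch, which
    is the usual symptom of parsing with the wrong --log-format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def load_records(text):
    return [parse_record(l) for l in text.strip().splitlines() if l.strip()]


def in_vpc(addr):
    return addr is not None and ip_address(addr) in VPC_CIDR


def management_port_access(records):
    """Accepted inbound SSH/RDP from any source that is not an approved admin
    host. Only ingress records are used so each connection counts once."""
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT" and r["flow-direction"] == "ingress"
                and r["protocol"] == PROTO_TCP and r["dstport"] in MGMT_PORTS
                and r["srcaddr"] not in ADMIN_SOURCES):
            hits.append((r["srcaddr"], r["dstaddr"], MGMT_PORTS[r["dstport"]]))
    return hits


def reject_scans(records, threshold=SCAN_PORT_THRESHOLD):
    """Sources whose REJECTed flows touch at least `threshold` distinct
    destination ports: the Flow Logs signature of a port scan."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["dstport"] is not None:
            ports_by_src[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports_by_src.items()
            if len(p) >= threshold}


def new_east_west_pairs(records, baseline=BASELINE_PAIRS):
    """Accepted intra-VPC (src, dst) pairs not seen in the baseline. Using a
    set deduplicates the two records each connection leaves (one per ENI)."""
    pairs = set()
    for r in records:
        if r["action"] != "ACCEPT" or r["log-status"] != "OK":
            continue
        pair = (r["srcaddr"], r["dstaddr"])
        if in_vpc(pair[0]) and in_vpc(pair[1]) and pair not in baseline:
            pairs.add(pair)
    return pairs


if __name__ == "__main__":
    recs = load_records(SAMPLE)
    print("management access:", management_port_access(recs))
    print("port scans:", reject_scans(recs))
    print("new east-west pairs:", sorted(new_east_west_pairs(recs)))
```

In practice the same functions run over rows returned by Athena or CloudWatch Logs Insights rather than an inline string; the baseline of expected pairs is the piece that needs real work, typically built from the weeks of Flow Logs before the suspected compromise window.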
Generalisation beyond AWS¶
Equivalent network-flow logging services:
- GCP VPC Flow Logs — equivalent functionality, but sampled by default (the sampling rate is configurable), so the same "capture everything" caveat applies.
- Azure NSG Flow Logs — captures traffic through Network Security Groups; being superseded by virtual network flow logs.
- On-prem — NetFlow / sFlow / IPFIX from network devices (sFlow is inherently sampled).
The structural property: per-flow metadata as the data-plane investigation substrate, complementary to control-plane audit logs.
Seen in¶
- sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — canonical wiki reference; first wiki canonicalisation as a dedicated system page; second source listed for investigation timeline construction; complementary to CloudTrail at the data-plane altitude.
Related¶
- systems/aws-cloudtrail — sibling control-plane investigation source.
- systems/amazon-guardduty — consumes VPC Flow Logs as detection input; sibling investigation source.
- systems/aws-security-hub — aggregates findings from GuardDuty and others.
- concepts/compromise-boundary-recovery-point-selection — the algorithm Flow Logs evidence drives.
- concepts/cyber-resilience — the parent posture.