About
An attacker can disable VPC flow logs to hide their network activity.
Understanding Impact
Business Impact
VPC flow logs provide visibility into network traffic. An attacker disabling VPC flow logs can tamper with evidence, greatly increasing the cost and effort needed for incident response and forensics.
Technical Impact
When VPC flow logs are disabled, metadata about the traffic in your VPC is no longer captured.
Detection
You can identify when VPC flow logs are removed using the CloudTrail event DeleteFlowLogs.
When this event is logged close to DeleteVpc for the same VPC, the activity is likely legitimate as it corresponds to the whole VPC being removed (and not only logs).
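The correlation described above, worked through in code, as an added example that is not part of the original page and not Datadog's or Stratus Red Team's own detection logic. It walks a batch of constructed CloudTrail records, raises a finding for every DeleteFlowLogs call, and downgrades the finding when a DeleteVpc for the same VPC is logged within a short window. The CloudTrail records are simplified (real EC2 records nest requestParameters more deeply, so the field extraction must be adapted), the 15-minute window is an assumed tuning value, and the mapping from flow log ID to VPC ID is assumed to be supplied from an inventory such as DescribeFlowLogs, because DeleteFlowLogs itself only names the flow log IDs, not the VPC.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records for illustration only. Field layout is
# simplified; adapt the extraction to the real nesting of EC2 requestParameters.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"flowLogIds": ["fl-0aaa"]}},          # no VPC teardown
    {"eventTime": "2024-01-10T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/terraform"},
     "requestParameters": {"flowLogIds": ["fl-0bbb"]}},          # followed by DeleteVpc
    {"eventTime": "2024-01-10T11:02:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpc",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/terraform"},
     "requestParameters": {"vpcId": "vpc-0222"}},
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"flowLogIds": ["fl-0ccc"]}},          # flow log not in inventory
    {"eventTime": "2024-01-10T12:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeFlowLogs",                              # read-only noise, ignored
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {}},
]

# Assumption: flow log ID -> VPC ID mapping comes from an inventory
# (e.g. DescribeFlowLogs) captured before the deletion. fl-0ccc is deliberately absent.
FLOW_LOG_TO_VPC = {"fl-0aaa": "vpc-0111", "fl-0bbb": "vpc-0222"}


def _parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_flow_log_deletions(events, flow_log_to_vpc, window=timedelta(minutes=15)):
    """Return one finding per flow log named in a DeleteFlowLogs event.

    A finding is marked likely_vpc_teardown when a DeleteVpc for the same VPC
    is logged within `window` of the deletion; those are downgraded to "info".
    Deletions whose VPC cannot be resolved stay "high": with no VPC to
    correlate on, the benign explanation cannot be confirmed.
    """
    # Index DeleteVpc timestamps by VPC so each deletion is matched in O(1) lookups.
    vpc_deletions = {}
    for ev in events:
        if ev["eventSource"] == "ec2.amazonaws.com" and ev["eventName"] == "DeleteVpc":
            vpc_id = ev["requestParameters"]["vpcId"]
            vpc_deletions.setdefault(vpc_id, []).append(_parse_time(ev["eventTime"]))

    findings = []
    for ev in events:
        if ev["eventSource"] != "ec2.amazonaws.com" or ev["eventName"] != "DeleteFlowLogs":
            continue
        deleted_at = _parse_time(ev["eventTime"])
        for flow_log_id in ev["requestParameters"].get("flowLogIds", []):
            vpc_id = flow_log_to_vpc.get(flow_log_id)
            teardown = vpc_id is not None and any(
                abs(deleted_at - t) <= window for t in vpc_deletions.get(vpc_id, [])
            )
            findings.append({
                "flowLogId": flow_log_id,
                "vpcId": vpc_id,
                "actor": ev["userIdentity"]["arn"],
                "eventTime": ev["eventTime"],
                "likely_vpc_teardown": teardown,
                "severity": "info" if teardown else "high",
            })
    return findings


def suspicious_deletions(findings):
    """Only the findings that were not explained by a VPC teardown."""
    return [f for f in findings if not f["likely_vpc_teardown"]]


if __name__ == "__main__":
    for finding in find_flow_log_deletions(SAMPLE_EVENTS, FLOW_LOG_TO_VPC):
        print(finding["severity"].upper(), finding["flowLogId"], finding["vpcId"],
              finding["actor"], "teardown" if finding["likely_vpc_teardown"] else "standalone")
```

On the sample data, fl-0aaa and fl-0ccc are reported at high severity while fl-0bbb is downgraded because the same role deleted vpc-0222 two and a half minutes later. Whether an unresolved flow log should stay high or be routed to a separate queue is a tuning decision; the code errs on the side of alerting, since an attacker who removes the inventory first would otherwise go unnoticed.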
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.defense-evasion.vpc-remove-flow-logs
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS VPC Flow Log Deleted".
References
Stratus Red Team - Remove VPC Flow Logs (stratus-red-team.cloud)
Working with flow logs (AWS documentation)