An attacker can disable VPC flow logs to hide their network activity.
VPC flow logs provide visibility into the network traffic of a VPC. An attacker who disables VPC flow logs tampers with evidence before it is collected, greatly increasing the cost and effort of incident response and forensics, since the traffic that is not captured cannot be recovered later.
When VPC flow logs are disabled, metadata about the traffic in your VPC is no longer captured.
You can identify when VPC flow logs are removed using the CloudTrail event DeleteFlowLogs (the EC2 API call that deletes one or more flow logs). When this event is logged close to a DeleteVpc event for the same VPC, the activity is likely legitimate, as it corresponds to the whole VPC being removed (and not only its logs). Note that DeleteFlowLogs references flow log IDs rather than a VPC ID, so correlating the two events requires knowing which VPC each flow log was attached to.
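The correlation described above, as an added example that is not part of the original page or of Stratus Red Team: it scans CloudTrail-style records, flags every DeleteFlowLogs event, and suppresses the finding only when a DeleteVpc for the same VPC occurs within a short window. The event records below are constructed and simplified (real CloudTrail records nest the request parameters more deeply), and the mapping from flow log ID to VPC is an assumed input that you would build from an inventory or from earlier CreateFlowLogs events.

```python
"""Added example: detect VPC flow log deletion not explained by a VPC teardown.

Not code from the original page. Sample events and the flow-log-to-VPC
mapping are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed CloudTrail-like records (simplified requestParameters shape).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"flowLogIds": ["fl-0aaa"]}},
    {"eventTime": "2024-01-10T10:00:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpc",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"vpcId": "vpc-0111"}},
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"flowLogIds": ["fl-0bbb"]}},
]

# Assumed input: which VPC each flow log monitored. DeleteFlowLogs only
# carries flow log IDs, so this mapping is what makes correlation possible.
FLOW_LOG_TO_VPC = {"fl-0aaa": "vpc-0111", "fl-0bbb": "vpc-0222"}


def _event_time(event):
    """Parse the CloudTrail eventTime (UTC, second precision)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_flow_log_deletions(events, flow_log_to_vpc,
                                       window=timedelta(minutes=10)):
    """Return one finding per deleted flow log that is not explained by a
    DeleteVpc of the same VPC within `window` (before or after).

    A flow log whose VPC is unknown cannot be proven benign and is flagged.
    """
    vpc_deletions = [
        (_event_time(e), e["requestParameters"]["vpcId"])
        for e in events
        if e["eventSource"] == "ec2.amazonaws.com" and e["eventName"] == "DeleteVpc"
    ]

    findings = []
    for e in events:
        if e["eventSource"] != "ec2.amazonaws.com" or e["eventName"] != "DeleteFlowLogs":
            continue
        when = _event_time(e)
        for flow_log_id in e["requestParameters"].get("flowLogIds", []):
            vpc = flow_log_to_vpc.get(flow_log_id)
            explained = vpc is not None and any(
                v == vpc and abs(when - t) <= window for t, v in vpc_deletions
            )
            if not explained:
                findings.append({
                    "flowLogId": flow_log_id,
                    "vpcId": vpc,  # None when the mapping has no entry
                    "actor": e["userIdentity"]["arn"],
                    "eventTime": e["eventTime"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_flow_log_deletions(SAMPLE_EVENTS, FLOW_LOG_TO_VPC):
        print("suspicious flow log deletion:", finding)
```

With the constructed input, alice's deletion of fl-0aaa is suppressed because vpc-0111 is deleted 30 seconds later, while mallory's deletion of fl-0bbb on a VPC that still exists is reported. Running the function with an empty mapping reports both deletions, which is the safe default when the flow log inventory is incomplete.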
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.defense-evasion.vpc-remove-flow-logs
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS VPC Flow Log Deleted".
Stratus Red Team - Remove VPC Flow Logs
Working with flow logs