Enable VPC Flow Logs Across All Regions in All Accounts

John Byrd
2 min read · Feb 18, 2019

The Center for Internet Security (CIS) is well known for providing hardening and security oriented recommendations.

In the CIS Amazon Web Services Benchmarks, VPC flow logs are identified as a requirement in all regions for Benchmark 4.3.

While there are measures to enable flow logs on newly created VPCs using CloudWatch and Lambda, existing default VPCs are left unaffected. Below I explain my method for deploying scripts across all accounts in our AWS Organization and use it to enable VPC flow logs on all default VPCs.

Use Case

Early governance of VPC flow logs dictated that they be created with CloudWatch Logs as the destination for the flow logs. In late 2018, AWS added S3 as a destination for these logs, which allowed for better consolidation of the logs into a centralized logging account as described by AWS best practices. This script will create new S3-based VPC flow logs and delete existing CloudWatch-based flow logs. This will not delete the logs themselves, just prevent the creation of new logs in that CloudWatch destination.

While SSO through ADFS is our traditional way to authenticate to all accounts, MFA makes automation a little more difficult. With >100 accounts, manually authenticating to each account to run a script wasn’t really an idea I was ready to entertain.

Prerequisites

  1. A role in all accounts that trusts one of the accounts in your Organization and has rights to create VPC flow logs (if all accounts were deployed through the Organizations API, the Organizations master account can be used).
  2. Linux EC2 instance running in the trusted centralized account.
  3. jq JSON processor installed on the EC2 instance.
  4. Instance Profile attached to the instance that allows sts:AssumeRole.
  5. A list of all AWS accounts saved in a text file on the EC2 instance.
  6. S3 Bucket configured for VPC flow logs.

The Script

…but first, please note that this is a very powerful tool that could lead to misconfigurations across all accounts. This is not a tool that I recommend giving to an entry level AWS engineer.

Additionally, this is what I used to get what I needed accomplished. I am not proficient in bash, but found that this was easier to throw together than anything else. Comments and suggestions are always appreciated.

Code can be found here (updated 4/5/19).
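Since the linked script is not reproduced on the page, the following is an added example (not the author's code) of the procedure the post describes: assume the cross-account role from the central instance, and in every enabled region of every listed account create an S3-based flow log for the default VPC before deleting its CloudWatch-based ones. `ROLE_NAME`, `ACCOUNTS_FILE` and `FLOW_LOG_DESTINATION` are assumed names; it uses the AWS CLI's own `--query` output instead of jq.

```shell
# Added example, not the post's script. Per account: assume the cross-account role, then in
# every enabled region give the default VPC an S3 flow log and remove its CloudWatch ones.
set -eu
ROLE_NAME="${ROLE_NAME:-OrganizationAccountAccessRole}"   # assumed role name in every account
ACCOUNTS_FILE="${ACCOUNTS_FILE:-accounts.txt}"              # one account id per line
FLOW_LOG_DESTINATION="${FLOW_LOG_DESTINATION:-arn:aws:s3:::EXAMPLE-central-flow-logs/}"

# Exports temporary credentials for account $1 into the current shell.
assume_into() {
  set -- $(aws sts assume-role --role-arn "arn:aws:iam::$1:role/$ROLE_NAME" --role-session-name \
    flowlog-migration --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  [ $# -eq 3 ] || return 1
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Migrates the default VPC of region $1; prints one status line for the run log.
migrate_default_vpc() {
  region=$1
  vpc=$(aws ec2 describe-vpcs --region "$region" --filters Name=is-default,Values=true \
    --query 'Vpcs[0].VpcId' --output text)
  if [ "$vpc" = "None" ]; then echo "$region no-default-vpc"; return 0; fi
  # Idempotent: skip a VPC that already ships to the central bucket.
  s3_ids=$(aws ec2 describe-flow-logs --region "$region" \
    --filter Name=resource-id,Values="$vpc" Name=log-destination-type,Values=s3 \
    --query "FlowLogs[?LogDestination=='$FLOW_LOG_DESTINATION'].FlowLogId" --output text)
  if [ -n "$s3_ids" ]; then echo "$region $vpc already-migrated"; return 0; fi
  cw_ids=$(aws ec2 describe-flow-logs --region "$region" \
    --filter Name=resource-id,Values="$vpc" Name=log-destination-type,Values=cloud-watch-logs \
    --query 'FlowLogs[].FlowLogId' --output text)
  new_id=$(aws ec2 create-flow-logs --region "$region" --resource-type VPC --resource-ids "$vpc" \
    --traffic-type ALL --log-destination-type s3 --log-destination "$FLOW_LOG_DESTINATION" \
    --query 'FlowLogIds[0]' --output text)
  # Delete the CloudWatch flow logs only after the S3 one exists; the log group keeps its data.
  if [ -n "$cw_ids" ]; then aws ec2 delete-flow-logs --region "$region" --flow-log-ids $cw_ids >/dev/null; fi
  echo "$region $vpc created=$new_id deleted=${cw_ids:-none}"
}

main() {
  while read -r account; do
    [ -n "$account" ] || continue
    # Subshell so assumed credentials never leak into the next assume-role call (instance profile).
    (
      assume_into "$account" || { echo "skipping $account: assume-role failed" >&2; exit 0; }
      for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        migrate_default_vpc "$region"
      done
    ) </dev/null
  done < "$ACCOUNTS_FILE"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh migrate-flow-logs.sh --run` on the central instance; each line of output records what changed in one region, which is the audit trail you want before a rerun.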
