AWS VPC Flow Logs
Location
VPC Flow Logs delivered to CloudWatch Logs, S3, or Kinesis Data Firehose
Description
Network-flow records for Elastic Network Interfaces (ENIs) covering accepted and rejected traffic with source and destination addresses, ports, protocol, packets, bytes, action, and log status.
Forensic Value
VPC Flow Logs are the core AWS network evidence source for confirming connections between instances, containers, NAT gateways, and external infrastructure. They support exfiltration scoping, lateral-movement analysis, and identification of unmanaged assets that contacted attacker infrastructure. Even when packet capture is unavailable, flow logs establish who talked to whom, when, and at what volume.
Tools Required
Collection Commands
AWS CLI
aws ec2 describe-flow-logs --output json > vpc_flow_log_configs.json
AWS CLI
aws logs filter-log-events --log-group-name <vpc-flow-log-group> --start-time 1709251200000 --end-time 1709856000000 > vpc_flow_events.json
AWS CLI
aws s3 cp s3://<log-bucket>/AWSLogs/<account-id>/vpcflowlogs/ ./vpc-flow-logs/ --recursive
Collection Constraints
- VPC Flow Logs provide network metadata only and never include packet payloads or decrypted application content.
- Coverage depends on flow logging being enabled for the relevant VPCs, subnets, or ENIs before the incident window.
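The record fields listed under Description are what an analyst actually works from once the S3 objects or CloudWatch events above have been collected. The following is an added example (not part of this page) that parses default-format version 2 records, skips NODATA/SKIPDATA records that carry no addresses, and answers the two scoping questions named under Forensic Value: which internal hosts sent the most bytes to external destinations, and which external sources were rejected. "Internal" is assumed to mean RFC 1918; the account id, ENI id and traffic in SAMPLE are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
# Assumption: "internal" means RFC 1918; substitute the VPC and peered CIDRs in a real case.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA records (no addresses)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None  # capture gap, not a flow: nothing to aggregate
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec

def external_egress(flows, top=5):
    """Accepted bytes from internal sources to external destinations, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if f["action"] == "ACCEPT" and is_internal(f["srcaddr"]) and not is_internal(f["dstaddr"]):
            totals[(f["srcaddr"], f["dstaddr"], f["dstport"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]

def rejected_inbound(flows):
    """REJECT records from external sources: blocked probes against the ENI."""
    return [f for f in flows if f["action"] == "REJECT" and not is_internal(f["srcaddr"])]

def triage(text):
    """Parse a blob of records; return (top egress pairs, rejected inbound flows)."""
    flows = [r for r in map(parse_record, filter(str.strip, text.splitlines())) if r]
    return external_egress(flows), rejected_inbound(flows)
# Constructed sample records (not real traffic); account id and ENI are placeholders.
SAMPLE = """\
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.50 49152 443 6 1200 9000000 1709300000 1709300060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.50 49153 443 6 800 6000000 1709300060 1709300120 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55000 22 6 3 180 1709300010 1709300020 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49200 5432 6 40 5200 1709300000 1709300060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1709300120 1709300180 - NODATA
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Records collected from S3 are gzip-compressed text with a header line naming the fields, so strip that header (or build FIELDS from it) before feeding the body to triage.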
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.