Compliance

Enable VPC flow logs in every VPC

Security Hub EC2.6 — without flow logs you have no network audit trail. Investigations and threat detection need them.

12 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: EC2.6

VPC flow logs: the basics

What does a flow log actually capture?

VPC flow logs are AWS's network-layer audit trail. Once enabled on a VPC, every packet that crosses an Elastic Network Interface (ENI) inside it produces a log record containing the source and destination IP, source and destination ports, protocol number, action (ACCEPT or REJECT — i.e. whether the Security Group or NACL allowed it), byte and packet counts, and timestamps for the start and end of the flow. They are metadata-only — no payloads — but they're more than enough to reconstruct who talked to whom, when, and whether the firewall stopped them.

The catch is that flow logs are off by default. A new VPC produces zero log records until someone explicitly turns the feature on, and the AWS Console doesn't surface a warning when they're missing. Security Hub control EC2.6 ("VPC flow logging should be enabled in all VPCs") exists for exactly this reason: it sweeps every VPC in every region and fails any that don't have at least one active flow log resource attached.

Without flow logs you have no idea what's happening on your network. The first time you'll wish you had them is during an incident — when GuardDuty fires a finding and the investigation needs to know which other hosts the attacker touched. By then it's too late: AWS does not retroactively reconstruct flows you didn't ask it to capture.

In this lesson you'll learn what a VPC flow log captures, how to pick the right destination (CloudWatch Logs vs S3 vs Kinesis Firehose) for your use case and budget, how to scope the filter and aggregation interval to keep costs sane, and how to bulk-enable flow logs across an account so no VPC ever ships without an audit trail.

Fun fact

GuardDuty is reading flow logs whether you can see them or not

Amazon GuardDuty ingests VPC flow logs implicitly for any account that has GuardDuty enabled — even if you, the customer, haven't turned flow logs on. That's how it spots crypto-miner traffic and command-and-control beacons. The catch: GuardDuty keeps that data internal. When it fires a finding and you want to investigate which other hosts the suspect IP touched, you'll find there are no flow logs to query unless you'd already enabled them yourself. GuardDuty raises the alarm; flow logs are the forensics.

Enabling flow logs in action

Marco joined a fintech six weeks ago as their first dedicated cloud security engineer. The Security Hub dashboard is a sea of red — among other things, EC2.6 is failing on 23 of the company's 31 VPCs across four regions. No flow logs anywhere.

He starts by enumerating which VPCs are unprotected. He doesn't want to enable flow logs on the eight that already have them — that's just duplicated cost.

Then he picks a destination: S3 with Athena for the cheap long-term audit trail, plus a small CloudWatch Logs feed on the production VPC for real-time alerting via Logs Insights.

First, find every VPC in the region that doesn't already have a flow log. Cross-reference describe-vpcs against describe-flow-logs.

$ aws ec2 describe-vpcs --query 'Vpcs[].VpcId' --output text | tr '\t' '\n' | while read v; do n=$(aws ec2 describe-flow-logs --filter Name=resource-id,Values=$v --query 'length(FlowLogs)' --output text); [ "$n" = "0" ] && echo "$v MISSING" || echo "$v ok"; done

vpc-0a1b2c3d4e5f60001 MISSING

vpc-0a1b2c3d4e5f60002 ok

vpc-0a1b2c3d4e5f60003 MISSING

vpc-0a1b2c3d4e5f60004 MISSING

vpc-0a1b2c3d4e5f60005 ok

# Three of five VPCs in this region have no flow log at all.

Inventory of unprotected VPCs in the region.

Now enable a flow log on one of the missing VPCs, shipping to S3 with a 600-second aggregation interval and the ALL filter for full visibility.

$ aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-0a1b2c3d4e5f60001 --traffic-type ALL --log-destination-type s3 --log-destination arn:aws:s3:::acme-flow-logs-eu-west-1/AWSLogs/ --max-aggregation-interval 600

{

"ClientToken": "abc123XYZ==",

"FlowLogIds": [

"fl-0123456789abcdef0"

"Unsuccessful": []

}

# Flow log active within ~10 min. EC2.6 will pass on next Security Hub scan.

VPC flow log live, shipping to S3 for cheap retention and Athena queries.

Flow logs under the hooddeep dive

Flow logs are not packet captures — they're flow records, one per (5-tuple, action, aggregation window). The 5-tuple is (src IP, dst IP, src port, dst port, protocol). The aggregation window is configurable: 60 seconds (the default and the only option for ENI-level logs on older instance types) or 600 seconds. Doubling the window roughly halves the record count and therefore halves the storage and ingest cost, which matters once a busy VPC starts producing tens of millions of records per day.

You pick one of three destinations per flow log. CloudWatch Logs lets you query interactively with Logs Insights and triggers metric filters and alarms in seconds — but it bills at roughly $0.50 per GB ingested plus storage, which on a chatty VPC adds up fast. S3 is the cheap option, around $0.023/GB/month for storage with Athena charged per-query — perfect for the long-term audit trail and ad-hoc investigations. Kinesis Data Firehose is the real-time pipeline option: stream flow logs straight into a SIEM (Splunk, Datadog, Sumo Logic) for correlation with other security telemetry.

The traffic-type filter controls what gets captured. ALL is the default and the safest for forensics — every accepted and rejected flow. REJECT-only is the cheapest baseline and surfaces blocked traffic (useful for spotting attempted intrusions and misconfigured services that can't reach what they need). ACCEPT-only filters down to allowed traffic, which is what you want for egress analysis but blinds you to attacks that were blocked.

# Three destination patterns for the same VPC, picked by use case.

# 1. CloudWatch Logs for real-time alerting via Logs Insights.
aws ec2 create-flow-logs \
  --resource-type VPC --resource-ids vpc-0a1b2c3d4e5f60001 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/flow-logs-role

# 2. S3 for cheap long-term storage + Athena queries.
aws ec2 create-flow-logs \
  --resource-type VPC --resource-ids vpc-0a1b2c3d4e5f60001 \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::acme-flow-logs-eu-west-1/AWSLogs/ \
  --max-aggregation-interval 600

# 3. Kinesis Firehose for SIEM streaming.
aws ec2 create-flow-logs \
  --resource-type VPC --resource-ids vpc-0a1b2c3d4e5f60001 \
  --traffic-type ALL \
  --log-destination-type kinesis-data-firehose \
  --log-destination arn:aws:firehose:eu-west-1:123456789012:deliverystream/flow-logs-to-siem

What is the impact of leaving flow logs disabled?

The first impact is forensic blindness. When an incident happens — a leaked credential, a misconfigured S3 bucket, a compromised instance — the investigation needs to know which IPs the affected resources talked to, when, and how much data moved. Without flow logs, that question has no answer. You can rotate credentials and rebuild instances, but you can't tell the board, a regulator, or a customer what was exfiltrated.

The second impact is regulatory. SOC 2 CC7.2, ISO 27001 A.12.4, PCI DSS Requirement 10, and HIPAA all expect network access to be logged and reviewable. An auditor asking for six months of network-flow evidence is not a question you want to answer with "we didn't have flow logs on." Security Hub's EC2.6 finding becomes audit evidence the moment they walk in.

The third impact is detection. While GuardDuty consumes flow logs implicitly for its own analysis, more sophisticated detection — egress anomaly detection (an instance suddenly talking to a country it never has before), lateral movement detection (an internal IP scanning the VPC), exfiltration detection (an instance pushing gigabytes outbound at 3am) — requires that you have your own copy of the data to query, alert on, and correlate with other signals.

The cost of enabling flow logs is small and predictable: S3 with a 600s aggregation interval and ALL traffic typically runs $50-$200 per month per busy VPC. The cost of needing them and not having them is a public breach disclosure, a six-figure incident-response engagement, and a regulator who is no longer interested in your explanation.

How do you enable flow logs everywhere?

Getting flow logs in place is a four-step loop. Done right, you do it once and never have a Security Hub EC2.6 finding again.

1. Inventory every VPC across every region

Run describe-vpcs in each enabled region and cross-reference describe-flow-logs to find the ones without coverage. Don't forget the default VPCs AWS creates in regions you've never touched — Security Hub will flag those too, and they're easy to miss because nobody's deployed anything into them. Either delete them or enable flow logs.

2. Pick a destination per environment, not per VPC

S3 with a single account-wide bucket (one prefix per VPC) is the cheap default for the long-term audit trail. Add CloudWatch Logs only on production VPCs where you want Logs Insights queries during an incident. Add Kinesis Firehose only if you have a SIEM that's actively correlating flow data — otherwise you'll pay for a pipe nobody reads.

3. Bulk-enable across the account in one script run

Don't fix EC2.6 one VPC at a time through the console — write the script once, run it across every region. The describe-vpcs / create-flow-logs loop with a check for existing flow logs is idempotent, so you can re-run it after any new VPC gets created and it'll only act on the gaps.

4. Prevent recurrence with AWS Config and SCPs

Enable the AWS Config managed rule vpc-flow-logs-enabled to alert within minutes whenever a new VPC ships without a flow log. For organisations using AWS Organizations, attach a Service Control Policy that denies ec2:CreateVpc unless it's accompanied by ec2:CreateFlowLogs — or simply auto-remediate via Config + Systems Manager Automation.

# Bulk-enable VPC flow logs to S3 across every region, skipping VPCs that already have one.
BUCKET_ARN="arn:aws:s3:::acme-flow-logs"

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  for vpc in $(aws ec2 describe-vpcs --region $region --query 'Vpcs[].VpcId' --output text); do
    existing=$(aws ec2 describe-flow-logs --region $region \
      --filter Name=resource-id,Values=$vpc \
      --query 'length(FlowLogs)' --output text)
    if [ "$existing" = "0" ]; then
      echo "[$region] enabling flow log on $vpc"
      aws ec2 create-flow-logs --region $region \
        --resource-type VPC --resource-ids $vpc \
        --traffic-type ALL \
        --log-destination-type s3 \
        --log-destination $BUCKET_ARN/$region/ \
        --max-aggregation-interval 600
    fi
  done
done

Quick quiz

Question 1 of 5

You need a cheap long-term audit trail for forensics and ad-hoc investigations across 30 VPCs. Which destination + filter combination fits best?

Keep learning

Dig deeper into VPC flow logs, network forensics, and the AWS detection stack.

You've completed Enable VPC flow logs in every VPC. You now know what flow logs actually capture, how to pick a destination by use case and budget, how to bulk-enable across an account, and how to prevent gaps from recurring with AWS Config and SCPs. The next time Security Hub fires an EC2.6 finding — or worse, an incident lands and someone asks "who did that instance talk to?" — you'll have the four-step loop and the audit trail ready to run.

Back to the library

VPC flow logs: what they cost and what they buy

A small, predictable logging spend that covers the audit trail regulators and incident responders demand

A VPC is AWS's private network — it's the envelope that contains every compute resource, database, and service a workload runs on. VPC flow logs are the network-level record of what talked to what inside that envelope: source IP, destination IP, ports, protocol, whether the traffic was allowed or blocked, and how much data moved. They do not capture the content of traffic, only the connection metadata. Security Hub control EC2.6 flags every VPC that has no active flow log — meaning no network audit trail at all.

From a cost-ownership perspective, flow logs are an operating cost with a known price structure. Sending logs to S3 with a ten-minute aggregation window runs roughly $50–$200 per month per busy VPC; a quieter environment VPC is considerably less. CloudWatch Logs costs more per GB but enables real-time alerting. The right model is to budget at the environment tier: a cheap S3 destination for all VPCs as the baseline audit trail, CloudWatch Logs added only for production VPCs where real-time incident detection has clear value.

The financial risk of not having flow logs is asymmetric and hard to cap. A breach response without network visibility costs six to seven figures in forensic-consultant time — and may still not answer the regulator's question. PCI DSS, SOC 2, ISO 27001, and HIPAA all require network access logging; a missing flow log on a VPC that touches in-scope data is a direct audit finding. The Security Hub EC2.6 flag is not a discretionary cost; for regulated environments it is a compliance obligation with a known, modest price tag.

This lesson is for the finance partner who owns the cloud logging budget and needs to understand what VPC flow logs actually cost, where that spend goes, and why eliminating them to cut the bill is the wrong trade. It covers the three destination options and their price structures, the aggregation interval that halves storage cost, and how to set an environment-tier policy so the spend is predictable and every VPC in scope for compliance has a documented audit trail. No AWS CLI knowledge required.

Fun fact

GuardDuty is reading flow logs whether you can see them or not

How a finance partner frames the flow logs cost decision

Dana is the finance partner for the same fintech. When the Security Hub report lands showing 23 VPCs with no flow logs, her first question is not 'how much does it cost to turn them on?' It's 'what are these 23 VPCs, and which ones are in scope for our PCI DSS audit next quarter?'

The team quickly categorises the VPCs: seven are production environments that handle card data and are directly in compliance scope; twelve are staging and development; four are legacy test environments nobody remembers creating. Dana agrees the production seven need S3 flow logs immediately — the PCI auditor will ask for six months of network logs and there are only six weeks until the audit. She budgets roughly $800/month for S3 ingestion and storage across the seven, which she frames as a known audit-preparation cost, not a discretionary security ask.

For the twelve staging VPCs she and the engineering lead agree on a lighter baseline: S3 logs enabled to satisfy EC2.6, but no CloudWatch Logs overlay, and the 600-second aggregation interval to keep volume — and cost — down. The four legacy environments are scheduled for deletion; in the meantime they get minimal S3 logs just to clear the finding. Dana's summary for the next finance review: 'Network audit trail now covers 100% of VPCs; production logging costs $800/month, a planned line against compliance readiness.'

The cost of not having flow logs versus the cost of having them

The unit economics of flow logs are straightforward. S3 storage at $0.023/GB/month, plus data ingestion, plus occasional Athena query costs: a typical busy production VPC runs $50–$200/month all-in with a 600-second aggregation interval and ALL traffic. A lighter environment VPC with REJECT-only filtering can run under $20/month. These are predictable, budgetable line items tied to network volume — not open-ended variable costs.

Against that, model the uninsured exposure. A breach investigation without network visibility typically requires a specialist forensic firm at $300–$500/hour for several weeks — often $150,000 to $500,000 in incident-response cost alone, before legal fees, customer notification, and regulatory response. And that's with a cooperative outcome. An audit finding for a missing network log under PCI DSS or HIPAA can trigger remediation mandates, fines, and elevated future scrutiny that dwarf the logging cost.

From a budget governance perspective, the right framing is: flow logs are a compliance infrastructure cost that should be a standing line in the cloud budget, tiered by environment. Production VPCs get full ALL-traffic S3 logging as a baseline; lower environments get the cheaper REJECT-only or a smaller aggregation window. That keeps the spend proportionate while ensuring every VPC in regulatory scope has a defensible audit trail.

The finance sign-off question for any exception — a VPC without flow logs — should be: 'Is this VPC outside all regulatory scope, and do we have written documentation of that decision?' If the answer is anything other than a clean yes, the logging cost is cheaper than the alternative.

How finance drives EC2.6 remediation without running AWS commands

Finance owns the framing that makes flow logs a planned spend rather than an ad-hoc ask. Three levers that actually move the needle.

1. Add flow logs to the environment-tier budget model

Work with engineering to agree a per-environment logging standard: production VPCs get S3 ALL-traffic logging at the full rate; staging and dev get REJECT-only or the 600-second aggregation window. Encode those tier costs as a standing line in the cloud budget so that enabling flow logs on a new VPC is a planned cost, not a surprise variance — and suppressing them on a production VPC requires an explicit budget exception with a documented risk owner.

2. Track EC2.6 failures by compliance scope, not just count

Raw EC2.6 finding counts are misleading — a missing flow log on a legacy test VPC and a missing flow log on a PCI-scoped production VPC are completely different risk events. Ask for the finding list segmented by environment tier and compliance scope. The metric that matters is: zero unlogged VPCs in any scope covered by PCI DSS, SOC 2, HIPAA, or similar. Everything else is a prioritised remediation queue, not a critical finding.

3. Price the logging cost against the incident it prevents

For any pushback on flow log spend, anchor the conversation to the alternative cost: a forensic incident-response engagement without network visibility routinely runs $150,000–$500,000. Against that, $200/month per production VPC is not a cost discussion — it's an insurance discussion. Framing it that way moves the conversation from 'can we defer this?' to 'which VPCs are we choosing not to insure?'

4. Require a documented risk owner for every exception

Any production or compliance-scoped VPC without flow logs should carry a named risk owner and a written justification that is reviewed at the quarterly security-and-cost review, not silently accepted. That converts an ignored finding into an auditable decision — which is what survives a regulator's questions after an incident.

Quick quiz

Question 1 of 5

A PCI DSS audit is six weeks away. Your team has seven production VPCs in scope with no flow logs. What is the right finance-led response?

Keep learning

Dig deeper into VPC flow logs, network forensics, and the AWS detection stack.

You've finished the finance partner view of EC2.6. You know the unit economics — S3 with a 600-second aggregation interval at $50–$200/month per production VPC — why the cost is a standing compliance-infrastructure line rather than a discretionary ask, how to tier it by environment to keep spend proportionate, and why a missing flow log on a compliance-scoped VPC is never a cost-saving decision. Next time this appears on the security review, you'll have the framing to move it from 'engineering backlog' to 'budgeted and closed.'

Back to the library

VPC flow logs: the one question

When something goes wrong, can we say what happened on the network?

Every cloud workload runs inside a virtual network called a VPC. By default, AWS records nothing about who connected to what inside that network. VPC flow logs change that: once enabled, AWS logs every network conversation — what talked to what, when, and whether it was allowed or blocked. Security Hub EC2.6 flags every VPC that is running without this logging.

The executive question this control answers is straightforward: if a breach or data-access incident occurs, can we reconstruct what happened on the network and tell a regulator or auditor who accessed what? Without flow logs the answer is no — and that gap shows up directly in PCI DSS, SOC 2, ISO 27001, and HIPAA audits. The cost is small and predictable; the exposure for not having it is not. A clean EC2.6 posture means every network segment has a logged audit trail by policy, not by luck.

A brief read for the executive who wants the plain-English version of why network logging matters and what the business risk of missing it looks like. You'll get the compliance context, the one-question test for whether this control is passing, and what a healthy posture looks like — every VPC covered, costs tiered by environment, and a standing guardrail so new VPCs can't ship without a log. No technical depth needed.

Fun fact

GuardDuty is reading flow logs whether you can see them or not

What the organisation looks like once EC2.6 is governed

Before the fintech addressed EC2.6, the CISO's honest answer to 'could we reconstruct a network breach?' was 'probably not.' No flow logs meant no audit trail. When the board asked about the upcoming PCI audit, the answer was uncomfortable.

After the remediation, the picture changed. Every production VPC logs all network flows to S3, with six months of retention. The security team can answer a forensic question — 'which other instances did that compromised host communicate with?' — in minutes using Athena. The PCI auditor got the network log evidence they asked for without escalation.

The governance change that made it stick was simple: a Config rule now fires within minutes if any new VPC ships without a flow log. The result is that 'do we have network visibility?' stopped being a question the organisation had to investigate and became a standing yes. That's the right end state — network logging as a default, governed by policy, not as a reaction to a finding or an audit.

Why this belongs on the executive risk register

The core risk from missing flow logs is not operational — it's accountability. When a breach or data-access incident occurs, the first question from a regulator, a board, or a cyber-insurance underwriter is 'what did the attacker access, and how do you know?' Without network flow logs, the honest answer is 'we don't know.' That answer is not acceptable to PCI DSS, SOC 2, ISO 27001, or HIPAA auditors, and it substantially weakens any insurance claim.

The practical consequence is that a breach without network visibility is always worse than a breach with it. The remediation scope becomes 'assume everything was touched' rather than 'here is exactly what was accessed.' The regulatory response is harder to bound. The customer notification obligation is broader. And the forensic bill is much larger.

This is why EC2.6 sits on the leadership risk register rather than the engineering backlog. The decision to enable flow logs is not a technical one — it's a risk-tolerance decision about whether the organisation can answer the accountability question if something goes wrong. A clean EC2.6 posture means the answer is yes, by design.

The leadership stance on EC2.6

The executive move is not to mandate a specific logging destination — it's to require that every VPC in scope for compliance or customer data has a network audit trail, by policy, with no exceptions that aren't signed off.

1. Set the standard: any VPC touching customer or regulated data is logged

Make it policy that network flow logging is a non-negotiable for any VPC that handles customer data, payment data, or data covered by a compliance framework. The technical team picks the destination; the policy sets the floor. That removes the per-VPC debate and means the answer to 'are we logging our regulated networks?' is always yes.

2. Accept that not every VPC needs production-grade logging

Internal development and test VPCs that are isolated from production and out of compliance scope can run with lighter or cheaper logging configurations. The goal is not uniform spend — it's appropriate coverage. A dev VPC with REJECT-only logging on a 600-second interval satisfies EC2.6 and costs almost nothing; requiring the same setup as a PCI-scoped production VPC wastes budget without buying additional protection.

3. Ask for a one-metric summary: what percentage of compliance-scoped VPCs are fully logged?

At the leadership review, the single question is: 'What share of our VPCs in regulatory scope have active network flow logs?' One hundred percent is the only acceptable answer. If it's not one hundred percent, the follow-up is 'who owns the exceptions and what is the remediation date?' That is a two-minute confidence check that requires no technical depth and creates the right accountability.

Quick quiz

Question 1 of 5

Your CISO reports that 100% of compliance-scoped production VPCs now have active flow logs, while development VPCs use a lighter REJECT-only configuration. Three legacy test VPCs with no active workloads remain unfixed. What is the right read?

Keep learning

Dig deeper into VPC flow logs, network forensics, and the AWS detection stack.

That's the lesson. Two takeaways: without flow logs the organisation cannot answer the accountability question after a breach, and for any VPC touching customer or regulated data that gap is not acceptable to auditors or insurers. The leadership standard is simple — every compliance-scoped VPC logged by policy, lighter coverage for lower environments, every exception named and signed off. EC2.6 at green means the answer to 'can we reconstruct what happened on the network?' is yes, by design.

Back to the library

Part of the learning path See what's happening

Enable VPC flow logs in every VPC

VPC flow logs: the basics

GuardDuty is reading flow logs whether you can see them or not

Enabling flow logs in action

Flow logs under the hooddeep dive

What is the impact of leaving flow logs disabled?

How do you enable flow logs everywhere?

1. Inventory every VPC across every region

2. Pick a destination per environment, not per VPC

3. Bulk-enable across the account in one script run

4. Prevent recurrence with AWS Config and SCPs

Quick quiz

Keep learning

VPC flow logs: what they cost and what they buy

GuardDuty is reading flow logs whether you can see them or not

How a finance partner frames the flow logs cost decision

The cost of not having flow logs versus the cost of having them

How finance drives EC2.6 remediation without running AWS commands

1. Add flow logs to the environment-tier budget model

2. Track EC2.6 failures by compliance scope, not just count

3. Price the logging cost against the incident it prevents

4. Require a documented risk owner for every exception

Quick quiz

Keep learning

VPC flow logs: the one question

GuardDuty is reading flow logs whether you can see them or not

What the organisation looks like once EC2.6 is governed

Why this belongs on the executive risk register

The leadership stance on EC2.6

1. Set the standard: any VPC touching customer or regulated data is logged

2. Accept that not every VPC needs production-grade logging

3. Ask for a one-metric summary: what percentage of compliance-scoped VPCs are fully logged?

Quick quiz

Keep learning

Related compliance lessons