Detection rules › Panther
AWS VPC Flow Logs
This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body yaml
AnalysisType: policy
Filename: aws_vpc_flow_logs.py
PolicyID: "AWS.VPC.FlowLogs"
DisplayName: "AWS VPC Flow Logs"
Enabled: true
ResourceTypes:
- AWS.EC2.VPC
Tags:
- AWS
- Security Control
- Defense Evasion:Impair Defenses
Reports:
CIS:
- 2.9
MITRE ATT&CK:
- TA0005:T1562
Severity: Medium
Description: >
This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-vpc-flow-logging-enabled
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
Tests:
- Name: Flow Logging Not Enabled
ExpectedResult: false
Resource:
{
"CidrBlock": "172.31.0.0/16",
"CidrBlockAssociationSet":
[
{
"AssociationId": "vpc-cidr-assoc-112233",
"CidrBlock": "172.0.0.0/16",
"CidrBlockState":
{ "State": "associated", "StatusMessage": null },
},
],
"DhcpOptionsId": "dopt-1122e3344",
"FlowLogs": null,
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": null,
"IsDefault": true,
"NetworkAcls":
[
{
"Associations":
[
{
"NetworkAclAssociationId": "aclassoc-1122abc444",
"NetworkAclId": "acl-123abc",
"SubnetId": "subnet-123abc",
},
{
"NetworkAclAssociationId": "aclassoc-123abc",
"NetworkAclId": "acl-1122abc",
"SubnetId": "subnet-112233aabb",
},
],
"Entries":
[
{
"CidrBlock": "0.0.0.0/0",
"Egress": false,
"IcmpTypeCode": null,
"Ipv6CidrBlock": null,
"PortRange": null,
"Protocol": "-1",
"RuleAction": "deny",
"RuleNumber": 12345,
},
],
"IsDefault": true,
"NetworkAclId": "acl-123aabb",
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-1234321",
},
],
"OwnerId": "112233445566",
"RouteTables":
[
{
"Associations":
[
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-1122aa33",
"RouteTableId": "rtb-1122abc33",
"SubnetId": null,
},
],
"OwnerId": "112233445566",
"PropagatingVgws": null,
"RouteTableId": "rtb-11223344",
"Routes":
[
{
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": null,
"DestinationPrefixListId": null,
"EgressOnlyInternetGatewayId": null,
"GatewayId": "igw-abc123",
"InstanceId": null,
"InstanceOwnerId": null,
"NatGatewayId": null,
"NetworkInterfaceId": null,
"Origin": "CreateRoute",
"State": "active",
"TransitGatewayId": null,
"VpcPeeringConnectionId": null,
},
],
"Tags": null,
"VpcId": "vpc-11223344",
},
],
"SecurityGroups":
[
{
"Description": "default VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-abc123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "1122334455",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges":
[{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-123454321",
},
],
"State": "available",
"Tags": null,
"VpcId": "vpc-1234321",
}
- Name: Flow Logs Enabled For Type ACCEPT
ExpectedResult: false
Resource:
{
"CidrBlock": "172.31.0.0/16",
"CidrBlockAssociationSet":
[
{
"AssociationId": "vpc-cidr-assoc-112233",
"CidrBlock": "172.0.0.0/16",
"CidrBlockState":
{ "State": "associated", "StatusMessage": null },
},
],
"DhcpOptionsId": "dopt-1122e3344",
"FlowLogs":
[
{
"CreationTime": "2019-07-09T17:42:04.677Z",
"DeliverLogsErrorMessage": null,
"DeliverLogsPermissionArn": null,
"DeliverLogsStatus": "SUCCESS",
"FlowLogId": "fl-09798935a87d0dbc6",
"FlowLogStatus": "ACTIVE",
"LogDestination": "arn:aws:s3:::panther-test-vpc-flow-logs",
"LogDestinationType": "s3",
"LogGroupName": null,
"ResourceId": "vpc-094cd5323fa3206f6",
"TrafficType": "ACCEPT",
},
],
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": null,
"IsDefault": true,
"NetworkAcls":
[
{
"Associations":
[
{
"NetworkAclAssociationId": "aclassoc-1122abc444",
"NetworkAclId": "acl-123abc",
"SubnetId": "subnet-123abc",
},
{
"NetworkAclAssociationId": "aclassoc-123abc",
"NetworkAclId": "acl-1122abc",
"SubnetId": "subnet-112233aabb",
},
],
"Entries":
[
{
"CidrBlock": "0.0.0.0/0",
"Egress": false,
"IcmpTypeCode": null,
"Ipv6CidrBlock": null,
"PortRange": null,
"Protocol": "-1",
"RuleAction": "deny",
"RuleNumber": 12345,
},
],
"IsDefault": true,
"NetworkAclId": "acl-123aabb",
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-1234321",
},
],
"OwnerId": "112233445566",
"RouteTables":
[
{
"Associations":
[
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-1122aa33",
"RouteTableId": "rtb-1122abc33",
"SubnetId": null,
},
],
"OwnerId": "112233445566",
"PropagatingVgws": null,
"RouteTableId": "rtb-11223344",
"Routes":
[
{
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": null,
"DestinationPrefixListId": null,
"EgressOnlyInternetGatewayId": null,
"GatewayId": "igw-abc123",
"InstanceId": null,
"InstanceOwnerId": null,
"NatGatewayId": null,
"NetworkInterfaceId": null,
"Origin": "CreateRoute",
"State": "active",
"TransitGatewayId": null,
"VpcPeeringConnectionId": null,
},
],
"Tags": null,
"VpcId": "vpc-11223344",
},
],
"SecurityGroups":
[
{
"Description": "default VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-abc123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "1122334455",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges":
[{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-123454321",
},
],
"State": "available",
"Tags": null,
"VpcId": "vpc-1234321",
}
- Name: Flow Logs Enabled For Type ALL
ExpectedResult: true
Resource:
{
"CidrBlock": "172.31.0.0/16",
"CidrBlockAssociationSet":
[
{
"AssociationId": "vpc-cidr-assoc-112233",
"CidrBlock": "172.0.0.0/16",
"CidrBlockState":
{ "State": "associated", "StatusMessage": null },
},
],
"DhcpOptionsId": "dopt-1122e3344",
"FlowLogs":
[
{
"CreationTime": "2019-07-09T17:42:04.677Z",
"DeliverLogsErrorMessage": null,
"DeliverLogsPermissionArn": null,
"DeliverLogsStatus": "SUCCESS",
"FlowLogId": "fl-09798935a87d0dbc6",
"FlowLogStatus": "ACTIVE",
"LogDestination": "arn:aws:s3:::panther-test-vpc-flow-logs",
"LogDestinationType": "s3",
"LogGroupName": null,
"ResourceId": "vpc-094cd5323fa3206f6",
"TrafficType": "ALL",
},
],
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": null,
"IsDefault": true,
"NetworkAcls":
[
{
"Associations":
[
{
"NetworkAclAssociationId": "aclassoc-1122abc444",
"NetworkAclId": "acl-123abc",
"SubnetId": "subnet-123abc",
},
{
"NetworkAclAssociationId": "aclassoc-123abc",
"NetworkAclId": "acl-1122abc",
"SubnetId": "subnet-112233aabb",
},
],
"Entries":
[
{
"CidrBlock": "0.0.0.0/0",
"Egress": false,
"IcmpTypeCode": null,
"Ipv6CidrBlock": null,
"PortRange": null,
"Protocol": "-1",
"RuleAction": "deny",
"RuleNumber": 12345,
},
],
"IsDefault": true,
"NetworkAclId": "acl-123aabb",
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-1234321",
},
],
"OwnerId": "112233445566",
"RouteTables":
[
{
"Associations":
[
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-1122aa33",
"RouteTableId": "rtb-1122abc33",
"SubnetId": null,
},
],
"OwnerId": "112233445566",
"PropagatingVgws": null,
"RouteTableId": "rtb-11223344",
"Routes":
[
{
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": null,
"DestinationPrefixListId": null,
"EgressOnlyInternetGatewayId": null,
"GatewayId": "igw-abc123",
"InstanceId": null,
"InstanceOwnerId": null,
"NatGatewayId": null,
"NetworkInterfaceId": null,
"Origin": "CreateRoute",
"State": "active",
"TransitGatewayId": null,
"VpcPeeringConnectionId": null,
},
],
"Tags": null,
"VpcId": "vpc-11223344",
},
],
"SecurityGroups":
[
{
"Description": "default VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-abc123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "1122334455",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges":
[{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-123454321",
},
],
"State": "available",
"Tags": null,
"VpcId": "vpc-1234321",
}
- Name: Flow Logs Enabled For Type REJECT
ExpectedResult: true
Resource:
{
"CidrBlock": "172.31.0.0/16",
"CidrBlockAssociationSet":
[
{
"AssociationId": "vpc-cidr-assoc-112233",
"CidrBlock": "172.0.0.0/16",
"CidrBlockState":
{ "State": "associated", "StatusMessage": null },
},
],
"DhcpOptionsId": "dopt-1122e3344",
"FlowLogs":
[
{
"CreationTime": "2019-07-09T17:42:04.677Z",
"DeliverLogsErrorMessage": null,
"DeliverLogsPermissionArn": null,
"DeliverLogsStatus": "SUCCESS",
"FlowLogId": "fl-09798935a87d0dbc6",
"FlowLogStatus": "ACTIVE",
"LogDestination": "arn:aws:s3:::panther-test-vpc-flow-logs",
"LogDestinationType": "s3",
"LogGroupName": null,
"ResourceId": "vpc-094cd5323fa3206f6",
"TrafficType": "REJECT",
},
],
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": null,
"IsDefault": true,
"NetworkAcls":
[
{
"Associations":
[
{
"NetworkAclAssociationId": "aclassoc-1122abc444",
"NetworkAclId": "acl-123abc",
"SubnetId": "subnet-123abc",
},
{
"NetworkAclAssociationId": "aclassoc-123abc",
"NetworkAclId": "acl-1122abc",
"SubnetId": "subnet-112233aabb",
},
],
"Entries":
[
{
"CidrBlock": "0.0.0.0/0",
"Egress": false,
"IcmpTypeCode": null,
"Ipv6CidrBlock": null,
"PortRange": null,
"Protocol": "-1",
"RuleAction": "deny",
"RuleNumber": 12345,
},
],
"IsDefault": true,
"NetworkAclId": "acl-123aabb",
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-1234321",
},
],
"OwnerId": "112233445566",
"RouteTables":
[
{
"Associations":
[
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-1122aa33",
"RouteTableId": "rtb-1122abc33",
"SubnetId": null,
},
],
"OwnerId": "112233445566",
"PropagatingVgws": null,
"RouteTableId": "rtb-11223344",
"Routes":
[
{
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": null,
"DestinationPrefixListId": null,
"EgressOnlyInternetGatewayId": null,
"GatewayId": "igw-abc123",
"InstanceId": null,
"InstanceOwnerId": null,
"NatGatewayId": null,
"NetworkInterfaceId": null,
"Origin": "CreateRoute",
"State": "active",
"TransitGatewayId": null,
"VpcPeeringConnectionId": null,
},
],
"Tags": null,
"VpcId": "vpc-11223344",
},
],
"SecurityGroups":
[
{
"Description": "default VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-abc123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "1122334455",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges":
[{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-123454321",
},
],
"State": "available",
"Tags": null,
"VpcId": "vpc-1234321",
}
- Name: Flow Logs Enabled For Types ACCEPT, ALL
ExpectedResult: true
Resource:
{
"CidrBlock": "172.31.0.0/16",
"CidrBlockAssociationSet":
[
{
"AssociationId": "vpc-cidr-assoc-112233",
"CidrBlock": "172.0.0.0/16",
"CidrBlockState":
{ "State": "associated", "StatusMessage": null },
},
],
"DhcpOptionsId": "dopt-1122e3344",
"FlowLogs":
[
{
"CreationTime": "2019-07-09T17:42:04.677Z",
"DeliverLogsErrorMessage": null,
"DeliverLogsPermissionArn": null,
"DeliverLogsStatus": "SUCCESS",
"FlowLogId": "fl-09798935a87d0dbc6",
"FlowLogStatus": "ACTIVE",
"LogDestination": "arn:aws:s3:::panther-test-vpc-flow-logs",
"LogDestinationType": "s3",
"LogGroupName": null,
"ResourceId": "vpc-094cd5323fa3206f6",
"TrafficType": "ACCEPT",
},
{
"CreationTime": "2019-07-09T17:42:04.677Z",
"DeliverLogsErrorMessage": null,
"DeliverLogsPermissionArn": null,
"DeliverLogsStatus": "SUCCESS",
"FlowLogId": "fl-09798935a87d0dbc6",
"FlowLogStatus": "ACTIVE",
"LogDestination": "arn:aws:s3:::panther-test-vpc-flow-logs",
"LogDestinationType": "s3",
"LogGroupName": null,
"ResourceId": "vpc-094cd5323fa3206f6",
"TrafficType": "ALL",
},
],
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": null,
"IsDefault": true,
"NetworkAcls":
[
{
"Associations":
[
{
"NetworkAclAssociationId": "aclassoc-1122abc444",
"NetworkAclId": "acl-123abc",
"SubnetId": "subnet-123abc",
},
{
"NetworkAclAssociationId": "aclassoc-123abc",
"NetworkAclId": "acl-1122abc",
"SubnetId": "subnet-112233aabb",
},
],
"Entries":
[
{
"CidrBlock": "0.0.0.0/0",
"Egress": false,
"IcmpTypeCode": null,
"Ipv6CidrBlock": null,
"PortRange": null,
"Protocol": "-1",
"RuleAction": "deny",
"RuleNumber": 12345,
},
],
"IsDefault": true,
"NetworkAclId": "acl-123aabb",
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-1234321",
},
],
"OwnerId": "112233445566",
"RouteTables":
[
{
"Associations":
[
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-1122aa33",
"RouteTableId": "rtb-1122abc33",
"SubnetId": null,
},
],
"OwnerId": "112233445566",
"PropagatingVgws": null,
"RouteTableId": "rtb-11223344",
"Routes":
[
{
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": null,
"DestinationPrefixListId": null,
"EgressOnlyInternetGatewayId": null,
"GatewayId": "igw-abc123",
"InstanceId": null,
"InstanceOwnerId": null,
"NatGatewayId": null,
"NetworkInterfaceId": null,
"Origin": "CreateRoute",
"State": "active",
"TransitGatewayId": null,
"VpcPeeringConnectionId": null,
},
],
"Tags": null,
"VpcId": "vpc-11223344",
},
],
"SecurityGroups":
[
{
"Description": "default VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-abc123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "1122334455",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges":
[{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-123454321",
},
],
"State": "available",
"Tags": null,
"VpcId": "vpc-1234321",
}
- Name: Flow Logs Inactive For Type ALL
ExpectedResult: false
Resource:
{
"CidrBlock": "172.31.0.0/16",
"CidrBlockAssociationSet":
[
{
"AssociationId": "vpc-cidr-assoc-112233",
"CidrBlock": "172.0.0.0/16",
"CidrBlockState":
{ "State": "associated", "StatusMessage": null },
},
],
"DhcpOptionsId": "dopt-1122e3344",
"FlowLogs":
[
{
"CreationTime": "2019-07-09T17:42:04.677Z",
"DeliverLogsErrorMessage": null,
"DeliverLogsPermissionArn": null,
"DeliverLogsStatus": "SUCCESS",
"FlowLogId": "fl-09798935a87d0dbc6",
"FlowLogStatus": "INACTIVE",
"LogDestination": "arn:aws:s3:::panther-test-vpc-flow-logs",
"LogDestinationType": "s3",
"LogGroupName": null,
"ResourceId": "vpc-094cd5323fa3206f6",
"TrafficType": "ACCEPT",
},
],
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": null,
"IsDefault": true,
"NetworkAcls":
[
{
"Associations":
[
{
"NetworkAclAssociationId": "aclassoc-1122abc444",
"NetworkAclId": "acl-123abc",
"SubnetId": "subnet-123abc",
},
{
"NetworkAclAssociationId": "aclassoc-123abc",
"NetworkAclId": "acl-1122abc",
"SubnetId": "subnet-112233aabb",
},
],
"Entries":
[
{
"CidrBlock": "0.0.0.0/0",
"Egress": false,
"IcmpTypeCode": null,
"Ipv6CidrBlock": null,
"PortRange": null,
"Protocol": "-1",
"RuleAction": "deny",
"RuleNumber": 12345,
},
],
"IsDefault": true,
"NetworkAclId": "acl-123aabb",
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-1234321",
},
],
"OwnerId": "112233445566",
"RouteTables":
[
{
"Associations":
[
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-1122aa33",
"RouteTableId": "rtb-1122abc33",
"SubnetId": null,
},
],
"OwnerId": "112233445566",
"PropagatingVgws": null,
"RouteTableId": "rtb-11223344",
"Routes":
[
{
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": null,
"DestinationPrefixListId": null,
"EgressOnlyInternetGatewayId": null,
"GatewayId": "igw-abc123",
"InstanceId": null,
"InstanceOwnerId": null,
"NatGatewayId": null,
"NetworkInterfaceId": null,
"Origin": "CreateRoute",
"State": "active",
"TransitGatewayId": null,
"VpcPeeringConnectionId": null,
},
],
"Tags": null,
"VpcId": "vpc-11223344",
},
],
"SecurityGroups":
[
{
"Description": "default VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-abc123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "1122334455",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges":
[{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "112233445566",
"Tags": null,
"VpcId": "vpc-123454321",
},
],
"State": "available",
"Tags": null,
"VpcId": "vpc-1234321",
}
Detection logic
Condition
not (FlowLogs is_not_null and FlowLogs array_any)
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
FlowLogs | array_any | |
FlowLogs | is_not_null |