--- title: VPC Flow Logs disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > VPC Flow Logs disabled --- # VPC Flow Logs disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `f83121ea-03da-434f-9277-9cd247ab3047` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) ### Description{% #description %} Enabling VPC Flow Logs ensures that all network traffic within a Virtual Private Cloud (VPC) is captured and monitored for security and compliance purposes. Without the `vpc_id` attribute set for each `aws_flow_log` resource, as shown below, critical visibility into network traffic can be lost, making it difficult to detect suspicious activity or troubleshoot networking issues. To ensure accountability and monitoring, every VPC resource should have an associated flow log defined as follows: ``` resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" } resource "aws_flow_log" "main" { iam_role_arn = aws_iam_role.example.arn log_destination = aws_cloudwatch_log_group.example.arn traffic_type = "ALL" vpc_id = aws_vpc.main.id } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" name = "my-vpc" cidr = "10.0.0.0/16" azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] enable_nat_gateway = true enable_vpn_gateway = true enable_flow_log = true tags = { Terraform = "true" Environment = "dev" } } ``` ```terraform resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" } resource "aws_flow_log" "example" { iam_role_arn = aws_iam_role.example.arn log_destination = aws_cloudwatch_log_group.example.arn traffic_type = "ALL" vpc_id = aws_vpc.example.id } resource "aws_flow_log" "example2" { iam_role_arn = aws_iam_role.example.arn log_destination = aws_cloudwatch_log_group.example.arn traffic_type = "ALL" vpc_id = aws_vpc.main.id } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" } resource "aws_flow_log" "example" { iam_role_arn = aws_iam_role.example.arn log_destination = aws_cloudwatch_log_group.example.arn traffic_type = "ALL" vpc_id = aws_vpc.example.id } resource "aws_flow_log" "example2" { iam_role_arn = aws_iam_role.example.arn log_destination = aws_cloudwatch_log_group.example.arn traffic_type = "ALL" vpc_id = aws_vpc.example2.id } ``` ```terraform module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" name = "my-vpc" cidr = "10.0.0.0/16" azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] enable_nat_gateway = true enable_vpn_gateway = true enable_flow_log = false tags = { Terraform = "true" Environment = "dev" } } ``` ```terraform module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" name = "my-vpc" cidr = "10.0.0.0/16" azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] enable_nat_gateway = true enable_vpn_gateway = true tags = { Terraform = "true" Environment = "dev" } } ```