Review required and recommended configuration settings for using Cloud Detections for AWS VPC Flow Logs.
Before enabling Cloud Detections for AWS VPC Flow Logs and deploying the stack template,
review the following recommendations and requirements for the feature:
- Cloud Detections for AWS VPC Flow Logs supports complete detection capabilities for VPC Flow Logs version 5 or later. For the most comprehensive threat detection coverage, use a custom format and add the following fields to your flow log records:
  - interface-id
  - srcaddr
  - dstaddr
  - srcport
  - dstport
  - action
  - instance-id
  - tcp-flags
  - pkt-dstaddr
  - pkt-srcaddr
  - flow-direction
  For more information on the available flow log fields, see https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html. For more information on creating a flow log with a custom format, see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3-create-flow-log.html.
- You must use a destination S3 bucket in the same region as the VPC flow log source. For example, if the VPC flow log source is in us-east-2, the S3 bucket must also be located in us-east-2.
- This feature only supports server-side encryption with Amazon S3 managed keys (SSE-S3). This feature does not support any other encryption method, so a destination bucket that uses SSE-KMS is not supported.
- Trend Micro recommends using a 10-minute aggregation interval (the maximum AWS allows; the only other option is 1 minute) to help reduce Lambda invocations and lower the cost impact of the feature.
- Trend Micro recommends using text format rather than Parquet for your VPC flow logs to reduce Lambda execution time and lower the cost impact of the feature.
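As an added example that is not part of this page or of Trend Micro's or AWS's own code, the following Python ties the recommendations above together: it builds the boto3 `ec2.create_flow_log` keyword arguments for a custom-format flow log (recommended fields, 600-second aggregation, plain-text files delivered to S3), then parses a few constructed text-format records in that format, confirms the recommended fields are all present, and runs a small check that the action, tcp-flags and flow-direction fields make possible. The field order in `CUSTOM_FORMAT_FIELDS`, the sample records, and the `rejected_ingress_syn_by_source` check are illustrative assumptions; the same-region and SSE-S3 requirements cannot be read from a bucket ARN and are not checked here.

```python
"""Added example (not Trend Micro's or AWS's code): flow log configuration
following the page's recommendations, plus a parser for text-format records
in that custom format. Sample records below are constructed."""
from typing import Dict, List

# Fields the page recommends adding to a custom flow log format.
RECOMMENDED_FIELDS = [
    "interface-id", "srcaddr", "dstaddr", "srcport", "dstport", "action",
    "instance-id", "tcp-flags", "pkt-dstaddr", "pkt-srcaddr", "flow-direction",
]

# Assumed custom format: the default (version 2) fields followed by the
# recommended extras. The order is a choice, not something the page mandates.
CUSTOM_FORMAT_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action",
    "log-status", "instance-id", "tcp-flags", "pkt-srcaddr", "pkt-dstaddr",
    "flow-direction",
]


def log_format_string(fields: List[str]) -> str:
    """Render the LogFormat value AWS expects: space-separated ${field} tokens."""
    return " ".join(f"${{{f}}}" for f in fields)


def fields_of(fmt: str) -> List[str]:
    """Recover field names from a '${a} ${b} ...' format string."""
    return [t[2:-1] for t in fmt.split() if t.startswith("${") and t.endswith("}")]


def missing_recommended(fmt: str) -> List[str]:
    """Recommended fields absent from a format string; empty means full coverage."""
    present = set(fields_of(fmt))
    return [f for f in RECOMMENDED_FIELDS if f not in present]


def create_flow_log_params(vpc_id: str, bucket_arn: str) -> Dict:
    """Keyword arguments for boto3 ec2.create_flow_log per the recommendations:
    S3 destination, custom format, 10-minute aggregation, plain-text files.
    The bucket must be in the VPC's region and use SSE-S3; neither is visible
    in the ARN, so that is not validated here."""
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": "ALL",
        "LogDestinationType": "s3",
        "LogDestination": bucket_arn,
        "LogFormat": log_format_string(CUSTOM_FORMAT_FIELDS),
        "MaxAggregationInterval": 600,  # AWS accepts only 60 or 600 seconds
        "DestinationOptions": {"FileFormat": "plain-text",
                               "HiveCompatiblePartitions": False,
                               "PerHourPartition": False},
    }


def parse_record(line: str, fmt: str) -> Dict[str, str]:
    """Map one text-format record onto the format's field names. AWS writes '-'
    for a field it could not populate; it is kept as '-' so columns never shift."""
    names, values = fields_of(fmt), line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} columns, got {len(values)}")
    return dict(zip(names, values))


def parse_log(text: str, fmt: str) -> List[Dict[str, str]]:
    """Parse one delivered text object: skip the header line naming the fields
    and drop NODATA/SKIPDATA rows, which carry no flow information."""
    records = []
    for i, line in enumerate(text.splitlines()):
        if i == 0 and line.split() == fields_of(fmt):
            continue
        rec = parse_record(line, fmt)
        if rec.get("log-status") in ("NODATA", "SKIPDATA"):
            continue
        records.append(rec)
    return records


SYN = 2  # SYN bit of tcp-flags; flags are OR-ed across the interval, so test the bit


def rejected_ingress_syn_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count REJECTed inbound TCP connection attempts per source address (assumed
    check for illustration); non-TCP rows carry '-' in tcp-flags and are skipped."""
    counts: Dict[str, int] = {}
    for r in records:
        if (r["action"] == "REJECT" and r["flow-direction"] == "ingress"
                and r["tcp-flags"].isdigit() and int(r["tcp-flags"]) & SYN):
            counts[r["srcaddr"]] = counts.get(r["srcaddr"], 0) + 1
    return counts


# Constructed sample object: header line first, as S3 delivery writes it.
SAMPLE_LOG = "\n".join([
    " ".join(CUSTOM_FORMAT_FIELDS),
    "5 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49152 22 6 1 60 "
    "1700000000 1700000009 REJECT OK i-0123456789abcdef0 2 10.0.1.10 10.0.2.20 ingress",
    "5 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 203.0.113.5 443 51234 6 12 5400 "
    "1700000000 1700000009 ACCEPT OK i-0123456789abcdef0 19 10.0.2.20 203.0.113.5 egress",
    "5 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000009 - NODATA - - - - -",
])

if __name__ == "__main__":
    fmt = log_format_string(CUSTOM_FORMAT_FIELDS)
    print("missing recommended fields:", missing_recommended(fmt))
    print("rejected ingress SYN by source:",
          rejected_ingress_syn_by_source(parse_log(SAMPLE_LOG, fmt)))
```

Run `missing_recommended` against the `LogFormat` of an existing flow log (from `describe_flow_logs`) to see which recommended fields a deployment is still missing; an empty list means the record layout matches the recommendation. A flow log's format cannot be changed after creation, so a log missing fields has to be recreated with the new format.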
