Low | EC2 | Regional

AWS Client VPN endpoints should have connection logging enabled

NIST 800-53 | PCI DSS v4.2.1 | PCI DSS v10.2.1 | ISO 27001 | HIPAA

Description

This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint does not have client connection logging enabled. Client VPN endpoints allow remote clients to connect securely to resources in a Virtual Private Cloud (VPC) in AWS. Connection logs let you track user activity on the VPN endpoint and provide visibility into VPN connections. When you enable connection logging, you can specify the name of a log stream in the log group; if you don't specify a log stream, the Client VPN service creates one for you.

Remediation

Enable connection logging for your AWS Client VPN endpoint to track user activity and provide visibility into VPN connections.

Steps

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose 'Client VPN Endpoints'.
  3. Select the Client VPN endpoint you want to modify.
  4. Choose 'Actions' and then 'Modify client VPN endpoint'.
  5. In the 'Connection logging' section, select 'Enable connection logging'.
  6. Choose a CloudWatch Logs log group for the connection logs.
  7. Choose 'Modify client VPN endpoint'.
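The console steps above can also be expressed against the EC2 API. The following is an added example, not part of this control's text: it applies the pass/fail rule to the `ConnectionLogOptions` field of a `describe_client_vpn_endpoints()` response and builds the parameters for `modify_client_vpn_endpoint()`. The endpoint records and the log group name are constructed sample data.

```python
"""Check the Client VPN connection-logging control and build its remediation.

SAMPLE_ENDPOINTS is constructed data shaped like the EC2 API output; in a real
run it comes from boto3.client("ec2").describe_client_vpn_endpoints()["ClientVpnEndpoints"].
"""

SAMPLE_ENDPOINTS = [
    {   # compliant: logging enabled with a log group and an explicit stream
        "ClientVpnEndpointId": "cvpn-endpoint-0a1b2c3d4e5f60001",
        "ConnectionLogOptions": {
            "Enabled": True,
            "CloudwatchLogGroup": "/aws/clientvpn/sample",
            "CloudwatchLogStream": "sample-connections",
        },
    },
    {   # non-compliant: logging explicitly disabled
        "ClientVpnEndpointId": "cvpn-endpoint-0a1b2c3d4e5f60002",
        "ConnectionLogOptions": {"Enabled": False},
    },
    {   # non-compliant: ConnectionLogOptions absent from the record
        "ClientVpnEndpointId": "cvpn-endpoint-0a1b2c3d4e5f60003",
    },
]


def evaluate_connection_logging(endpoints):
    """Return {endpoint_id: "PASS" | "FAIL"}; an endpoint passes only when
    ConnectionLogOptions.Enabled is true. A missing block counts as disabled."""
    results = {}
    for ep in endpoints:
        opts = ep.get("ConnectionLogOptions") or {}
        enabled = bool(opts.get("Enabled", False))
        results[ep["ClientVpnEndpointId"]] = "PASS" if enabled else "FAIL"
    return results


def failing_endpoints(endpoints):
    """IDs of endpoints the control would flag, in input order."""
    return [eid for eid, v in evaluate_connection_logging(endpoints).items() if v == "FAIL"]


def remediation_params(endpoint_id, log_group, log_stream=None):
    """Build kwargs for ec2.modify_client_vpn_endpoint(**params).
    The log stream is optional: if omitted, Client VPN creates one."""
    options = {"Enabled": True, "CloudwatchLogGroup": log_group}
    if log_stream:
        options["CloudwatchLogStream"] = log_stream
    return {"ClientVpnEndpointId": endpoint_id, "ConnectionLogOptions": options}
```

Feeding `remediation_params(...)` to `modify_client_vpn_endpoint` is the API equivalent of steps 4 to 7; re-running `evaluate_connection_logging` afterwards confirms the endpoint now passes.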

Compliance

NIST 800-53 | PCI DSS v4.2.1 | PCI DSS v10.2.1 | ISO 27001 | HIPAA