Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets users provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Users have complete control over their virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables and network gateways. Users can use both IPv4 and IPv6 in their VPC for secure and easy access to resources and applications.

Amazon configuration

  1. Select an existing S3 Bucket or create a new one.

  2. Go to Services > Compute > EC2:

  3. Go to Network & Security > Network Interfaces on the left menu. Select a network interface and select Create a flow log on the Actions menu:

  4. Set the destination to an S3 bucket, as shown in the following screenshot, and paste the ARN of the bucket selected in step 1 (flow logs can also be enabled per VPC or subnet rather than per interface; the steps are the same):

Wazuh configuration

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following block:

    <wodle name="aws-s3">
      <bucket type="vpcflow">
        <name>YOUR_BUCKET_NAME</name>  <!-- placeholder: the bucket from step 1 of the Amazon configuration -->
      </bucket>
    </wodle>

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart Wazuh in order to apply the changes:

    • If you're configuring a Wazuh manager:

      1. For Systemd:

      # systemctl restart wazuh-manager

      2. For SysV Init:

      # service wazuh-manager restart

    • If you're configuring a Wazuh agent:

      1. For Systemd:

      # systemctl restart wazuh-agent

      2. For SysV Init:

      # service wazuh-agent restart

Use cases

Using an Amazon VPC (Virtual Private Cloud), users can logically isolate some of their AWS assets from the rest of their cloud infrastructure; in effect they set up their own networks in the cloud. A change to a VPC (a new VPC, subnet, route or gateway) therefore changes who can reach what, which is why it is important to monitor these changes.

Create a VPC

If a VPC is created, the following alert will be shown on Kibana:

If a user without proper permissions attempts to create a VPC, the following alert will be shown on Kibana:

Working with VPC Data

A VPC flow log alert contains data such as the source and destination IP addresses, the source and destination ports, the protocol, whether the flow was accepted or rejected, and how many bytes were sent:

These alerts can be easily analyzed using visualizations like the following one:

On that visualization users can look for peaks in their network traffic. Once they find a peak, they can filter the alerts generated at that time and check which IPs were communicating. Since the IP address is a field used in many AWS alerts, they will probably find other related alerts and be able to work out what happened.
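The same peak-then-pivot analysis can be done on the raw flow log records before they reach Kibana. The following script is an added example for this page, not Wazuh project code: it parses the default version-2 VPC flow log record format that AWS documents (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status), sums bytes into one-minute windows, finds the busiest window and lists the endpoint pairs active in it. The sample log lines are constructed, not captured from a real VPC, and they include a NODATA row to show the case that breaks naive parsers.

```python
"""Find traffic peaks in AWS VPC flow logs and the endpoints behind them.

Added example for this page; not Wazuh project code. Parses the default
version-2 flow log record format documented by AWS. SAMPLE_LOG below is
constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default v2 record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    start: int      # epoch seconds, start of the aggregation interval
    end: int
    action: str     # ACCEPT or REJECT


def parse_record(line: str):
    """Parse one record. Returns None for NODATA/SKIPDATA rows, which carry
    '-' in the address and counter fields and would otherwise break int()."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))
    if raw["version"] != "2":
        raise ValueError(f"unsupported flow log version {raw['version']}")
    if raw["log_status"] != "OK":
        return None
    return FlowRecord(
        srcaddr=raw["srcaddr"], dstaddr=raw["dstaddr"],
        srcport=int(raw["srcport"]), dstport=int(raw["dstport"]),
        protocol=int(raw["protocol"]), packets=int(raw["packets"]),
        nbytes=int(raw["bytes"]), start=int(raw["start"]), end=int(raw["end"]),
        action=raw["action"],
    )


def load_records(text: str):
    """Parse a whole log body, skipping blank lines and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def bytes_per_window(records, window=60):
    """Sum bytes into fixed windows keyed by each window's start time."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec.start - rec.start % window] += rec.nbytes
    return dict(totals)


def peak_window(records, window=60):
    """Return (window_start, bytes) of the busiest window."""
    totals = bytes_per_window(records, window)
    return max(totals.items(), key=lambda kv: kv[1])


def top_talkers(records, window_start, window=60, limit=5):
    """Endpoint pairs active in one window as (src, dst, dstport, bytes),
    busiest first. Rejected flows are included: a burst of REJECTs is itself
    something to look at."""
    totals = defaultdict(int)
    for rec in records:
        if rec.start - rec.start % window == window_start:
            totals[(rec.srcaddr, rec.dstaddr, rec.dstport)] += rec.nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, dst, port, n) for (src, dst, port), n in ranked[:limit]]


# Constructed sample: four one-minute windows, the third carrying a large
# outbound transfer, plus a NODATA row that must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.20 49152 443 6 10 1200 1704067200 1704067259 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.2.20 10.0.1.10 443 49152 6 8 900 1704067200 1704067259 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.10 51000 22 6 4 240 1704067260 1704067319 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 198.51.100.7 52000 443 6 4000 5200000 1704067320 1704067379 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.20 49153 443 6 6 700 1704067320 1704067379 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1704067380 1704067439 - NODATA
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    start, total = peak_window(recs)
    print(f"peak window starts at {start} with {total} bytes")
    for src, dst, port, n in top_talkers(recs, start):
        print(f"  {src} -> {dst}:{port}  {n} bytes")
```

Run against the files the module pulls from the S3 bucket (they are gzip-compressed; decompress first) and the top talker in the peak window is the pair to pivot on in the other AWS alerts. The window size is a parameter because flow log aggregation intervals are 1 or 10 minutes depending on how the flow log was created; a window smaller than the interval just reports the interval start.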


If, while configuring the permissions policy, the module reports that it lacks permissions, add the following statement to the "Statement" array of the policy document. Reading flow logs requires ec2:DescribeFlowLogs in addition to S3 access, and since the EC2 Describe actions do not support resource-level permissions, "Resource" has to be "*".

Navigate to Services > VPC > Policies > Policy file.

    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:DescribeFlowLogs",
      "Resource": "*"
    }

To check that the policy is in effect, run aws ec2 describe-flow-logs with the same credentials the module uses; an AccessDenied error means the statement was not attached to the right user or role.