This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled.
Risk
Client VPN endpoints allow remote clients to securely connect to resources in a Virtual Private Cloud (VPC) in AWS. Connection logs let you track user activity on the VPN endpoint and provide visibility into who connected, when, and from where.
Run this check with Prowler CLI
prowler aws --checks ec2_client_vpn_endpoint_connection_logging_enabled
ARN template
arn:partition:service:region:account-id:resource-id
Remediation
https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-51
To enable connection logging, see Enable connection logging for an existing Client VPN endpoint in the AWS Client VPN Administrator Guide.
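The following is an added example, not Prowler's own check code or AWS code: it reproduces the condition this check evaluates (ConnectionLogOptions.Enabled on each endpoint returned by the EC2 DescribeClientVpnEndpoints API) over a constructed sample response, and builds the parameters for the real boto3 call, ec2.modify_client_vpn_endpoint(), that the remediation guide describes. The endpoint ids and log group names are made up; treating an endpoint with no ConnectionLogOptions key as "not logging" is an assumption of this example.

```python
"""Evaluate AWS Client VPN endpoints for client connection logging.

Added example: mirrors the condition the ec2_client_vpn_endpoint_connection_logging_enabled
check evaluates. It is not Prowler's source code.
"""
from typing import Any

# Constructed sample in the shape of ec2.describe_client_vpn_endpoints()["ClientVpnEndpoints"].
# Endpoint ids and log group/stream names are made up for illustration.
SAMPLE_ENDPOINTS: list[dict[str, Any]] = [
    {
        "ClientVpnEndpointId": "cvpn-endpoint-0example1",
        "ConnectionLogOptions": {
            "Enabled": True,
            "CloudwatchLogGroup": "/aws/clientvpn/example",
            "CloudwatchLogStream": "connections",
        },
    },
    {
        "ClientVpnEndpointId": "cvpn-endpoint-0example2",
        "ConnectionLogOptions": {"Enabled": False},
    },
    {
        # No ConnectionLogOptions at all: this example treats that as not logging (assumption).
        "ClientVpnEndpointId": "cvpn-endpoint-0example3",
    },
]


def connection_logging_enabled(endpoint: dict[str, Any]) -> bool:
    """True only when ConnectionLogOptions.Enabled is literally true."""
    options = endpoint.get("ConnectionLogOptions") or {}
    return options.get("Enabled") is True


def evaluate(endpoints: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one PASS/FAIL finding per endpoint, using Prowler's status vocabulary."""
    findings: list[dict[str, str]] = []
    for ep in endpoints:
        ep_id = ep.get("ClientVpnEndpointId", "<unknown>")
        if connection_logging_enabled(ep):
            status = "PASS"
            detail = f"Client VPN endpoint {ep_id} has client connection logging enabled."
        else:
            status = "FAIL"
            detail = f"Client VPN endpoint {ep_id} does not have client connection logging enabled."
        findings.append({"resource_id": ep_id, "status": status, "status_extended": detail})
    return findings


def remediation_params(ep_id: str, log_group: str, log_stream: str) -> dict[str, Any]:
    """Keyword arguments for boto3's ec2.modify_client_vpn_endpoint() that turn logging on.

    The CloudWatch Logs group and stream must already exist before the call is made.
    """
    return {
        "ClientVpnEndpointId": ep_id,
        "ConnectionLogOptions": {
            "Enabled": True,
            "CloudwatchLogGroup": log_group,
            "CloudwatchLogStream": log_stream,
        },
    }


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ENDPOINTS):
        print(finding["status"], finding["status_extended"])
    # Against a live account, a failing endpoint would be fixed with (not executed here):
    #   import boto3
    #   boto3.client("ec2").modify_client_vpn_endpoint(
    #       **remediation_params("cvpn-endpoint-0example2", "/aws/clientvpn/example", "connections"))
```

Running the block prints one PASS line and two FAIL lines for the sample data. Against a real account, replace SAMPLE_ENDPOINTS with the ClientVpnEndpoints list from boto3's describe_client_vpn_endpoints(), paginating over NextToken if the account has many endpoints.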
Resource Type
AwsEc2ClientVpnEndpoint