AWS Client VPN endpoints are evaluated for client connection logging that records client connect/disconnect events to CloudWatch Logs. The evaluation detects endpoints where this logging is disabled.
Risk
Without Client VPN connection logs, remote access lacks an audit trail, reducing detection and accountability.
- Stolen credentials can be used unnoticed
- Lateral movement and data exfiltration persist undetected
Impacts confidentiality and integrity; delayed investigation can degrade availability.
Run this check with Prowler CLI
prowler aws --checks ec2_client_vpn_endpoint_connection_logging_enabled
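The evaluation the check performs, as an added example that re-implements it in Python over a constructed `describe-client-vpn-endpoints` response; it is not Prowler's own code, and the helper names and sample endpoint IDs are assumptions. A missing ConnectionLogOptions block is treated as logging disabled, and the last helper builds the equivalent of the CLI remediation.

```python
from typing import Any, Dict, List

# Constructed sample of what `aws ec2 describe-client-vpn-endpoints` returns:
# one endpoint with logging enabled, one disabled, one with no options block.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "ClientVpnEndpoints": [
        {"ClientVpnEndpointId": "cvpn-endpoint-aaaa1111",
         "ConnectionLogOptions": {"Enabled": True,
                                  "CloudwatchLogGroup": "/vpn/client-vpn"}},
        {"ClientVpnEndpointId": "cvpn-endpoint-bbbb2222",
         "ConnectionLogOptions": {"Enabled": False}},
        {"ClientVpnEndpointId": "cvpn-endpoint-cccc3333"},  # options absent
    ]
}


def evaluate_endpoint(endpoint: Dict[str, Any]) -> Dict[str, str]:
    """Return a PASS/FAIL finding for one endpoint (assumed finding shape)."""
    opts = endpoint.get("ConnectionLogOptions") or {}
    enabled = bool(opts.get("Enabled", False))  # absent block -> disabled
    endpoint_id = endpoint["ClientVpnEndpointId"]
    if enabled:
        detail = (f"Client VPN endpoint {endpoint_id} logs connections to "
                  f"log group {opts.get('CloudwatchLogGroup', '')}.")
    else:
        detail = (f"Client VPN endpoint {endpoint_id} does not have "
                  "connection logging enabled.")
    return {"resource_id": endpoint_id,
            "status": "PASS" if enabled else "FAIL",
            "status_extended": detail}


def evaluate_response(response: Dict[str, Any]) -> List[Dict[str, str]]:
    """Evaluate every endpoint in a describe-client-vpn-endpoints response."""
    return [evaluate_endpoint(e) for e in response.get("ClientVpnEndpoints", [])]


def remediation_params(endpoint_id: str, log_group: str) -> Dict[str, Any]:
    """Keyword arguments for boto3 ec2.modify_client_vpn_endpoint that mirror
    the CLI remediation: Enabled=true plus the target CloudWatch log group."""
    return {"ClientVpnEndpointId": endpoint_id,
            "ConnectionLogOptions": {"Enabled": True,
                                     "CloudwatchLogGroup": log_group}}


if __name__ == "__main__":
    for finding in evaluate_response(SAMPLE_RESPONSE):
        print(finding["status"], finding["status_extended"])
```

Against a live account, feed the output of `boto3.client("ec2").describe_client_vpn_endpoints()` to `evaluate_response` and pass each FAIL result through `remediation_params` into `modify_client_vpn_endpoint`.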
Recommendation
Enable client connection logging on all Client VPN endpoints and send events to a centralized log group.
- Enforce least privilege on log access
- Define retention and immutability
- Integrate with monitoring/alerts
- Separate VPN operations from log administration
- Review anomalous login patterns
Remediation
CLI
aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id <CLIENT_VPN_ENDPOINT_ID> --connection-log-options Enabled=true,CloudwatchLogGroup=<CLOUDWATCH_LOG_GROUP_NAME>
Native IaC
Terraform
Other
- Open the Amazon VPC console and go to Client VPN Endpoints
- Select the endpoint and choose Actions > Modify client VPN endpoint
- Under Connection logging, check Enable
- For CloudWatch log group, select an existing log group
- Click Save changes
Source Code
Resource Type
AwsEc2ClientVpnEndpoint