EC2 Client VPN endpoints should have client connection logging enabled

Client VPN connection logs record who connected, when, from where, and how long sessions lasted. Without them, you have no visibility into unauthorized access attempts, compromised credentials used from unexpected locations, or sessions that stay open far longer than expected.

Connection logging also drives incident response. When a credential leak occurs, you need to know which VPN sessions used the affected certificate or identity provider token. That question is unanswerable without logs.

Retrofit consideration

Enabling connection logging on an existing Client VPN endpoint does not disrupt active sessions. Before applying, confirm the target CloudWatch Logs log group exists and that the VPN service principal has permission to write to it.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_ec2_client_vpn_endpoint.

# Constructed example: the log group is declared first, with an explicit retention,
# so the endpoint can reference it by name. Name and retention are placeholders.
resource "aws_cloudwatch_log_group" "client_vpn" {
  name              = "/aws/clientvpn/example"
  retention_in_days = 90
}

resource "aws_ec2_client_vpn_endpoint" "this" {
  authentication_options {
    root_certificate_chain_arn = "arn:aws:acm:us-east-1:123456789012:certificate/root"
    type                       = "certificate-authentication"
  }
  client_cidr_block      = "10.0.0.0/16"
  server_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/example"

  # Connection logging is what this control checks; a log group is required
  # whenever enabled = true.
  connection_log_options {
    enabled              = true
    cloudwatch_log_group = aws_cloudwatch_log_group.client_vpn.name
  }
}

What this control checks

In the aws_ec2_client_vpn_endpoint resource, the connection_log_options block must have enabled = true. When enabled, cloudwatch_log_group must point to a valid aws_cloudwatch_log_group resource name. Optionally, cloudwatch_log_stream narrows output to a specific stream. The control fails if enabled is false or if the connection_log_options block is absent. Declare the log group as a separate aws_cloudwatch_log_group resource with a retention_in_days value and create it before the VPN endpoint.
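As an added illustration (not part of this page or of any tool listed under Tool mappings), a small Python check that applies the rule above to `terraform show -json` plan output. The embedded sample plan is constructed, trimmed to the fields the check reads, and the retention cross-check goes a step beyond the control by flagging the unbounded-retention pitfall described under Common pitfalls.

```python
import json

def _ep(name, **log_opts):
    """Build one constructed endpoint entry; no kwargs means the block is absent."""
    return {"address": f"aws_ec2_client_vpn_endpoint.{name}",
            "type": "aws_ec2_client_vpn_endpoint",
            "values": {"connection_log_options": [log_opts] if log_opts else []}}

# Constructed sample plan (shape of `terraform show -json plan.out`), not real output.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    _ep("logged", enabled=True, cloudwatch_log_group="/aws/clientvpn/prod"),
    _ep("no_retention", enabled=True, cloudwatch_log_group="/aws/clientvpn/dev"),
    _ep("no_group", enabled=True),
    _ep("block_absent"),
    {"address": "aws_cloudwatch_log_group.prod", "type": "aws_cloudwatch_log_group",
     "values": {"name": "/aws/clientvpn/prod", "retention_in_days": 90}},
    {"address": "aws_cloudwatch_log_group.dev", "type": "aws_cloudwatch_log_group",
     "values": {"name": "/aws/clientvpn/dev", "retention_in_days": None}},
]}}})

def _walk(module):
    """Yield resources from a module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def evaluate(plan_json):
    """Map each endpoint address to 'PASS', 'WARN: ...' or 'FAIL: ...'."""
    resources = list(_walk(json.loads(plan_json)["planned_values"]["root_module"]))
    # Retention of every log group declared in the same plan, keyed by name.
    retention = {r["values"].get("name"): r["values"].get("retention_in_days")
                 for r in resources if r["type"] == "aws_cloudwatch_log_group"}
    results = {}
    for res in resources:
        if res["type"] != "aws_ec2_client_vpn_endpoint":
            continue
        # Terraform serialises nested blocks as lists; an absent block is [].
        opts = (res["values"].get("connection_log_options") or [{}])[0]
        group = opts.get("cloudwatch_log_group")
        if not opts.get("enabled"):
            results[res["address"]] = "FAIL: logging disabled or block absent"
        elif not group:
            results[res["address"]] = "FAIL: enabled without cloudwatch_log_group"
        elif group in retention and not retention[group]:
            results[res["address"]] = "WARN: log group has no retention_in_days"
        else:
            results[res["address"]] = "PASS"
    return results
```

Feed it the JSON from `terraform show -json plan.out` to run the same evaluation before apply; a log group created outside the plan is simply not cross-checked for retention.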

Common pitfalls

  • Missing CloudWatch log group causes apply-time failure

    If cloudwatch_log_group references a log group name that doesn't exist, the AWS API returns an error at apply time. Always create the aws_cloudwatch_log_group resource first and reference its name attribute. If you're using a string literal instead, add depends_on to enforce ordering.

  • Log group without retention accumulates costs indefinitely

    A CloudWatch Logs log group created without retention_in_days defaults to "Never Expire." VPN connection logs grow continuously. Set an explicit retention period on the aws_cloudwatch_log_group resource to keep storage costs predictable.

  • Inline connection_log_options block omitted on import

    When you terraform import an existing endpoint and hand-write the config, the connection_log_options block is easy to miss. Running terraform plan will then show a diff that silently disables logging if enabled defaults to false. Always verify the block is present after import.

  • KMS-encrypted log group requires additional permissions

    If the target log group uses a customer-managed KMS key, the Client VPN service principal needs kms:GenerateDataKey and kms:Decrypt in the key policy. Without them, log delivery silently fails even though the endpoint configuration looks correct.

Audit evidence

Auditors expect the Config rule evaluation to show all AWS::EC2::ClientVpnEndpoint resources as COMPLIANT. Supporting evidence includes the Client VPN endpoint details page in the Console showing "Client Connect Logging" as enabled with a named log group. CloudWatch Logs should contain actual connection event records, confirming the pipeline is functional, not just configured.

For deeper assurance, CloudTrail events for CreateClientVpnEndpoint or ModifyClientVpnEndpoint should show ConnectionLogOptions.Enabled set to true. Retention policies on the target log group should match the organization's log retention requirements.

Framework-specific interpretation

PCI DSS v4.0: Requirements 10.2.1 and 10.2.2 specifically call for logging individual user access and all authentication events on systems in or connected to the cardholder data environment. Client VPN connection logs record exactly that: who connected, from which IP, when, and whether authentication succeeded. For remote access paths into CDE-adjacent infrastructure, this is what Requirement 10 examiners ask to see.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: ec2_client_vpn_endpoint_client_connection_logging_enabled

  • AWS Config Managed Rule: EC2_CLIENT_VPN_CONNECTION_LOG_ENABLED

  • Powerpipe Control: aws_compliance.control.ec2_client_vpn_endpoint_client_connection_logging_enabled

  • Prowler Check: ec2_client_vpn_endpoint_connection_logging_enabled

  • AWS Security Hub Control: EC2.51

Last reviewed: 2026-03-09