EC2 Client VPN endpoints should have client connection logging enabled¶
This rule ensures that EC2 client VPN endpoints have client connection logging enabled. The rule is non-compliant if client connection logging is not enabled.
How to fix¶
Attribute connection_log_options[0].enabled of aws_ec2_client_vpn_endpoint must be true.
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_ec2_client_vpn_endpoint.
resource "aws_ec2_client_vpn_endpoint" "this" {
authentication_options {
root_certificate_chain_arn = "arn:aws:acm:us-east-1:123456789012:certificate/root"
type = "certificate-authentication"
}
client_cidr_block = "10.0.0.0/16"
server_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/example"
connection_log_options {
enabled = true
}
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
ec2_client_vpn_endpoint_client_connection_logging_enabledAWS Config Managed Rule:
EC2_CLIENT_VPN_CONNECTION_LOG_ENABLEDPowerpipe Control:
aws_compliance.control.ec2_client_vpn_endpoint_client_connection_logging_enabled