The Invisible Network

VPC Flow Logs were not enabled. The network was invisible.

medium

45 min

An alert has been raised: an instance appears to be communicating with an unknown external IP. You need to answer three basic questions:

  • Where is the traffic going?
  • How much data was transferred?
  • When did it start, and what ports are being used?

You go looking for flow logs. There are none. No network telemetry exists for this VPC. Every connection that has ever been made, legitimate or malicious, has left zero trace at the network layer.

This is not an edge case. Many teams deploy workloads into VPCs without enabling VPC Flow Logs, either because they forget, assume another tool covers it, or want to avoid the cost. The result is a critical visibility gap that makes investigation impossible and turns detection into a guessing game. Long-dwell intrusions such as the Marriott/Starwood breach, which went undetected for roughly four years, are exactly what this kind of blind spot permits.

Learning Objectives

  • Understand what VPC Flow Logs capture and their limitations
  • Identify when Flow Logs are missing from a VPC
  • Enable Flow Logs with an appropriate IAM role and log destination
  • Query Flow Log data using CloudWatch Logs Insights
  • Build reusable security queries for monitoring and investigation
  • Design a network visibility baseline for new deployments

Let the invisible be seen.