July 17, 2026
AWS Networking for IR — VPCs, Flow Logs, and the Load Balancer Blind Spot
Network forensics in AWS is not like network forensics on-premise. There’s no physical switch to mirror traffic from. But AWS gives you…

By Dean
4 min read
Network forensics in AWS is not like network forensics on-premise. There's no physical switch to mirror traffic from. But AWS gives you powerful tools — VPC flow logs, load balancer logs, DNS resolver logs — that tell you a huge amount about what was happening on the network.
VPC — Virtual Private Cloud
A VPC is a logical network boundary inside AWS — like a network switch. Everything inside can communicate at Layer 3, nothing gets in or out without explicit routing and firewall rules. Inside a VPC: Subnets (public or private), EC2 instances, Network Security Groups, Internet Gateways, Load Balancers, WAFs.
- Public subnet = has default route to internet gateway.
- Private subnet = no route to internet.
Key investigative question: was the compromised system in a public subnet, or did the attacker pivot into a private subnet? That pivot is your lateral movement evidence in VPC flow logs.
💡 IR Tip: Check whether the compromised EC2 instance has a public IP attached. If so, check security group rules — what ports are open to 0.0.0.0/0 (the world)? This tells you the initial attack surface.
CIDR block and whether each VPC has flow logs enabled (Very Important for monitoring)
Load Balancers — The Investigation Blind Spot
▸ ALB terminates connection, creates new one → source IP is ALB, not attacker | Enable X-Forwarded-For header
- NLB (Network Load Balancer) — Layer 4, preserves original source IP
- Classic Load Balancer — Layer 4+7, proxies connection, masks source IP
- ALB (Application Load Balancer) — Layer 7 HTTP/HTTPS, also proxies, masks source IP
If your compromised system sits behind an ALB or Classic LB, EC2 and VPC flow logs only show the load balancer's private IP — not the attacker's real IP. You MUST check load balancer access logs (not enabled by default) for the real source IP.
💡 IR Tip: Always check if an ALB or Classic LB is in the path. If yes, load balancer access logs are mandatory evidence — they're the only place that records the original external IP address.
For IR or any security Team, Make sure these are enabled
Reading VPC Flow Log Fields
▸ version srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
Example entry (modified): srcaddr=178.62.90.41 (attacker), dstaddr=10.0.1.45 (internal EC2), dstport=443, protocol=6 (TCP), bytes=7820, action=ACCEPT. Key fields: srcaddr (who connected), dstaddr (what they hit), dstport (service), bytes (data volume), action (ACCEPT=allowed, REJECT=blocked).
💡 IR Tip: Flow logs record sessions every 10 minutes by default. For bulk data transfers, sum bytes across all entries for that source-destination pair. The protocol + source + destination combination is your grouping key.
Flow logs can be delivered to S3 ($0.023/GB) or CloudWatch Logs ($0.05/GB). Enable them at VPC level for broadest coverage. You can turn them on mid-incident with no downtime — AWS collects them out-of-band at the hypervisor level.
You can create flow logs here, Sorry I don´t have one to show
Route 53 — DNS Logging in AWS
Route 53 offers two logging capabilities:
(1) DNS Zone Query Logging — logs all DNS queries against your hosted zones.
(2) Route 53 Resolver Query Logging — logs every outbound DNS query from any instance within a VPC. The second is the most powerful for IR.
Resolver query logs are invaluable for: identifying C2 domain communications from compromised instances, tracking DNS-based exfiltration, and reconstructing what domains an implant communicated with. Even if the EC2 instance has been terminated, DNS logs persist.
💡 IR Tip: If the compromised EC2 was already terminated and there are no endpoint logs, Route 53 resolver query logs may be one of your only remaining evidence sources. Always check if they were enabled.
⚡ Update (2024): Route 53 resolver query logs now include the query response (IP addresses returned) and query type. You can now see not just what domains were queried but what IPs they resolved to — useful for correlating DNS events with VPC flow logs.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What's Next
Article 6 covers S3 buckets — the central storage layer for almost everything in AWS, frequent target of attack, and cornerstone of your log collection strategy.
— — — — — — — — — — — — — — — — — — — — — Dean — — — — — — — — — — — — — —