TCP flags in AWS VPC Flow Logs provide valuable information about the state and direction of TCP connections. These flags are binary indicators represented as a decimal value in flow logs.
TCP flags are control bits in the TCP header that indicate specific conditions during data transmission.
In VPC Flow Logs, these flags are bit masks, meaning they can be combined to create unique numbers. These combinations happen when multiple requests occur within the "aggregation interval" of the flow logs.
The decimal value is the sum of the values of all TCP flags set on the flow, with each flag occupying its own binary position, so every combination yields a unique number.
Below are some examples:
Decimal Value: 1
Decimal Value: 2
Decimal Value: 4
Decimal Value: 18
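The decoding described above, as an added example that is not part of the original article: it splits the decimal `tcp-flags` value into flag names using the standard TCP header bit values, including values combined within one aggregation interval, and lists sources whose rejected flows carry only a SYN. The space-separated field order, the sample records, the `syn_only_sources` helper and its threshold are assumptions made for illustration.

```python
# Added example: decode the tcp-flags bitmask found in VPC Flow Log records.
# Standard TCP header flag bit values.
TCP_FLAGS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}

# Assumed custom log format; tcp-flags is not part of the default format.
FIELDS = ["srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "tcp-flags", "action"]

# Constructed sample records (documentation and private address ranges).
SAMPLE = [
    "198.51.100.7 10.0.1.5 40001 22 6 2 REJECT",
    "198.51.100.7 10.0.1.5 40002 23 6 2 REJECT",
    "198.51.100.7 10.0.1.5 40003 3389 6 2 REJECT",
    "10.0.2.9 10.0.1.5 51514 443 6 3 ACCEPT",    # SYN and FIN in one interval
    "10.0.1.5 10.0.2.9 443 51514 6 19 ACCEPT",   # SYN-ACK and FIN in one interval
    "10.0.2.9 10.0.1.8 0 0 1 - ACCEPT",          # non-TCP record, no flags
]

def decode_flags(value):
    """Return the names of every flag set in the decimal bitmask."""
    return [name for bit, name in TCP_FLAGS.items() if value & bit]

def parse_record(line):
    """Parse one record; return None for non-TCP or flag-less records."""
    rec = dict(zip(FIELDS, line.split()))
    # "-" marks a field that was not recorded; protocol 6 is TCP.
    if rec.get("protocol") != "6" or not rec.get("tcp-flags", "-").isdigit():
        return None
    rec["flags"] = decode_flags(int(rec["tcp-flags"]))
    return rec

def syn_only_sources(lines, threshold=3):
    """Map each source to its count of distinct rejected SYN-only targets.

    A SYN-only record is not proof of scanning: a long-lived connection can
    show SYN in one interval and FIN in a later one. Treat hits as leads.
    """
    targets = {}
    for line in lines:
        rec = parse_record(line)
        if rec and rec["flags"] == ["SYN"] and rec["action"] == "REJECT":
            key = (rec["dstaddr"], rec["dstport"])
            targets.setdefault(rec["srcaddr"], set()).add(key)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_record(line)
        print(line, "->", rec["flags"] if rec else "no TCP flags")
    print("Review candidates:", syn_only_sources(SAMPLE))
```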
The following table presents the most commonly observed TCP flag combinations in VPC Flow Logs.
While there are other possible flag combinations, these patterns represent the typical connection lifecycle events you'll encounter when analyzing your network traffic.
By analyzing TCP flags in VPC Flow Logs, you gain deep visibility into network behaviors—established connections, resets, and potential reconnaissance.
CloudFence ingests these logs into an AI-driven analytics engine that dynamically baselines every workload and surfaces anomalies within minutes, empowering your security team to spot suspicious deviations instantly. Its centralized Security Group dashboard then flags stale or over-permissive “all ports” rules and delivers precise, port-level recommendations to enforce strict least-privilege across your cloud environment.