Blog
Understanding TCP Flags in AWS VPC Flow Logs

Understanding TCP Flags in AWS VPC Flow Logs

TCP flags are control bits in the TCP header that indicate the state and direction of TCP connections. In VPC Flow Logs, these flags are bit masks, meaning they can be combined to create unique numbers. These combinations happen when multiple requests occur within the "aggregation interval" of the flow logs.

Mounira Remini - Founder & CEO
2min
-
June 30, 2025

Watch a Demo

Discover how our AI-driven, agentless security engine delivers unmatched visibility, detects behavior anomalies, and disarms threats before they escalate. In just 30 minutes, see how CloudFence helps you take full control of your cloud security.

Click ‘Play’ To See A Demo

Understanding TCP Flags in AWS VPC Flow Logs

TCP flags in AWS VPC Flow Logs provide valuable information about the state and direction of TCP connections. These flags are binary indicators represented as a decimal value in flow logs.

What are TCP Flags?

TCP flags are control bits in the TCP header that indicate specific conditions during data transmission. 

In VPC Flow Logs, these flags are bit masks, meaning they can be combined to create unique numbers. These combinations happen when multiple requests occur within the "aggregation interval" of the flow logs.

The decimal value is the sum of all active TCP flags in the connection, with each flag representing a specific binary position.

Below some examples:

  • FIN — 1
  • SYN — 2
  • RST — 4
  • SYN-ACK — 18

FIN

Decimal Value: 1

VPC Flow Logs - TCP FIN flag

SYN

Decimal Value: 2

VPC Flow Logs - TCP SYN flag

RST

Decimal Value: 4

VPC Flow Logs - TCP RST flag

SYN-ACK

Decimal Value: 18

VPC Flow logs - TCP SYN-ACK flag

Common TCP Flag Combinations

The following table presents the most commonly observed TCP flag combinations in VPC Flow Logs.

While there are other possible flag combinations, these patterns represent the typical connection lifecycle events you'll encounter when analyzing your network traffic.

VPC Flow Logs TCP Flags Table

Conclusion

By analyzing TCP flags in VPC Flow Logs, you gain deep visibility into network behaviors—established connections, resets, and potential reconnaissance.

CloudFence ingests these logs into an AI-driven analytics engine that dynamically baselines every workload and surfaces anomalies within minutes, empowering your security team to spot suspicious deviations instantly. Its centralized Security Group dashboard then flags stale or over-permissive “all ports” rules and delivers precise, port-level recommendations to enforce strict least-privilege across your cloud environment.

Watch a Demo

Discover how CloudFence's AI-driven engine establishes behavioral baselines, delivers real-time visibility, and detects threats before they escalate—helping your team shift from reactive firefighting to strategic cloud security management.

Stop Being in the Dark!

Thank you! Your submission has been received!
Watch a demo
Oops! Something went wrong while submitting the form.

Watch a Demo

Discover how CloudFence's AI-driven engine establishes behavioral baselines, delivers real-time visibility, and detects threats before they escalate—helping your team shift from reactive firefighting to strategic cloud security management.

Watch a demo
Share this post
Blog
Mounira Remini - Founder & CEO
2min
-
June 30, 2025
Related Posts

Keep Exploring Cloud Security Insights

Looking to dive deeper? Check out these handpicked articles related to cloud visibility, threat detection, and workload protection.

Blog
3min
-
July 15, 2025

AWS Security Groups: From Liability to Defense

Enforce least privilege in AWS Security Groups through visibility, lockdown, and automation to......
Read More >
Blog
5min
-
July 7, 2025

How to Tighten AWS Security Group Rules Using VPC Flow Logs

Unlike traditional firewalls, security group rules do not come with a 'last used' timestamps or ....
Read More >
View all