How to Configure VPC Flow Logs in AWS: Step-by-Step Guide
To configure VPC Flow Logs, create a flow log for your VPC, subnet, or network interface by specifying the resource, log destination (CloudWatch Logs or S3), and IAM role permissions. This captures network traffic metadata for monitoring and troubleshooting.

Syntax
The basic syntax to create a VPC Flow Log involves specifying the resource ID, log destination, and IAM role. You must define:
- ResourceId: The VPC, subnet, or network interface ID to monitor.
- ResourceType: Type of resource (VPC, Subnet, NetworkInterface).
- TrafficType: Type of traffic to log (ACCEPT, REJECT, ALL).
- LogDestinationType: Where to send logs (CloudWatch Logs or S3).
- LogDestination: ARN of the CloudWatch Logs group or S3 bucket.
- DeliverLogsPermissionArn: IAM role ARN with permissions to publish logs.
```bash
# The CLI flag is --resource-ids (plural); it accepts one or more IDs of the given --resource-type
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-123abcde \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-destination arn:aws:logs:us-east-1:123456789012:log-group:my-flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/FlowLogsRole
```
Example
This example creates a VPC Flow Log for a VPC that captures all traffic and sends logs to a CloudWatch Logs group. It assumes you have an IAM role with the correct permissions.
```bash
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-0a1b2c3d4e5f6g7h8 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-destination arn:aws:logs:us-west-2:111122223333:log-group:/aws/vpc/flowlogs \
  --deliver-logs-permission-arn arn:aws:iam::111122223333:role/FlowLogsRole
```
Output
```yaml
FlowLogIds:
- fl-0a1b2c3d4e5f6g7h8
ClientToken: abcdef12-3456-7890-abcd-ef1234567890
FlowLogs:
- FlowLogId: fl-0a1b2c3d4e5f6g7h8
  ResourceId: vpc-0a1b2c3d4e5f6g7h8
  ResourceType: VPC
  TrafficType: ALL
  LogGroupName: /aws/vpc/flowlogs
  DeliverLogsStatus: SUCCESS
```
Common Pitfalls
- Missing IAM Role Permissions: The IAM role must have `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` permissions.
- Incorrect Log Destination ARN: Use the correct ARN format for the CloudWatch Logs group or S3 bucket.
- Traffic Type Misconfiguration: Setting `REJECT` only logs rejected traffic, missing accepted traffic.
- Resource Type Mismatch: Ensure the `ResourceType` matches the `ResourceId` (e.g., VPC ID with VPC type).
```bash
# Wrong: missing IAM role permissions (no --deliver-logs-permission-arn for CloudWatch Logs delivery)
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-123abcde \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-destination arn:aws:logs:us-east-1:123456789012:log-group:my-flow-logs

# Right: include --deliver-logs-permission-arn
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-123abcde \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-destination arn:aws:logs:us-east-1:123456789012:log-group:my-flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/FlowLogsRole
```
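The pitfalls above can be caught before the `create-flow-logs` call is issued. The following pre-flight check is an added example written for this guide, not AWS code: it takes the parameter names used in this page and reports the resource-type/ID mismatch, malformed destination ARNs, and a missing delivery role (the role is only mandatory for `cloud-watch-logs`; S3 delivery is authorised by a bucket policy instead). The sample parameter dictionaries in the test are constructed from this page's examples.

```python
import re

# Prefix each ResourceType's ID must carry (catches the "Resource Type Mismatch" pitfall).
RESOURCE_PREFIX = {"VPC": "vpc-", "Subnet": "subnet-", "NetworkInterface": "eni-"}

# ARN shape expected per LogDestinationType (catches the "Incorrect Log Destination ARN" pitfall).
DESTINATION_ARN = {
    "cloud-watch-logs": re.compile(r"^arn:aws[a-z-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(:\*)?$"),
    "s3": re.compile(r"^arn:aws[a-z-]*:s3:::[a-z0-9.-]{3,63}(/.*)?$"),
}
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")
TRAFFIC_TYPES = {"ACCEPT", "REJECT", "ALL"}


def preflight(params: dict) -> list:
    """Return the problems that would make create-flow-logs fail.

    Keys mirror this page's parameter names (ResourceType, ResourceId, TrafficType,
    LogDestinationType, LogDestination, DeliverLogsPermissionArn). Empty list = safe to issue.
    """
    problems = []
    rtype, rid = params.get("ResourceType"), params.get("ResourceId", "")
    prefix = RESOURCE_PREFIX.get(rtype)
    if prefix is None:
        problems.append(f"unknown ResourceType {rtype!r}")
    elif not rid.startswith(prefix):
        problems.append(f"ResourceId {rid!r} does not match ResourceType {rtype} (expected {prefix}...)")

    if params.get("TrafficType") not in TRAFFIC_TYPES:
        problems.append(f"TrafficType must be one of {sorted(TRAFFIC_TYPES)}")

    dtype, dest = params.get("LogDestinationType"), params.get("LogDestination", "")
    pattern = DESTINATION_ARN.get(dtype)
    if pattern is None:
        problems.append(f"unknown LogDestinationType {dtype!r}")
    elif not pattern.match(dest):
        problems.append(f"LogDestination {dest!r} is not a valid {dtype} ARN")

    # CloudWatch Logs delivery needs the IAM role; S3 delivery relies on the bucket policy.
    role = params.get("DeliverLogsPermissionArn")
    if dtype == "cloud-watch-logs":
        if not role:
            problems.append("DeliverLogsPermissionArn is required for cloud-watch-logs delivery")
        elif not ROLE_ARN.match(role):
            problems.append(f"DeliverLogsPermissionArn {role!r} is not an IAM role ARN")
    return problems
```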
Quick Reference
Remember these key points when configuring VPC Flow Logs:
- ResourceType: VPC, Subnet, or NetworkInterface
- TrafficType: ACCEPT, REJECT, or ALL
- LogDestinationType: cloud-watch-logs or s3
- IAM Role: Must have permissions to publish logs
- LogDestination: ARN of CloudWatch Logs group or S3 bucket
Key Takeaways
Create VPC Flow Logs by specifying resource, traffic type, log destination, and IAM role.
Use CloudWatch Logs or S3 as log destinations with correct ARN formats.
Ensure the IAM role has permissions to deliver logs to the chosen destination.
Choose the right traffic type to capture the network data you need.
Match resource type with the correct resource ID to avoid errors.