Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)

CreateFlowLogs

Creates one or more flow logs to capture IP traffic for a specific network interface, subnet, or VPC. Flow logs are delivered to a specified log group in Amazon CloudWatch Logs. If you specify a VPC or subnet in the request, a log stream is created in CloudWatch Logs for each network interface in the subnet or VPC. Log streams can include information about accepted and rejected traffic to a network interface. You can view the data in your log streams using Amazon CloudWatch Logs.

In your request, you must also specify an IAM role that has permission to publish logs to CloudWatch Logs.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.

ClientToken

Unique, case-sensitive identifier you provide to ensure the idempotency of the request. For more information, see How to Ensure Idempotency.

Type: String

Required: No

DeliverLogsPermissionArn

The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group.

Type: String

Required: Yes

LogGroupName

The name of the CloudWatch log group.

Type: String

Required: Yes

ResourceId.N

One or more subnet, network interface, or VPC IDs.

Constraints: Maximum of 1000 resources

Type: array of Strings

Required: Yes

ResourceType

The type of resource on which to create the flow log.

Type: String

Valid Values: VPC | Subnet | NetworkInterface

Required: Yes

TrafficType

The type of traffic to log.

Type: String

Valid Values: ACCEPT | REJECT | ALL

Required: Yes

Response Elements

The following elements are returned by the service.

clientToken

Unique, case-sensitive identifier you provide to ensure the idempotency of the request.

Type: String

flowLogIdSet

The IDs of the flow logs.

Type: array of Strings

requestId

The ID of the request.

Type: String

unsuccessful

Information about the flow logs that could not be created successfully.

Type: array of UnsuccessfulItem objects

Errors

For information about the errors that are common to all actions, see Common Errors.

Example

This example creates a flow log that captures all rejected traffic for network interface eni-aa22bb33. The flow logs are delivered to a log group in CloudWatch Logs called my-flow-logs in account 123456789101, using the IAM role publishFlowLogs.

Sample Request

https://ec2.amazonaws.com/?Action=CreateFlowLogs
&ResourceType=NetworkInterface
&TrafficType=REJECT
&ResourceId.1=eni-aa22bb33
&DeliverLogsPermissionArn=arn:aws:iam::123456789101:role/publishFlowLogs
&LogGroupName=my-flow-logs
&AUTHPARAMS

Sample Response

<CreateFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>2d96dae3-504b-4fc4-bf50-266EXAMPLE</requestId>
  <unsuccessful/>
  <flowLogIdSet>
    <item>fl-1a2b3c4d</item>
  </flowLogIdSet>
</CreateFlowLogsResponse>
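The response carries both flowLogIdSet and unsuccessful, so a caller that reads only the flow log IDs can miss resources that were left without logging. The following Python sketch is an added example, not part of the AWS reference: it builds the unsigned query string using the parameter constraints listed above and splits a response into created and failed items. The function names are hypothetical, the child elements of an unsuccessful item (resourceId, error/code, error/message) are an assumption, and request signing (AUTHPARAMS) is out of scope.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"ec2": "http://ec2.amazonaws.com/doc/2016-11-15/"}  # namespace from the sample response
RESOURCE_TYPES = {"VPC", "Subnet", "NetworkInterface"}
TRAFFIC_TYPES = {"ACCEPT", "REJECT", "ALL"}

# Constructed partial-failure response. The item layout (resourceId, error/code,
# error/message) is an assumption; the error code and message are placeholders.
PARTIAL_FAILURE = """<CreateFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>00000000-0000-0000-0000-000000EXAMPLE</requestId>
  <unsuccessful><item>
    <error><code>ExampleErrorCode</code><message>constructed message</message></error>
    <resourceId>eni-00000000</resourceId>
  </item></unsuccessful>
  <flowLogIdSet><item>fl-1a2b3c4d</item></flowLogIdSet>
</CreateFlowLogsResponse>"""


def build_query(resource_type, resource_ids, traffic_type, role_arn, log_group,
                client_token=None):
    """Return the unsigned query string; AUTHPARAMS (signing) is not handled here."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError("ResourceType must be VPC, Subnet or NetworkInterface")
    if traffic_type not in TRAFFIC_TYPES:
        raise ValueError("TrafficType must be ACCEPT, REJECT or ALL")
    if not 1 <= len(resource_ids) <= 1000:
        raise ValueError("ResourceId.N takes between 1 and 1000 resources")
    params = [("Action", "CreateFlowLogs"), ("ResourceType", resource_type),
              ("TrafficType", traffic_type)]
    params += [(f"ResourceId.{n}", rid) for n, rid in enumerate(resource_ids, 1)]
    params += [("DeliverLogsPermissionArn", role_arn), ("LogGroupName", log_group)]
    if client_token:
        params.append(("ClientToken", client_token))
    return urlencode(params)


def parse_response(xml_text):
    """Return the created flow log IDs and the resources that were left unlogged."""
    root = ET.fromstring(xml_text)
    failed = [{"resourceId": i.findtext("ec2:resourceId", "", NS),
               "code": i.findtext("ec2:error/ec2:code", "", NS),
               "message": i.findtext("ec2:error/ec2:message", "", NS)}
              for i in root.findall("ec2:unsuccessful/ec2:item", NS)]
    return {"requestId": root.findtext("ec2:requestId", None, NS),
            "created": [e.text for e in root.findall("ec2:flowLogIdSet/ec2:item", NS)],
            "failed": failed}
```

A non-empty "failed" list should be treated as a logging coverage gap and reported, even though the call itself returned a response.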

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: