Amazon Virtual Private Cloud
User Guide

Publishing Flow Logs to CloudWatch Logs

Flow logs can publish flow log data directly to Amazon CloudWatch.

When publishing to CloudWatch Logs, flow log data is published to a log group, and each network interface has a unique log stream in the log group. Log streams contain flow log records. You can create multiple flow logs that publish data to the same log group. If the same network interface is present in one or more flow logs in the same log group, it has one combined log stream. If you've specified that one flow log should capture rejected traffic, and the other flow log should capture accepted traffic, then the combined log stream captures all traffic. For more information, see Flow Log Records.

IAM Roles for Publishing Flow Logs to CloudWatch Logs

The IAM role that's associated with your flow log must have sufficient permissions to publish flow logs to the specified log group in CloudWatch Logs. The IAM policy that's attached to your IAM role must include at least the following permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

Also ensure that your role has a trust relationship that allows the flow logs service to assume the role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "vpc-flow-logs.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Users must also have permissions to use the iam:PassRole action for the IAM role that's associated with the flow log:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "arn:aws:iam::account-id:role/flow-log-role-name"
        }
      ]
    }

You can update an existing role or use the following procedure to create a new role for use with flow logs.

Creating a Flow Logs Role

To create an IAM role for flow logs

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, Create role.

  3. Choose EC2 as the service to use this role. For Use case, choose EC2. Choose Next: Permissions.

  4. On the Attach permissions policies page, choose Next: Review.

  5. Enter a name for your role (for example, Flow-Logs-Role) and optionally provide a description. Choose Create role.

  6. Select the name of your role. For Permissions, choose Add inline policy, JSON.

  7. Copy the first policy from IAM Roles for Publishing Flow Logs to CloudWatch Logs and paste it in the window. Choose Review policy.

  8. Enter a name for your policy, and choose Create policy.

  9. Select the name of your role. For Trust relationships, choose Edit trust relationship. In the existing policy document, change the service from ec2.amazonaws.com to vpc-flow-logs.amazonaws.com. Choose Update Trust Policy.

  10. On the Summary page, note the ARN for your role. You need this ARN when you create your flow log.
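The following is an added example (not AWS code) that checks a role against the two requirements stated above: the permissions policy grants every logs action the guide lists, and the trust policy lets vpc-flow-logs.amazonaws.com assume the role with no other service principal left behind after step 9. It runs offline against the policy documents embedded in the script; for a real role you would pass the "PolicyDocument" returned by `aws iam get-role-policy` as the permissions policy and the "AssumeRolePolicyDocument" returned by `aws iam get-role` as the trust policy. The sample trust policy labelled "unedited" is a constructed stand-in for what the console generates in step 3, before step 9 changes the principal.

```python
"""Check an IAM role against the flow logs requirements (added example, not AWS code).

Both policy documents are embedded below so the script runs offline. For a real
role, use the "PolicyDocument" from `aws iam get-role-policy` as the permissions
policy and the "AssumeRolePolicyDocument" from `aws iam get-role` as the trust
policy.
"""

# The minimum actions the guide requires in the permissions policy.
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
}
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_permissions(policy):
    """Required logs actions that no Allow statement grants (empty set = OK)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "logs:*"):
                return set()  # a wildcard grants everything required
            granted.add(action)
    return REQUIRED_ACTIONS - granted


def trust_policy_problems(policy):
    """Report if the flow logs service cannot assume the role, if any principal
    may assume it, or if another service principal (such as the
    ec2.amazonaws.com that step 9 replaces) is still trusted."""
    problems = []
    trusted_services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            problems.append("trust policy allows any principal to assume the role")
        elif isinstance(principal, dict):
            trusted_services.update(_as_list(principal.get("Service")))
    if FLOW_LOGS_SERVICE not in trusted_services:
        problems.append(f"{FLOW_LOGS_SERVICE} cannot assume the role")
    for service in sorted(trusted_services - {FLOW_LOGS_SERVICE}):
        problems.append(f"unexpected service principal still trusted: {service}")
    return problems


def check_flow_logs_role(permissions_policy, trust_policy):
    """All findings for the role; an empty list means it matches the guide."""
    findings = [f"permissions policy lacks {action}"
                for action in sorted(missing_permissions(permissions_policy))]
    findings.extend(trust_policy_problems(trust_policy))
    return findings


# Constructed samples: the permissions policy from the guide, the trust policy
# after step 9, and a trust policy as the console creates it in step 3 (still
# naming ec2.amazonaws.com, which is what step 9 fixes).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
UNEDITED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print("edited role:", check_flow_logs_role(PERMISSIONS_POLICY, TRUST_POLICY))
    print("before step 9:", check_flow_logs_role(PERMISSIONS_POLICY, UNEDITED_TRUST_POLICY))
```

The checker compares actions only, so a permissions policy whose Resource has been narrowed from "*" to the ARN of the specific log group still passes; that narrowing is the least-privilege form of the same policy and is worth doing once the log group exists.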

Processing Flow Log Records

You can work with flow log records as you would with any other log events collected by CloudWatch Logs. For more information about monitoring log data and metric filters, see Searching and Filtering Log Data in the Amazon CloudWatch User Guide.

Example: Creating a CloudWatch Metric Filter and Alarm for a Flow Log

In this example, you have a flow log for eni-1a2b3c4d. You want to create an alarm that alerts you if there have been 10 or more rejected attempts to connect to your instance over TCP port 22 (SSH) within a 1-hour time period. First, you must create a metric filter that matches the pattern of the traffic for which to create the alarm. Then, you can create an alarm for the metric filter.

To create a metric filter for rejected SSH traffic and create an alarm for the filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs, select the flow log group for your flow log, and then choose Create Metric Filter.

  3. For Filter Pattern, enter the following:

    [version, account, eni, source, destination, srcport, destport="22", protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]

  4. For Select Log Data to Test, select the log stream for your network interface. (Optional) To view the lines of log data that match the filter pattern, choose Test Pattern. When you're ready, choose Assign Metric.

  5. Provide a metric namespace and name, and ensure that the metric value is set to 1. When you're done, choose Create Filter.

  6. In the navigation pane, choose Alarms, Create Alarm.

  7. In the Custom Metrics section, choose the namespace for the metric filter that you created.

    Note

    It can take a few minutes for a new metric to display in the console.

  8. Select the metric name that you created, and choose Next.

  9. Enter a name and description for the alarm. For the "is" field, choose >= and enter 10. For the "for" field, leave the default of 1 consecutive period.

  10. For Period, choose 1 Hour. For Statistic, choose Sum. The Sum statistic ensures that you are capturing the total number of data points for the specified time period.

  11. In the Actions section, you can choose to send a notification to an existing list. Or, you can create a new list and enter the email addresses that should receive a notification when the alarm is triggered. When you are done, choose Create Alarm.
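The metric filter and alarm in this procedure can be reproduced offline to see which records they would count. The following is an added example (not AWS code): it parses flow log records in the 14-field layout that the filter pattern names, applies the pattern's three conditions (destport="22", protocol="6", action="REJECT"), sums the matches per 1-hour period as the Sum statistic would, and reports the periods that reach the alarm threshold of 10. The records, account ID, addresses and timestamps are constructed; the interface ID is the one from the example above. Aligning periods to whole hours of epoch time is a simplification of how CloudWatch evaluates the alarm.

```python
"""Replay the guide's metric filter and alarm over flow log records (added example, not AWS code)."""
from collections import defaultdict

# Field names as used in the filter pattern (14 space-separated fields per record).
FIELDS = ["version", "account", "eni", "source", "destination", "srcport",
          "destport", "protocol", "packets", "bytes", "windowstart",
          "windowend", "action", "flowlogstatus"]

# Equality conditions from the pattern; every other field is a wildcard.
FILTER_CONDITIONS = {"destport": "22", "protocol": "6", "action": "REJECT"}

ALARM_THRESHOLD = 10    # alarm when the Sum for a period is >= 10
PERIOD_SECONDS = 3600   # Period: 1 Hour


def parse_record(line):
    """Split one flow log record into a dict, or None if it is not 14 fields."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))


def matches_filter(record):
    """The test the metric filter applies: every named condition must hold."""
    return all(record.get(key) == value for key, value in FILTER_CONDITIONS.items())


def metric_sums(lines):
    """Matches per 1-hour period (metric value 1 per match, Sum statistic).
    Simplification: periods start on whole hours of epoch time, keyed by the
    hour that contains the record's windowstart."""
    sums = defaultdict(int)
    for line in lines:
        record = parse_record(line)
        if record is None or not matches_filter(record):
            continue
        period = int(record["windowstart"]) // PERIOD_SECONDS * PERIOD_SECONDS
        sums[period] += 1
    return dict(sums)


def alarm_periods(lines, threshold=ALARM_THRESHOLD):
    """Period start times whose Sum reaches the alarm threshold, in order."""
    return sorted(period for period, total in metric_sums(lines).items() if total >= threshold)


# Constructed sample data. The interface ID is the one from the guide's example;
# the account ID, addresses and times are made up for this script.
ACCOUNT = "123456789010"
ENI = "eni-1a2b3c4d"
HOUR_A = 1599998400           # constructed epoch second on an hour boundary
HOUR_B = HOUR_A + 3600        # the following hour


def _rec(src, dstport, proto, action, start):
    """Build one 14-field record: version 2, 4 packets, 240 bytes, 60-second window."""
    return (f"2 {ACCOUNT} {ENI} {src} 172.31.16.21 49152 {dstport} {proto} "
            f"4 240 {start} {start + 60} {action} OK")


SAMPLE_RECORDS = (
    # 10 rejected SSH attempts in hour A: enough to trip the alarm
    [_rec("203.0.113.12", 22, 6, "REJECT", HOUR_A + 100 * i) for i in range(10)]
    # 2 more in hour B: below the threshold
    + [_rec("203.0.113.12", 22, 6, "REJECT", HOUR_B + 100 * i) for i in range(2)]
    # records the filter must ignore: accepted SSH, rejected HTTPS, UDP to 22, NODATA
    + [_rec("198.51.100.7", 22, 6, "ACCEPT", HOUR_A + 5),
       _rec("203.0.113.12", 443, 6, "REJECT", HOUR_A + 6),
       _rec("203.0.113.12", 22, 17, "REJECT", HOUR_A + 7),
       f"2 {ACCOUNT} {ENI} - - - - - - - {HOUR_A} {HOUR_A + 60} - NODATA"]
)

if __name__ == "__main__":
    print("matches per period:", metric_sums(SAMPLE_RECORDS))
    print("periods in ALARM:", alarm_periods(SAMPLE_RECORDS))
```

Because the filter pattern only positionally names fields, a record with a different field count (for example a custom-format flow log) never matches; parse_record mirrors that by returning None for anything other than 14 fields.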