Amazon Virtual Private Cloud
User Guide

Working With Flow Logs

You can work with flow logs using the Amazon EC2, Amazon VPC, CloudWatch, and Amazon S3 consoles.

Controlling the Use of Flow Logs

By default, IAM users do not have permission to work with flow logs. You can create an IAM user policy that grants users the permissions to create, describe, and delete flow logs. For more information, see Granting IAM Users Required Permissions for Amazon EC2 Resources in the Amazon EC2 API Reference.

The following is an example policy that grants users full permissions to create, describe, and delete flow logs.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteFlowLogs", "ec2:CreateFlowLogs", "ec2:DescribeFlowLogs" ], "Resource": "*" } ] }

Some additional IAM role and permission configuration is required, depending on whether you're publishing to CloudWatch Logs or Amazon S3. For more information, see Publishing Flow Logs to CloudWatch Logs and Publishing Flow Logs to Amazon S3.

Creating a Flow Log

You can create flow logs for your VPCs, subnets, or network interfaces. Flow logs can publish data to CloudWatch Logs or Amazon S3.

For more information, see Creating a Flow Log that Publishes to CloudWatch Logs and Creating a Flow Log that Publishes to Amazon S3.

Viewing Flow Logs

You can view information about your flow logs in the Amazon EC2 and Amazon VPC consoles by viewing the Flow Logs tab for a specific resource. When you select the resource, all the flow logs for that resource are listed. The information displayed includes the ID of the flow log, the flow log configuration, and information about the status of the flow log.

To view information about flow logs for your network interfaces

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select a network interface, and choose Flow Logs. Information about the flow logs is displayed on the tab. The Destination type column indicates the destination to which the flow logs are published.

To view information about flow logs for your VPCs or subnets

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs or Subnets.

  3. Select your VPC or subnet, and choose Flow Logs. Information about the flow logs is displayed on the tab. The Destination type column indicates the destination to which the flow logs are published.

Viewing Flow Log Records

You can view your flow log records using the CloudWatch Logs console or Amazon S3 console, depending on the chosen destination type. It may take a few minutes after you've created your flow log for it to be visible in the console.

To view flow log records published to CloudWatch Logs

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs, and select the log group that contains your flow log. A list of log streams for each network interface is displayed.

  3. Select the log stream that contains the ID of the network interface for which to view the flow log records. For more information, see Flow Log Records.

To view flow log records published to Amazon S3

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. For Bucket name, select the bucket to which the flow logs are published.

  3. For Name, select the check box next to the log file. On the object overview panel, choose Download.

Deleting a Flow Log

You can delete a flow log using the Amazon EC2 and Amazon VPC consoles.

Note

These procedures disable the flow log service for a resource. Deleting a flow log does not delete the existing log streams from CloudWatch Logs and log files from Amazon S3. Existing flow log data must be deleted using the respective service's console. In addition, deleting a flow log that publishes to Amazon S3 does not remove the bucket policies and log file access control lists (ACLs).

To delete a flow log for a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces and select the network interface.

  3. Choose Flow Logs, and then choose the delete button (a cross) for the flow log to delete.

  4. In the confirmation dialog box, choose Yes, Delete.

To delete a flow log for a VPC or subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs or Subnets, and then select the resource.

  3. Choose Flow Logs, and then choose the delete button (a cross) for the flow log to delete.

  4. In the confirmation dialog box, choose Yes, Delete.

API and CLI Overview

You can perform the tasks described on this page using the command line or API. For more information about the command line interfaces and a list of available API actions, see Accessing Amazon VPC.

Create a flow log

Describe your flow logs

View your flow log records (log events)

Delete a flow log