Amazon Virtual Private Cloud
User Guide

Working With Flow Logs

You can work with flow logs using the Amazon EC2, Amazon VPC, CloudWatch, and Amazon S3 consoles.

Controlling the Use of Flow Logs

By default, IAM users do not have permission to work with flow logs. You can create an IAM user policy that grants users the permissions to create, describe, and delete flow logs. For more information, see Granting IAM Users Required Permissions for Amazon EC2 Resources in the Amazon EC2 API Reference.

The following is an example policy that grants users full permissions to create, describe, and delete flow logs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteFlowLogs",
        "ec2:CreateFlowLogs",
        "ec2:DescribeFlowLogs"
      ],
      "Resource": "*"
    }
  ]
}

Some additional IAM role and permission configuration is required, depending on whether you're publishing to CloudWatch Logs or Amazon S3. For more information, see Publishing Flow Logs to CloudWatch Logs and Publishing Flow Logs to Amazon S3.

Creating a Flow Log

You can create a flow log from the VPC and Subnet pages in the Amazon VPC console, or from the Network Interfaces page in the Amazon EC2 console.

To create a flow log for a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select a network interface and choose Flow Logs, Create Flow Log.

  4. For Filter, specify the type of IP traffic data to log. Choose All to log accepted and rejected traffic, Rejected to record only rejected traffic, or Accepted to record only accepted traffic.

  5. Specify the destinations to which to publish the flow log data. Flow log data can be published to CloudWatch Logs and Amazon S3.

    1. To publish the flow log data to CloudWatch Logs, do the following:

      1. Choose Send to CloudWatch Logs.

      2. For Destination log group, enter the name of a log group in CloudWatch Logs to which the flow logs are to be published. You can use an existing log group or enter a name for a new log group. If you specify the name of a log group that does not exist, we attempt to create the log group for you.

      3. For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs.

    2. To publish the flow log data to Amazon S3, do the following:

      1. Make sure that the Amazon S3 bucket to which to publish the flow log already exists. If it does not, create a new Amazon S3 bucket. For more information, see Create a Bucket.

      2. Choose Send to an Amazon S3 bucket.

      3. For S3 bucket ARN, specify the Amazon Resource Name (ARN) of the existing Amazon S3 bucket to which to publish the flow log data.

        You can also specify a subfolder in the bucket. To specify a subfolder in the bucket, use the following ARN format: bucket_ARN/subfolder_name/. For example, to specify a subfolder named my-logs in a bucket named my-bucket, use the following ARN: arn:aws:s3:::my-bucket/my-logs/.

      Note

      We automatically create a resource policy and attach it to the specified Amazon S3 bucket. For more information, see Amazon S3 Bucket Permissions for Flow Logs.

  6. Choose Create Flow Log.

To create a flow log for a VPC or a subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs or Subnets.

  3. Select your VPC or subnet and choose Flow Logs, Create Flow Log.

    Note

    To create flow logs for multiple VPCs, choose the VPCs, and choose Actions, Create Flow Log. To create flow logs for multiple subnets, choose the subnets, and choose Subnet Actions, Create Flow Log.

  4. For Filter, specify the type of IP traffic data to log. Choose All to log accepted and rejected traffic, Rejected to record only rejected traffic, or Accepted to record only accepted traffic.

  5. Specify the destinations to which to publish the flow log data. Flow log data can be published to CloudWatch Logs and Amazon S3.

    1. To publish the flow log data to CloudWatch Logs, do the following:

      1. Choose Send to CloudWatch Logs.

      2. For Destination log group, enter the name of a log group in CloudWatch Logs to which the flow logs are to be published. You can use an existing log group, or you can enter a name for a new log group. If you specify the name of a log group that does not exist, we attempt to create the log group for you.

      3. For IAM role, specify the name of the IAM role that has permissions to publish logs to CloudWatch Logs.

      Note

      The Amazon Resource Name (ARN) of the selected IAM role is indicated next to the IAM Role ARN label.

    2. To publish the flow log data to Amazon S3, do the following:

      1. Make sure that the Amazon S3 bucket to which to publish the flow log already exists. If it does not, create a new Amazon S3 bucket. For more information, see Create a Bucket.

      2. Choose Send to an Amazon S3 bucket.

      3. For S3 bucket ARN, specify the ARN of the existing Amazon S3 bucket to which you want to publish the flow log data.

        You can also specify a subfolder in the bucket. To specify a subfolder in the bucket, use the following ARN format: bucket_ARN/subfolder_name/. For example, to specify a subfolder named my-logs in a bucket named my-bucket, use the following ARN: arn:aws:s3:::my-bucket/my-logs/.

      Note

      We automatically create a resource policy and attach it to the specified Amazon S3 bucket. For more information, see Amazon S3 Bucket Permissions for Flow Logs.

  6. Choose Create Flow Log.

Viewing Flow Logs

You can view information about your flow logs in the Amazon EC2 and Amazon VPC consoles by viewing the Flow Logs tab for a specific resource. When you select the resource, all the flow logs for that resource are listed. The information displayed includes the ID of the flow log, the flow log configuration, and information about the status of the flow log.

To view information about your flow logs for your network interfaces

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select a network interface, and choose Flow Logs. Information about the flow logs is displayed on the tab. The Destination type column indicates the destination to which the flow logs are published.

To view information about your flow logs for your VPCs or subnets

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs or Subnets.

  3. Select your VPC or subnet, and choose Flow Logs. Information about the flow logs is displayed on the tab. The Destination type column indicates the destination to which the flow logs are published.

Viewing Flow Log Records

You can view your flow log records using the CloudWatch Logs console or Amazon S3 console, depending on the chosen destination type. It may take a few minutes after you've created your flow log for it to be visible in the console.

To view flow log records published to CloudWatch Logs

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs, and select the log group that contains your flow log. A list of log streams for each network interface is displayed.

  3. Select the log stream that contains the ID of the network interface for which to view the flow log records. For more information, see Flow Log Records.

To view flow log records published to Amazon S3

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. For Bucket name, select the bucket to which the flow logs are published.

  3. For Name, select the check box next to the log file. On the object overview panel, choose Download.
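Once a log file has been downloaded from the bucket, the records in it can be summarised locally. The following script is an added example, not part of this guide: it assumes the default field order of the records (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), reads a downloaded file whether or not it is still gzip-compressed, and counts rejected flows per source address and destination port. The sample records it writes are constructed, with placeholder account and interface IDs.

```shell
#!/bin/sh
# Added example (not from the AWS guide): summarise a flow log file after
# downloading it from the S3 console. S3 flow log files are gzip-compressed,
# space-separated, and begin with a header line naming the fields; the default
# field order is assumed here.
set -eu

# Read a downloaded file, decompressing it if it still has its .gz suffix.
read_flow_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Constructed sample records (not real traffic); account and interface IDs are placeholders.
write_sample_log() {
    cat > "$1" <<'EOF'
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0example 198.51.100.7 10.0.1.25 43210 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0example 10.0.1.25 203.0.113.9 51000 443 6 20 4120 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.25 43211 22 6 2 120 1600000000 1600000060 REJECT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.25 43212 3389 6 2 120 1600000000 1600000060 REJECT OK
2 123456789012 eni-0example - - - - - - - 1600000000 1600000060 - NODATA
EOF
}

# Count rejected flows per source address and destination port. The header
# line and NODATA/SKIPDATA records (which carry no addresses) are skipped.
rejected_by_source() {
    read_flow_log "$1" | awk '
        NR == 1 && $1 == "version" { next }   # header line
        $14 != "OK"                 { next }   # no usable record
        $13 == "REJECT"             { n[$4 " -> port " $7]++ }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}
```

Run `write_sample_log sample.log; rejected_by_source sample.log` to see the two rejected source/port pairs, the first with a count of 2.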

Deleting a Flow Log

You can delete a flow log using the Amazon EC2 and Amazon VPC consoles.

Note

These procedures disable the flow log service for a resource. Deleting a flow log does not delete the existing log streams from CloudWatch Logs or the existing log files from Amazon S3; existing flow log data must be deleted using the respective service's console. In addition, deleting a flow log that publishes to Amazon S3 does not remove the bucket policies or the log file access control lists (ACLs).

To delete a flow log for a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces and select the network interface.

  3. Choose Flow Logs, and then choose the delete button (a cross) for the flow log to delete.

  4. In the confirmation dialog box, choose Yes, Delete.

To delete a flow log for a VPC or subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs or Subnets, and then select the resource.

  3. Choose Flow Logs, and then choose the delete button (a cross) for the flow log to delete.

  4. In the confirmation dialog box, choose Yes, Delete.

API and CLI Overview

You can perform the tasks described on this page using the command line or API. For more information about the command line interfaces and a list of available API actions, see Accessing Amazon VPC.

Create a flow log

Describe your flow logs

View your flow log records (log events)

Delete a flow log
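The CLI equivalents of these four tasks, as an added example script that is not part of this guide: it wraps the AWS CLI commands create-flow-logs, describe-flow-logs, get-log-events and delete-flow-logs. The resource IDs, bucket ARN, log group, log stream and role ARN passed to the functions are placeholders you supply; setting AWS=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the AWS guide): the CLI form of the tasks listed
# above. All IDs, ARNs and names are placeholders supplied by the caller.
set -eu

AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Create a flow log for one VPC that publishes only rejected traffic to S3.
# The destination ARN may end in a subfolder, as in the console procedure.
create_vpc_flow_log_s3() {
    vpc_id="$1"; bucket_arn="$2"
    "$AWS" ec2 create-flow-logs \
        --resource-type VPC --resource-ids "$vpc_id" \
        --traffic-type REJECT \
        --log-destination-type s3 --log-destination "$bucket_arn"
}

# Create a flow log for a network interface that publishes all traffic to
# CloudWatch Logs; the role must be allowed to write to the log group.
create_eni_flow_log_cw() {
    eni_id="$1"; log_group="$2"; role_arn="$3"
    "$AWS" ec2 create-flow-logs \
        --resource-type NetworkInterface --resource-ids "$eni_id" \
        --traffic-type ALL \
        --log-destination-type cloud-watch-logs \
        --log-group-name "$log_group" \
        --deliver-logs-permission-arn "$role_arn"
}

# Describe the flow logs attached to a resource (the console's Flow Logs tab).
describe_flow_logs_for() {
    "$AWS" ec2 describe-flow-logs --filter "Name=resource-id,Values=$1"
}

# View records: pass the log group and the log stream that carries the
# network interface ID, as in the CloudWatch Logs procedure above.
get_flow_log_events() {
    log_group="$1"; log_stream="$2"
    "$AWS" logs get-log-events \
        --log-group-name "$log_group" --log-stream-name "$log_stream"
}

# Delete a flow log by its ID; the log streams or S3 objects remain.
delete_flow_log() {
    "$AWS" ec2 delete-flow-logs --flow-log-ids "$1"
}
```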