Work with flow logs
You can work with flow logs using the Amazon EC2 and Amazon VPC consoles.
Tasks
1. Control the use of flow logs with IAM
By default, users do not have permission to work with flow logs. You can create an IAM role with a policy attached that grants users the permissions to create, describe, and delete flow logs.
The following is an example policy that grants users full permissions to create, describe, and delete flow logs.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DeleteFlowLogs", "ec2:CreateFlowLogs", "ec2:DescribeFlowLogs" ], "Resource": "*" } ] }
For more information, see How Amazon VPC works with IAM.
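Before attaching a policy like the one above, a reviewer usually wants to know exactly which of the three flow log actions it ends up allowing, because ec2:DeleteFlowLogs lets the holder stop collection and is worth separating from describe-only access. The script below is an added example, not AWS documentation code: it evaluates the policy from this page plus two constructed variants (a describe-only policy and an ec2:* wildcard with an explicit Deny) using only the statement-level Allow/Deny, Action/NotAction and wildcard rules of IAM. It does not model Condition blocks, permission boundaries or SCPs, and the function and variable names are my own.

```python
"""Review which flow log actions an IAM policy document grants (added example)."""
import fnmatch
import json

# The three flow log API actions listed on this page.
FLOW_LOG_ACTIONS = ("ec2:CreateFlowLogs", "ec2:DescribeFlowLogs", "ec2:DeleteFlowLogs")

# The policy shown on this page.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DeleteFlowLogs", "ec2:CreateFlowLogs", "ec2:DescribeFlowLogs"],
    "Resource": "*"
  }]
}""")

# Constructed variant: analysts who only need to list flow logs.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeFlowLogs", "Resource": "*"}],
}

# Constructed variant: broad ec2:* grant with an explicit Deny on deletion.
WILDCARD_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteFlowLogs"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action, NotAction and Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    """IAM action names match case-insensitively and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction selects the given action."""
    if "Action" in stmt:
        return _matches(_as_list(stmt["Action"]), action)
    if "NotAction" in stmt:
        return not _matches(_as_list(stmt["NotAction"]), action)
    return False


def effective_flow_log_actions(policy):
    """Return the set of flow log actions the policy allows; an explicit Deny wins."""
    statements = _as_list(policy.get("Statement"))
    allowed = set()
    for action in FLOW_LOG_ACTIONS:
        allow = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)
        deny = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements)
        if allow and not deny:
            allowed.add(action)
    return allowed


def review_policy(policy):
    """Return the findings a reviewer would raise before attaching the policy."""
    findings = []
    if "ec2:DeleteFlowLogs" in effective_flow_log_actions(policy):
        findings.append("allows ec2:DeleteFlowLogs: the holder can stop flow log collection")
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        wildcard = any("*" in p or "?" in p for p in patterns)
        if wildcard and any(_statement_covers(stmt, a) for a in FLOW_LOG_ACTIONS):
            findings.append("wildcard Action %r reaches flow log permissions" % (patterns,))
    return findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("read-only", READ_ONLY_POLICY),
                         ("wildcard+deny", WILDCARD_WITH_DENY)):
        print(name, sorted(effective_flow_log_actions(policy)), review_policy(policy))
```

Run it as a script to see all three evaluations; the page's own policy allows all three actions and is flagged for the delete permission, the describe-only variant produces no findings, and the wildcard variant is flagged for reaching the flow log actions through ec2:* even though the Deny removes deletion.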
2. Create a flow log
You can create flow logs for your VPCs, subnets, or network interfaces. When you create a flow log, you must specify a destination for the flow log. For more information, see the following:
3. Tag a flow log
You can add or remove tags for a flow log at any time.
To manage tags for a flow log
1. Do one of the following:
   - Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. In the navigation pane, choose Network Interfaces. Select the checkbox for the network interface.
   - Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Your VPCs. Select the checkbox for the VPC.
   - Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Subnets. Select the checkbox for the subnet.
2. Choose Flow Logs.
3. Choose Actions, Manage tags.
4. To add a new tag, choose Add new tag and enter the key and value. To remove a tag, choose Remove.
5. When you are finished adding or removing tags, choose Save.
4. Delete a flow log
You can delete a flow log at any time. After you delete a flow log, it can take several minutes to stop collecting data.
Deleting a flow log does not delete the log data from the destination or modify the destination resource. You must delete the existing flow log data directly from the destination, and clean up the destination resource, using the console for the destination service.
To delete a flow log
1. Do one of the following:
   - Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. In the navigation pane, choose Network Interfaces. Select the checkbox for the network interface.
   - Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Your VPCs. Select the checkbox for the VPC.
   - Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Subnets. Select the checkbox for the subnet.
2. Choose Flow Logs.
3. Choose Actions, Delete flow logs.
4. When prompted for confirmation, type delete and then choose Delete.
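Because deleting a flow log stops collection within minutes while leaving the existing data in place, a deletion (whether through the console or the DeleteFlowLogs API) is something an operations team normally wants to see in its audit trail. The script below is an added example, not AWS documentation code: it scans CloudTrail records in the log-file layout and reports every DeleteFlowLogs call with the calling principal, the flow log IDs requested, and whether the call succeeded or was refused. The records are constructed; the nesting of flow log IDs under requestParameters is assumed from the Query API parameter name (FlowLogId.N) and the extractor accepts both a single object and a list so it tolerates either shape.

```python
"""Report flow log deletions found in CloudTrail records (added example)."""
import json

# Constructed CloudTrail log file: one describe, one successful delete, one delete
# refused by IAM. Real records carry many more fields than shown here.
CONSTRUCTED_TRAIL_JSON = """{"Records": [
  {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeFlowLogs",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
   "requestParameters": {}},
  {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DeleteFlowLogs",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
   "requestParameters": {"DeleteFlowLogsRequest":
     {"FlowLogId": [{"tag": 1, "content": "fl-0123456789abcdef0"},
                    {"tag": 2, "content": "fl-0fedcba9876543210"}]}}},
  {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DeleteFlowLogs", "errorCode": "Client.UnauthorizedOperation",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
   "requestParameters": {"DeleteFlowLogsRequest":
     {"FlowLogId": {"tag": 1, "content": "fl-0123456789abcdef0"}}}}
]}"""


def parse_records(text):
    """Return the record list from a CloudTrail log file body."""
    return json.loads(text).get("Records", [])


def flow_log_ids(params):
    """Extract flow log IDs from DeleteFlowLogs requestParameters.

    Assumed layout: DeleteFlowLogsRequest.FlowLogId holds either one
    {"tag": n, "content": id} object or a list of them.
    """
    items = (params.get("DeleteFlowLogsRequest") or {}).get("FlowLogId", [])
    if isinstance(items, dict):
        items = [items]
    return [item["content"] for item in items if isinstance(item, dict) and "content" in item]


def find_flow_log_deletions(records):
    """Return one alert dict per DeleteFlowLogs call, successful or refused."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "DeleteFlowLogs":
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "flow_log_ids": flow_log_ids(rec.get("requestParameters") or {}),
            # CloudTrail adds errorCode only when the call failed.
            "succeeded": "errorCode" not in rec,
            "error": rec.get("errorCode"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_flow_log_deletions(parse_records(CONSTRUCTED_TRAIL_JSON)):
        status = "deleted" if alert["succeeded"] else "REFUSED (%s)" % alert["error"]
        print(alert["time"], alert["principal"], alert["flow_log_ids"], status)
```

Refused calls are kept in the output on purpose: a principal repeatedly attempting DeleteFlowLogs without permission is worth a look even though no collection was stopped, and it is the other side of the IAM control described at the top of this page.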
API and CLI overview
You can perform the tasks described on this page using the command line or API. For more information about the command line interfaces and a list of available API actions, see Working with Amazon VPC.
Create a flow log
- create-flow-logs (AWS CLI)
- New-EC2FlowLog (AWS Tools for Windows PowerShell)
- CreateFlowLogs (Amazon EC2 Query API)
Describe a flow log
- describe-flow-logs (AWS CLI)
- Get-EC2FlowLog (AWS Tools for Windows PowerShell)
- DescribeFlowLogs (Amazon EC2 Query API)
Tag a flow log
- create-tags and delete-tags (AWS CLI)
- New-EC2Tag and Remove-EC2Tag (AWS Tools for Windows PowerShell)
- CreateTags and DeleteTags (Amazon EC2 Query API)
Delete a flow log
- delete-flow-logs (AWS CLI)
- Remove-EC2FlowLog (AWS Tools for Windows PowerShell)
- DeleteFlowLogs (Amazon EC2 Query API)