Search⌘ K
AI Features
Home
Courses
A Complete Guide for Virtual Private Cloud Using AWS

Create and Manage VPC Flow Logs

Understand how to create and manage Amazon VPC flow logs by configuring IAM roles and policies, publishing logs to CloudWatch, and monitoring network traffic to improve your VPC visibility and security.

We'll cover the following...

Having grasped the fundamentals of VPC flow logs, the next step is to learn how to create and manage them. We will create flow logs at the VPC level, enabling flow logs for the entire VPC, and then publish the logs to AWS CloudWatch.

Create an IAM role for publishing logs

To allow VPC flow logs to be published to AWS CloudWatch, the flow log must have access to and write logs to the CloudWatch log group. To grant permissions to the flow logs, we’ll create an IAMIdentity and Access Management role that the flow logs service will assume and attach the necessary permissions to it using a role policy.

Create an IAM policy

The following policy defines the permissions required to publish flow logs to AWS CloudWatch. The policy is always written in JSON in IAM.

IAM policy for publishing logs

Shell
{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Action": [

        "logs:CreateLogGroup",

        "logs:CreateLogStream",

        "logs:PutLogEvents",

        "logs:DescribeLogGroups",

        "logs:DescribeLogStreams"

      ],

      "Resource": "*"

    }

  ]

}


Next, we can use the following command to create the aforementioned policy in AWS:

Markdown
aws iam create-policy --policy-name POLICY_NAME --policy-document file://policy
...