Configure AWS VPC Flow logs to CloudWatch Log group
In this short tutorial, we will look at how to enable VPC Flow Logs in your AWS account. VPC Flow Logs is an AWS feature that captures information about the IP traffic going to and from the network interfaces in a VPC. We will configure it to publish the collected data to an Amazon CloudWatch Logs log group, although an S3 bucket can also be used as the destination. Because flow log data is collected outside the network traffic path, it does not affect network throughput or latency.
By accessing VPC flow logs, you can:
- Monitor the traffic reaching your instance
- Determine the direction of traffic to and from the network interface
- Diagnose overly restrictive security group rules
You can create or delete flow logs without affecting network performance. A flow log can be created for a VPC, a subnet or a single network interface. When enabled at the VPC or subnet level, every network interface in that VPC or subnet is monitored.
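As an added example (not part of the original article), the following POSIX shell snippet shows how the records that a flow log delivers can be used for the second and third points above: it reads records in the default flow log format (version 2, fourteen space-separated fields) and summarises rejected flows per destination address and port. The records are constructed samples, the interface ID and addresses are made up, and only records whose log-status is OK are counted, since NODATA and SKIPDATA records carry no traffic information.

```shell
#!/bin/sh
# Constructed sample records in the default VPC flow log format (version 2).
# Field order: version account-id interface-id srcaddr dstaddr srcport dstport
#              protocol packets bytes start end action log-status
SAMPLE_RECORDS='2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 49152 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 49153 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51001 8443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA'

# Summarise rejected flows per destination address and port.
# Reads flow log records on stdin and writes "dstaddr dstport count",
# most frequently rejected first. Records without a log-status of OK
# (NODATA, SKIPDATA) are ignored because they describe no traffic.
reject_summary() {
  awk '$14 == "OK" && $13 == "REJECT" { n[$5 " " $7]++ }
       END { for (k in n) print k, n[k] }' |
  sort -k3,3nr -k2,2n
}

# Example run over the constructed records.
printf '%s\n' "$SAMPLE_RECORDS" | reject_summary
```

A destination port that an instance is meant to serve (here 22, if SSH is expected from 203.0.113.5) showing up with repeated REJECTs is the signature of a security group or network ACL that is stricter than intended; REJECTs on ports the instance does not serve are the rules doing their job.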
Configure AWS VPC Flow logs to CloudWatch Log group
Before you begin, you need to install and configure the AWS CLI. For the full installation steps, refer to the following article:
Install and use AWS CLI on Linux-Ubuntu / Debian / CentOS
Confirm that your AWS CLI is configured by retrieving the caller identity:
aws sts get-caller-identity
You also need administrative permissions in your AWS account to complete this tutorial. Access to the AWS console is also useful for viewing the data.
Step 1: Create IAM policies and roles
The first step is to create an IAM role that allows the VPC Flow Logs service to publish logs to a CloudWatch Logs log group on our behalf. You can do this from the AWS console or the CLI.
Before creating the role, you need an IAM policy, which is created under IAM > Policies > Create policy > JSON. Paste the document below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Name the policy and finish creating it.
To create the IAM role, go to Identity and Access Management (IAM) > Roles > Create role. For the trusted entity type, select "AWS service" with "EC2".
Click "Next" to attach permissions. On the "Add permissions" page, select the policy you created earlier.
Name the role to complete the creation. I named mine IAM-release process log, the same name as the policy.
Copy the Role ARN and save it somewhere.
Step 2: Edit the trust relationship
You also need to update the trust relationship so that the VPC Flow Logs service can assume the IAM role and write to the CloudWatch log group. Go to IAM > Roles and click the role you created in Step 1.
Click "Edit trust policy" to update the policy.
Set the trust policy to the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Click the "Update trust policy" button to save the relationship.
Step 3: Create CloudWatch Log group
The CloudWatch log group defines where the log streams are stored. Create it under Services > CloudWatch > Logs > Log groups > Create log group.
Click the Create button to proceed.
Step 4: Enable AWS VPC flow logs
To enable the flow log, go to Services > VPC > Your VPCs > YourVPCName > Create flow log.
Fill in all the required information:
- Name the flow log
- Select the traffic filter type
- Maximum aggregation interval
- Destination: CloudWatch Logs or an Amazon S3 bucket
- Destination log group in CloudWatch
- IAM role with permission to publish to the selected log group
- Log record format
My settings are shown in the picture below.
Click the Create Flow Log button to complete the setup. You can confirm that the flow log was created by listing the available flow logs.
Clicking the "Destination name" link should take you to the log group, where you can filter the log streams. You can also enable the flow log from the CLI (supply your VPC ID, log group name and role ARN):
aws ec2 create-flow-logs --resource-type VPC --resource-ids --traffic-type ALL --log-group-name --deliver-logs-permission-arn
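As an added example (not part of the original article), the following POSIX shell script performs Steps 1 to 4 from the AWS CLI in one go: it creates the permissions policy, creates the role with the flow-logs trust policy already attached (the CLI equivalent of editing the trust relationship afterwards), attaches the policy, creates the log group and finally creates the flow log, then lists it for verification. The VPC ID, log group, role and policy names are assumptions, and the script defaults to DRY_RUN=1, which prints the commands instead of running them; the account ID 123456789012 used in dry runs is a constructed placeholder, while a real run reads the account ID from sts get-caller-identity.

```shell
#!/bin/sh
# Added example: provision VPC Flow Logs to CloudWatch Logs from the AWS CLI.
# DRY_RUN=1 (default) prints every command; set DRY_RUN=0 to execute them.
set -eu
: "${DRY_RUN:=1}"

# Permissions policy (same document as Step 1): what the flow-logs service
# may do in CloudWatch Logs.
policy_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
    "Resource": "*"
  }]
}
EOF
}

# Trust policy (same document as Step 2): only the VPC Flow Logs service
# principal may assume the role.
trust_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# setup_flow_logs VPC_ID LOG_GROUP ROLE_NAME POLICY_NAME
setup_flow_logs() {
  vpc_id=$1; log_group=$2; role_name=$3; policy_name=$4

  if [ "$DRY_RUN" = "1" ]; then
    account_id=123456789012   # constructed placeholder, only used in dry runs
  else
    account_id=$(aws sts get-caller-identity --query Account --output text)
  fi
  policy_arn="arn:aws:iam::${account_id}:policy/${policy_name}"
  role_arn="arn:aws:iam::${account_id}:role/${role_name}"

  # Step 1 + Step 2: policy, then the role with the flow-logs trust policy.
  run aws iam create-policy --policy-name "$policy_name" --policy-document "$(policy_document)"
  run aws iam create-role --role-name "$role_name" --assume-role-policy-document "$(trust_document)"
  run aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"

  # Step 3: the destination log group.
  run aws logs create-log-group --log-group-name "$log_group"

  # Step 4: the flow log itself, capturing all traffic for the VPC.
  run aws ec2 create-flow-logs --resource-type VPC --resource-ids "$vpc_id" \
    --traffic-type ALL --log-destination-type cloud-watch-logs \
    --log-group-name "$log_group" --deliver-logs-permission-arn "$role_arn" \
    --max-aggregation-interval 60

  # Verification: list the flow logs attached to this VPC.
  run aws ec2 describe-flow-logs --filter "Name=resource-id,Values=$vpc_id"
}

# Example invocation with assumed names (replace with your own).
setup_flow_logs vpc-0123456789abcdef0 /aws/vpc/flow-logs IAM-publish-flow-logs IAM-publish-flow-logs
```

Creating the role with the trust document up front avoids the window in which an EC2-trusted role carries log-writing permissions it was never meant to hold, and the final describe-flow-logs call is the CLI counterpart of confirming the creation in the console.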