
VPC Flow Logs: Creating, viewing, deleting, and controlling the use of flow logs

VPC Flow Logs record information about the traffic that enters and leaves your VPC network. The flow log data can be published to Amazon S3 or CloudWatch Logs. Once created, the VPC flow log lets you monitor every network interface in that VPC. The flow logs provide details on the:

  1. Source and destination IP addresses of the traffic that tries to reach resources in your VPC.
  2. Port numbers used to access the cloud resource.
  3. Accepted and rejected traffic.
  4. Transport protocol used by the access request.

You can use this information to monitor traffic trends and spot malicious requests, helping to secure data in the cloud.

This article elaborates on the steps to create, view, control, and delete flow logs.

Creating VPC flow logs

To get started, you need to create a VPC flow log that publishes the flow log data to a destination defined by you. Check out this article on how to create and publish the VPC flow logs to Amazon CloudWatch or S3.

Viewing stored VPC flow logs

After creating and specifying the destination for publishing the flow logs, you can analyze the collected data in the destination to gain insights into the traffic that enters and exits your network.

Flow logs provide information on:

  1. The geographical location of users (derived from the source IP addresses).
  2. Attempts to find open ports.
  3. Overly restrictive or permissive security group policies.
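The list above names what a flow log can reveal; the following added example (not code from the original article) shows how those facts are pulled out of raw records. It parses the default version 2 record format, separates accepted from rejected traffic, tallies protocols, and flags a source address whose rejected flows touch many distinct destination ports, which is how an attempt to find open ports shows up in the data. The sample records, account ID, interface ID and the five-port threshold are all constructed for the example.

```python
"""Parse AWS VPC flow log records (default version 2 format) and summarise
source/destination addresses, ports, accepted vs rejected traffic, protocols,
and one-source-many-ports probing.

Added example, not from the original article. Sample records are constructed;
the account and interface IDs are placeholders.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default (version 2) flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# IANA protocol numbers as they appear in the "protocol" field.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: normal SSH and DNS traffic, one external address
# rejected on six different ports, one single rejected connection, and a
# NODATA record (no traffic in the window, fields are '-').
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.15 10.0.1.42 50432 22 6 18 3120 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.42 10.0.0.2 43211 53 17 2 180 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.42 41000 22 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.42 41001 23 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.42 41002 80 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.42 41003 443 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.42 41004 3389 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.45 10.0.1.42 41005 8080 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.42 52000 443 6 1 44 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000059 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one space-separated record.

    Returns None for records without traffic data (log-status NODATA or
    SKIPDATA, where the address and port fields are '-').
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    proto_num = int(rec["protocol"])
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=PROTOCOLS.get(proto_num, str(proto_num)),
        packets=int(rec["packets"]),
        bytes=int(rec["bytes"]),
        start=int(rec["start"]),
        end=int(rec["end"]),
        action=rec["action"],
    )


def parse_log(text: str) -> list[FlowRecord]:
    """Parse every record in a block of log text, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def traffic_summary(records: list[FlowRecord]) -> dict:
    """Count accepted vs rejected flows and flows per protocol."""
    actions = Counter(r.action for r in records)
    protocols = Counter(r.protocol for r in records)
    return {"ACCEPT": actions["ACCEPT"], "REJECT": actions["REJECT"],
            "protocols": dict(protocols)}


def find_port_probes(records: list[FlowRecord], min_ports: int = 5) -> dict[str, list[int]]:
    """Flag sources whose rejected flows hit many distinct destination ports.

    One address rejected on several unrelated ports in the same window is the
    flow-log signature of a port sweep. min_ports is a tuning threshold chosen
    for this example, not an AWS constant.
    """
    rejected_ports: dict[str, set[int]] = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected_ports[r.srcaddr].add(r.dstport)
    return {src: sorted(ports) for src, ports in rejected_ports.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(traffic_summary(recs))
    print(find_port_probes(recs))
```

For logs published to S3 or CloudWatch Logs the same functions apply line by line; if you enabled a custom record format when creating the flow log, adjust `FIELDS` to match the field order you chose.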

The steps below show how to view flow logs, depending on where they are published.

How to view VPC flow logs from network interfaces:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, select Network Interfaces.
  3. Select the network interface whose logs you need to view, then click the Flow Logs tab. This displays information about the VPC flow logs, such as the Destination Type (which is CloudWatch in this case), the timestamp of log generation (Creation Time), and the Flow Log ID.

How to view VPC flow logs from VPCs or subnets:

  1. Open the Amazon VPC console.
  2. In the navigation pane, select Your VPCs or Subnets.
  3. Select the VPC or subnet whose logs you need to view, then click the Flow Logs tab. This displays information about the VPC flow logs, such as the Destination Type (which is S3 in this case), the timestamp of log generation (Creation Time), and the Flow Log ID.

Deleting VPC flow logs

There might be instances where you need to change an existing VPC flow log’s configuration parameters. However, modifying the parameters of an existing flow log is not possible in Amazon VPC. Instead, you must delete the existing VPC flow log and create a new one.

How to delete VPC flow logs published to CloudWatch:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, select Network Interfaces.
  3. Select the network interface whose flow log you need to delete, then click the Flow Logs tab.
  4. Click the delete button to delete the selected VPC flow log.
  5. Select Yes, Delete in the confirmation dialog box that appears.

How to delete VPC flow logs published to S3:

  1. Open the Amazon VPC console.
  2. In the navigation pane, select Your VPCs or Subnets.
  3. Select the VPC or subnet whose flow log you need to delete, then click the Flow Logs tab.
  4. Click the delete button to delete the selected VPC flow log.
  5. Select Yes, Delete in the confirmation dialog box that appears.

Note: Deleting the VPC flow log only stops further collection; records that have already been published to the destination remain there until you delete them in S3 or CloudWatch Logs.

Controlling the use of VPC flow logs

In AWS, Identity and Access Management (IAM) users do not have permissions to create or delete VPC flow logs by default. The permission to work with VPC flow logs has to be explicitly granted to specific users or groups of users.

How to grant users permissions to create, describe, and delete VPC flow logs:

  1. In the AWS console, select IAM under the Services menu.
  2. Click Policies in the left navigation pane.
  3. Click Create policy.
  4. In the JSON tab, enter the policy statement.
  5. Sample policy to grant permissions to create, describe, and delete flow logs:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ec2:DeleteFlowLogs",
             "ec2:CreateFlowLogs",
             "ec2:DescribeFlowLogs"
           ],
           "Resource": "*"
         }
       ]
     }


  6. Click Review policy.
  7. Enter a name and description for the policy.
  8. Click Create policy.
  9. Find the recently created policy in the list of policies and click on it.
  10. In the Policy actions drop-down, click Attach.
  11. Choose the users who require access to work with flow logs.
  12. Click Attach policy.
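The sample policy above grants ec2:CreateFlowLogs and ec2:DeleteFlowLogs on every resource ("*"), so anyone who holds it can also switch off logging on any interface in the account. The following added example (not code from the original article) is a small reviewer for such documents: it loads a policy, and reports each Allow statement that combines a flow-log action that changes the logging setup with Resource "*". A second, hypothetical policy shows the same grants narrowed to one account and region; its ARN form is an assumption and should be checked against the IAM Service Authorization Reference for Amazon EC2 before use.

```python
"""Review an IAM policy document for flow-log grants broader than needed.

Added example, not from the original article. ARTICLE_POLICY reproduces the
article's sample; SCOPED_POLICY is a hypothetical tightened variant.
"""
from __future__ import annotations

import json

# Describe* only reads metadata and is account-wide; Create/Delete change the
# logging setup and are the ones worth scoping.
MUTATING_ACTIONS = {"ec2:CreateFlowLogs", "ec2:DeleteFlowLogs"}

ARTICLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteFlowLogs",
        "ec2:CreateFlowLogs",
        "ec2:DescribeFlowLogs"
      ],
      "Resource": "*"
    }
  ]
}"""

# Hypothetical tightened variant (not from the article). Describe keeps "*",
# the mutating actions are limited to flow logs in one account and region.
# The ARN format and the account ID are assumed placeholders; confirm the
# resource type against the Service Authorization Reference before using it.
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeFlowLogs"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateFlowLogs", "ec2:DeleteFlowLogs"],
      "Resource": "arn:aws:ec2:us-east-1:111122223333:vpc-flow-log/*"
    }
  ]
}"""


def _as_list(value) -> list:
    """IAM accepts a single string (or a single statement object) or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(pattern: str, action: str) -> bool:
    """Case-insensitive IAM action match with a trailing '*' wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def find_broad_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that lets a mutating flow-log
    action run against Resource "*". Statements with a Condition block are
    still reported, because a condition may or may not narrow them enough.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" not in resources:
            continue
        broad = sorted(a for a in MUTATING_ACTIONS
                       if any(_matches(p, a) for p in patterns))
        if broad:
            findings.append({"statement": idx, "actions": broad})
    return findings


if __name__ == "__main__":
    print("article policy:", find_broad_grants(ARTICLE_POLICY))
    print("scoped policy: ", find_broad_grants(SCOPED_POLICY))
```

Run it against any policy JSON you are about to attach; a non-empty result means the policy lets its holders create or delete flow logs account-wide, which is worth a second look before clicking Attach policy.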

VPC flow logs provide a single source of information for monitoring the traffic flowing through the different network interfaces and subnets in a VPC. By properly configuring the VPC flow logs to log the activities that need monitoring, you can leverage VPC flow logs to their full extent and take your business forward.

  Zoho Corporation Pvt. Ltd. All rights reserved.