Having grasped the fundamentals of VPC flow logs, the next step is to learn how to create and manage them. We will create flow logs at the VPC level, enabling flow logs for the entire VPC, and then publish the logs to AWS CloudWatch.

Create an IAM role for publishing logs

To allow VPC flow logs to be published to AWS CloudWatch, the flow logs service must be able to create log streams in, and write log events to, the destination CloudWatch log group. To grant those permissions, we'll create an IAM (Identity and Access Management) role that the flow logs service will assume, and attach the necessary permissions to it using a role policy.

Create an IAM policy

The following policy defines the permissions required to publish flow logs to AWS CloudWatch. IAM policies are always written in JSON.

IAM policy for publishing logs
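As an added example (not the course's own policy text), the script below builds both documents the role needs: the permissions policy with the CloudWatch Logs actions AWS documents for the flow logs destination, and the trust policy that lets only `vpc-flow-logs.amazonaws.com` assume the role. It tightens two things a practitioner should check before attaching the role: `Resource` is scoped to one log group instead of `"*"`, and the trust policy carries `aws:SourceAccount` / `aws:SourceArn` conditions so a flow log in another account cannot assume the role. The account ID, region, role name and log group name are constructed placeholders, and the `boto3` client is passed in by the caller rather than created here.

```python
"""Added example: build the IAM trust policy and permissions policy a VPC flow
log needs to publish to a CloudWatch log group, scoped to least privilege."""
import json

# Constructed placeholder values; replace with your own account, region and
# log group name. None of these come from the original page.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
LOG_GROUP_NAME = "vpc-flow-logs"      # assumed name of the destination log group
ROLE_NAME = "VpcFlowLogsPublishRole"  # assumed role name

# Actions the flow logs service needs, as documented by AWS for the
# CloudWatch Logs destination.
FLOW_LOG_ACTIONS = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
]


def log_group_arns(account_id, region, log_group_name):
    """ARNs for the log group itself and for the log streams inside it."""
    base = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return [base, base + ":*"]


def permissions_policy(account_id, region, log_group_name):
    """Role policy: least-privilege version of the AWS-documented policy.
    Resource is narrowed from "*" to the one log group (assumption: the
    Describe* calls accept that scope; widen to log-group:* if they do not)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": FLOW_LOG_ACTIONS,
            "Resource": log_group_arns(account_id, region, log_group_name),
        }],
    }


def trust_policy(account_id, region):
    """Trust policy letting only the VPC flow logs service assume the role.
    The SourceAccount/SourceArn conditions guard against the confused-deputy
    problem: a flow log created in another account cannot assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"
                },
            },
        }],
    }


def wildcard_resource_statements(policy):
    """Return indices of Allow statements whose Resource includes "*".
    A cheap check to run on any policy before it is attached to a role."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if stmt.get("Effect") == "Allow" and "*" in res:
            hits.append(i)
    return hits


def create_flow_log_role(iam, role_name, account_id, region, log_group_name):
    """Create the role and attach the inline role policy.
    `iam` is a boto3 IAM client supplied by the caller (e.g. boto3.client("iam")),
    so this module stays importable without network access."""
    perms = permissions_policy(account_id, region, log_group_name)
    if wildcard_resource_statements(perms):
        raise ValueError("refusing to attach a policy with Resource '*'")
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_id, region)),
        Description="Lets VPC flow logs publish to CloudWatch Logs",
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="vpc-flow-logs-publish",
        PolicyDocument=json.dumps(perms),
    )
    return f"arn:aws:iam::{account_id}:role/{role_name}"


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_ID, REGION), indent=2))
    print(json.dumps(permissions_policy(ACCOUNT_ID, REGION, LOG_GROUP_NAME), indent=2))
```

The role ARN returned by `create_flow_log_role` is what you pass as the delivery role when creating the flow log. If the flow log later reports delivery errors, the first things to verify are that the log group ARN in the permissions policy matches the group you chose as the destination and that the trust policy's `aws:SourceArn` region matches the VPC's region.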
