
Create and Manage VPC Flow Logs

Explore the process of creating and managing VPC flow logs in AWS. Understand how to configure IAM roles and policies to enable publishing logs to CloudWatch. Gain practical experience with commands to create, attach policies, and delete flow logs, enhancing your ability to monitor network traffic effectively.

Having grasped the fundamentals of VPC flow logs, the next step is to learn how to create and manage them. We will create the flow log at the VPC level, which captures traffic for every network interface in the VPC, and publish the records to Amazon CloudWatch Logs.

Create an IAM role for publishing logs

To publish VPC flow logs to CloudWatch Logs, the flow logs service needs permission to write to the CloudWatch Logs log group. We grant that permission by creating an IAM (Identity and Access Management) role that the flow logs service assumes, and attaching the required permissions to it as a role policy.

Create an IAM policy

The following policy defines the permissions the flow logs service needs to publish to CloudWatch Logs: it creates the log group if necessary, creates one log stream per network interface, and writes flow records to those streams. IAM policies are always written as JSON documents. Note that "Resource": "*" lets the role write to any log group in the account; in production, scope the CreateLogGroup, CreateLogStream and PutLogEvents actions to the ARN of the flow log's log group (and its streams, the ARN with a trailing ":*") and keep only the Describe actions on "*".

IAM policy for publishing logs

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
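The full procedure this section describes (create the role with its trust and permissions policies, enable the flow log for the whole VPC, and later delete it), as an added AWS CLI example that is not part of the original page. The account ID, region, VPC ID, role name and log group name are placeholders. It goes beyond the policy above in two ways a practitioner would want: the trust policy limits sts:AssumeRole to the VPC Flow Logs service acting for this account and region (aws:SourceAccount / aws:SourceArn, the confused-deputy guard), and the write permissions are scoped to the log group instead of "*". By default the script only prints the aws commands; run it with DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example, not from the original page: create the IAM role and the
# VPC-level flow log with the AWS CLI, and show how to delete the flow log.
# Account ID, region, VPC ID, role name and log group name are placeholders.
# Default is a dry run that prints the aws commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run, to stderr) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*" >&2
  else
    "$@"
  fi
}

# Trust policy: only the VPC Flow Logs service principal may assume the role,
# and only on behalf of flow logs in this account and region. The
# aws:SourceAccount / aws:SourceArn conditions block the confused-deputy case
# where the service is made to assume the role for a flow log in another account.
trust_policy_json() {
  account_id="$1"; region="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "${account_id}" },
        "ArnLike": { "aws:SourceArn": "arn:aws:ec2:${region}:${account_id}:vpc-flow-log/*" }
      }
    }
  ]
}
EOF
}

# Permissions policy: the same actions as the page's policy, but the write
# actions are scoped to the flow log's log group and its streams; only the
# read-only Describe actions keep "Resource": "*".
permissions_policy_json() {
  account_id="$1"; region="$2"; log_group="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": [
        "arn:aws:logs:${region}:${account_id}:log-group:${log_group}",
        "arn:aws:logs:${region}:${account_id}:log-group:${log_group}:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the role, attach the inline permissions policy, and print the role ARN.
# Usage: create_flow_log_role ACCOUNT_ID REGION ROLE_NAME LOG_GROUP
create_flow_log_role() {
  account_id="$1"; region="$2"; role_name="$3"; log_group="$4"
  tmpdir="$(mktemp -d)"
  trust_policy_json "$account_id" "$region" > "$tmpdir/trust.json"
  permissions_policy_json "$account_id" "$region" "$log_group" > "$tmpdir/perms.json"
  run aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "file://$tmpdir/trust.json"
  run aws iam put-role-policy --role-name "$role_name" \
    --policy-name FlowLogsPublishToCloudWatch \
    --policy-document "file://$tmpdir/perms.json"
  rm -rf "$tmpdir"
  printf 'arn:aws:iam::%s:role/%s\n' "$account_id" "$role_name"
}

# Enable flow logs for the whole VPC (all traffic, 1-minute aggregation),
# delivered to CloudWatch Logs through the role. Prints the new flow log ID.
create_vpc_flow_log() {
  vpc_id="$1"; role_arn="$2"; log_group="$3"
  run aws ec2 create-flow-logs --resource-type VPC --resource-ids "$vpc_id" \
    --traffic-type ALL --log-destination-type cloud-watch-logs \
    --log-group-name "$log_group" --deliver-logs-permission-arn "$role_arn" \
    --max-aggregation-interval 60 --query 'FlowLogIds[0]' --output text
}

# Stop capturing. Records already delivered stay in the log group.
delete_vpc_flow_log() {
  run aws ec2 delete-flow-logs --flow-log-ids "$1"
}

main() {
  account_id="${ACCOUNT_ID:-123456789012}"   # placeholder account ID
  region="${AWS_REGION:-us-east-1}"
  vpc_id="${1:-vpc-0123456789abcdef0}"       # placeholder VPC ID
  log_group="vpc-flow-logs"
  role_arn="$(create_flow_log_role "$account_id" "$region" FlowLogsRole "$log_group")"
  flow_log_id="$(create_vpc_flow_log "$vpc_id" "$role_arn" "$log_group")"
  echo "Flow log: ${flow_log_id:-(dry run, none created)}"
  # Later, to remove it: delete_vpc_flow_log "$flow_log_id"
}

main "$@"
```

Run it as `DRY_RUN=0 ACCOUNT_ID=<your account> AWS_REGION=<region> ./flow-logs.sh <vpc-id>`. IAM is eventually consistent, so if create-flow-logs rejects the freshly created role, wait a few seconds and retry that step; the policy documents are written to a temporary directory only because the CLI reads them from file:// paths.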


Next, we can use the following command to create ...