VPC Flow Logs - an Introduction


Brett Gillett

3 minute read

If you’re running solutions on the AWS platform, you most likely have a Virtual Private Cloud (VPC). The majority of deployed VPCs don’t have an essential feature enabled - VPC Flow Logs.

VPC Flow Logs capture metadata about the IP traffic flowing to and from the network interfaces in your VPC: source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by your security groups and NACLs. They do not capture packet payloads, and some traffic is never logged (for example, queries to the Amazon DNS resolver and requests to the instance metadata service). You can enable logging for an entire VPC, for individual subnets, or for individual network interfaces. During the setup process you choose which traffic to record: Rejected, Accepted, or All.

Enabling Flow Logs is super simple. You can use the AWS Management Console, CLI, SDK, or an Infrastructure as Code tool and be collecting logs in no time.

During the setup process, you'll also need to decide where to store the logging data. Currently, you can use CloudWatch Logs or the Simple Storage Service (S3). Choose carefully: a flow log's destination and record format cannot be changed after it is created; to change them, delete the flow log and create a new one.

Here's an example of how you can use the AWS CLI to enable Flow Logs on a VPC:

 aws ec2 create-flow-logs --deliver-logs-permission-arn [IAM-ROLE-ARN] \
 --log-group-name [NAME] --resource-ids [VPC ID] --resource-type VPC \
 --traffic-type ALL --profile [PROFILE] --region [REGION]

NOTE: The above command assumes you already have the required IAM role set up. CloudWatch Logs is the default destination when no log destination type is given. The command returns the new flow log ID under FlowLogIds, and any failure appears under Unsuccessful, so check the output rather than assuming the log group is receiving data.

Here's a snippet of YAML you could use in CloudFormation to add VPC Flow Logs to a Virtual Private Cloud (VPC). It reuses an IAM role exported by a separate IAM stack (the iamTemplate parameter) rather than defining the role inline.

# The iamTemplate parameter and the vpc resource are assumed here so the
# snippet is complete; the original only referenced them.
Parameters:
  iamTemplate:
    Type: String
    Description: Name of the stack that exports the Flow Logs IAM role ARN

Resources:
  vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16

  # Log group with an explicit retention so ingested flow data does not
  # accumulate (and cost) forever.
  logGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '${AWS::StackName}-lg'
      RetentionInDays: 14

  flowLog:
    Type: AWS::EC2::FlowLog
    DependsOn:
      - vpc
      - logGroup
    Properties:
      # ARN of the role the Flow Logs service assumes to write to the log group
      DeliverLogsPermissionArn: {'Fn::ImportValue': !Sub '${iamTemplate}-flowLogs-role'}
      LogGroupName: !Ref logGroup
      ResourceId: !Ref vpc
      ResourceType: VPC
      TrafficType: ALL

CloudWatch Logs

If you decide to use CloudWatch Logs, you'll end up with one log stream per network interface in the monitored VPC. From there, you can create Metric Filters (for example, an alarm on a spike in REJECT records) or a Lambda subscription to process log data as it arrives.

You can also use CloudWatch Logs Insights to analyze log data with ad-hoc queries.

To publish data to CloudWatch Logs, the Flow Logs service needs an IAM role it can assume. The role's trust policy must allow the service principal vpc-flow-logs.amazonaws.com to call sts:AssumeRole, and its permissions policy must allow logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams on the destination log group. Add aws:SourceAccount (and aws:SourceArn) conditions to the trust policy so that a flow log in another account cannot assume your role.

Simple Storage Service (S3)

If you decide on S3, you'll end up with a series of gzip-compressed objects in the bucket you assign as the destination, organised under AWSLogs/[account-id]/vpcflowlogs/[region]/[year]/[month]/[day]/. Each file begins with a header line naming the fields, followed by one record per line. You can analyze Flow Log data in your S3 bucket using Athena by creating a table whose columns match the record format.

S3 buckets are private by default, so before the service can write to S3 you need a bucket policy that allows it: grant the principal delivery.logs.amazonaws.com s3:PutObject on the AWSLogs prefix (with a condition requiring the bucket-owner-full-control ACL, so the objects belong to you) and s3:GetBucketAcl on the bucket itself.
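Whether the records come from a CloudWatch Logs subscription (one record per event, no header) or from an S3 object (a header line followed by records), processing them starts with the same step: splitting each line into named fields. The following is an added example, my own illustration rather than code from the original post, that parses default-format records from either source, skips NODATA and SKIPDATA records, and flags sources whose rejected flows touched many distinct destination ports. The sample records, the port-count threshold, and the account and interface IDs are constructed assumptions for the example; the default record format is the one AWS documents.

```python
"""Parse VPC Flow Log records and summarise rejected traffic.

Added example (not from the original post). It assumes the default
record format documented by AWS:
  version account-id interface-id srcaddr dstaddr srcport dstport
  protocol packets bytes start end action log-status
Files delivered to S3 start with a header line naming the fields;
CloudWatch Logs events carry one record per message without a header.
All sample records below are constructed for illustration.
"""
from collections import defaultdict

DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

# Constructed sample: an S3-delivered file after gunzip (header + records).
S3_SAMPLE = """version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51234 22 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51235 23 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51236 3389 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51237 445 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40000 443 6 10 8000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40001 443 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

# Constructed sample: messages as they arrive from a CloudWatch Logs
# subscription (one record per event, no header line).
CLOUDWATCH_SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 192.0.2.7 10.0.1.20 1111 80 6 1 40 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.7 10.0.1.20 1112 8080 6 1 40 1600000000 1600000060 REJECT OK",
]


def parse_records(lines, fields=None):
    """Yield one dict per usable flow record.

    A line starting with 'version' and containing 'log-status' is treated
    as a header and its tokens become the field names (this also covers a
    custom format delivered to S3). Otherwise DEFAULT_FIELDS is used.
    Records whose log-status is not OK (NODATA, SKIPDATA) carry '-'
    placeholders and are skipped.
    """
    fields = list(fields or DEFAULT_FIELDS)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "version" and "log-status" in parts:
            fields = parts
            continue
        if len(parts) != len(fields):
            # Malformed or truncated record; do not guess at field alignment.
            continue
        rec = dict(zip(fields, parts))
        if rec.get("log-status") != "OK":
            continue
        yield rec


def summarise_rejects(records):
    """Return {srcaddr: {'rejects': count, 'ports': set(dstport)}} over REJECT records."""
    summary = defaultdict(lambda: {"rejects": 0, "ports": set()})
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        entry = summary[rec["srcaddr"]]
        entry["rejects"] += 1
        entry["ports"].add(int(rec["dstport"]))
    return dict(summary)


def suspected_scanners(summary, min_ports=3):
    """Sources whose rejected flows hit at least min_ports distinct ports.

    The threshold is an assumption for this example; tune it to your baseline.
    """
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    s3_summary = summarise_rejects(parse_records(S3_SAMPLE.splitlines()))
    cw_summary = summarise_rejects(parse_records(CLOUDWATCH_SAMPLE))
    print("S3 suspected scanners:", suspected_scanners(s3_summary))
    print("CloudWatch suspected scanners:", suspected_scanners(cw_summary, min_ports=2))
```

In a Lambda subscription you would pass each event's message to parse_records; for S3 you would gunzip each object and pass its lines, header included. A single REJECT from a known client (198.51.100.4 above) is usually a security group or NACL mistake worth troubleshooting; a source spraying REJECTs across many ports is the pattern you would alert on. Athena gives the same answer with a GROUP BY on srcaddr and COUNT(DISTINCT dstport) once a table with matching columns exists.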

VPC Flow Logs - a fantastic tool

Simple to set up and cost-effective, VPC Flow Logs should be part of every VPC you deploy. They give you valuable information for troubleshooting both security groups and NACLs (a REJECT record shows exactly which flow was dropped), they may help you meet compliance requirements, and they are a crucial AWS security data source. Keep an eye on ingestion and storage costs: set a retention period on the log group, or use S3 lifecycle rules, rather than keeping every record forever.
