Flow Logs

Enable VPC Flow Logs for an existing VPC, subnet or network interface. Flow Logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC.

Provide the following details to complete the template: 

  • Resource Id for which to enable Flow Logs. A resource can be a VPC, Subnet or Network Interface (ENI).
  • Log Destination: 
    • S3: Create a new S3 bucket or select an existing S3 bucket to store Flow Logs.
    • CloudWatch Logs: Select an existing CloudWatch log group or create a new log group as well as required IAM role to forward logs.
Items: 3 | Size: 1.3 KB | Missing Parameters
AWSTemplateFormatVersion: "2010-09-09"
Description: "Enable VPC Flow Logs for an existing VPC, subnet or network interface (ENI) and deliver them to CloudWatch Logs"
Parameters:
  # Fill these in (the "Missing Parameters" flagged above): the resource to capture
  # and what kind of resource it is.
  ResourceId:
    Type: String
    Description: "ID of the VPC, subnet or network interface (ENI) to enable Flow Logs for"
  ResourceType:
    Type: String
    Default: "VPC"
    AllowedValues:
      - "VPC"
      - "Subnet"
      - "NetworkInterface"
    Description: "Type of the resource named by ResourceId"
Resources:
  # Log group that receives the flow log records.
  FlowLogsGroup:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "FlowLogs"
  # Role the VPC Flow Logs service assumes to write into CloudWatch Logs.
  IamRoleForFlowLogs:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "iamRoleFlowLogsToCloudWatchLogs"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "vpc-flow-logs.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-cw-logs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                  - "logs:DescribeLogGroups"
                  - "logs:DescribeLogStreams"
                # "*" matches the role AWS documents for flow logs; narrow it to the
                # FlowLogs log group ARN if your account policy requires it.
                Resource: "*"
  FlowLogs:
    Type: "AWS::EC2::FlowLog"
    Properties:
      ResourceType:
        Ref: "ResourceType"
      ResourceId:
        Ref: "ResourceId"
      TrafficType: "ALL"
      LogDestinationType: "cloud-watch-logs"
      # Referencing the log group resource instead of repeating its name makes
      # CloudFormation create the group first, so the flow logs service does not
      # race to create a group with the same name.
      LogGroupName:
        Ref: "FlowLogsGroup"
      DeliverLogsPermissionArn:
        Fn::GetAtt:
          - "IamRoleForFlowLogs"
          - "Arn"
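Once the stack is deployed, each record in the FlowLogs log group is a space-separated line in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). The script below is an added example, not part of this template or the catalog; the records it runs on are constructed, and the `min_ports` threshold is an arbitrary assumption. It shows the part a defender adds after enabling capture: parsing records, accounting for NODATA and SKIPDATA records whose traffic fields are `-`, and summarising REJECTed flows per source so that one source probing many ports on an interface stands out.

```python
"""Parse VPC Flow Log records (default format) and summarise REJECTed traffic.

Added example, not code from the template page. Sample records are constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status")

# Constructed sample: one accepted flow, a burst of REJECTs from one source
# against several ports, a single REJECT from another source, and NODATA /
# SKIPDATA records, whose traffic fields are '-' (no traffic in the window,
# or records dropped for capacity reasons).
SAMPLE_RECORDS = """\
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 49152 443 6 12 3480 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.77 10.0.1.25 53211 22 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.77 10.0.1.25 53212 23 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.77 10.0.1.25 53213 3389 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.77 10.0.1.25 53214 445 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 40000 443 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - NODATA
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000120 1700000180 - SKIPDATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    bytes: int
    start: int
    end: int
    action: Optional[str]
    log_status: str


def _str_or_none(token: str) -> Optional[str]:
    return None if token == "-" else token


def _int_or_none(token: str) -> Optional[int]:
    return None if token == "-" else int(token)


def parse_record(line: str) -> FlowRecord:
    """Parse one default-format record; '-' fields become None (or 0 for counters)."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    f = dict(zip(FIELDS, tokens))
    return FlowRecord(
        interface_id=f["interface_id"],
        srcaddr=_str_or_none(f["srcaddr"]),
        dstaddr=_str_or_none(f["dstaddr"]),
        srcport=_int_or_none(f["srcport"]),
        dstport=_int_or_none(f["dstport"]),
        protocol=_int_or_none(f["protocol"]),
        packets=_int_or_none(f["packets"]) or 0,
        bytes=_int_or_none(f["bytes"]) or 0,
        start=int(f["start"]),
        end=int(f["end"]),
        action=_str_or_none(f["action"]),
        log_status=f["log_status"],
    )


def parse_flow_logs(text: str) -> list[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def status_counts(records: list[FlowRecord]) -> dict[str, int]:
    """Count OK / NODATA / SKIPDATA; SKIPDATA means records were lost, a visibility gap."""
    return dict(Counter(r.log_status for r in records))


def rejected_ports_by_source(records: list[FlowRecord]) -> dict[str, set[int]]:
    """Distinct destination ports each source had REJECTed (OK records only)."""
    ports: dict[str, set[int]] = defaultdict(set)
    for r in records:
        if r.log_status == "OK" and r.action == "REJECT" and r.srcaddr and r.dstport is not None:
            ports[r.srcaddr].add(r.dstport)
    return dict(ports)


def flag_port_sweeps(records: list[FlowRecord], min_ports: int = 3) -> list[str]:
    """Sources whose REJECTs touched at least min_ports distinct ports (threshold is an assumption)."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_RECORDS)
    print("log-status counts:", status_counts(recs))
    for src, ports in rejected_ports_by_source(recs).items():
        print(f"{src}: rejected on ports {sorted(ports)}")
    print("sources sweeping multiple ports:", flag_port_sweeps(recs))
```

The same functions run unchanged over records exported from CloudWatch Logs or read from the S3 destination the template offers as an alternative; only the default format is handled, so a custom log format would need `FIELDS` adjusted to match.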
