Use VPC Flow Logs

2020/3/11, 1 min read

Create Flow logs

Select the VPC you want to enable flow logs for, click Actions, then click Create flow log.

Setup Destination log group

If you choose to send the logs to CloudWatch Logs, you first have to set up a destination log group. Go to CloudWatch and choose Log groups.

Set up IAM role for flow logs

Click Set up permission on the Create flow log page (this link only appears in the old console UI). It creates an IAM role with the following policy, which allows flow logs to read from and write to CloudWatch Logs.

Policy Document

{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

After setting up flow logs, when you hit an EC2 instance in the VPC, you should see logs like the following in the log group.
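As an added example (not code from the original post), here is a small Python parser for the default version 2 flow log record format that lands in the log group above. It tolerates NODATA records, where the traffic fields are "-", and counts REJECT flows per source address as a first-pass signal for blocked access attempts; the account and ENI ids in the sample records are constructed placeholders.

```python
"""Parse default-format (version 2) VPC Flow Log records and count rejected flows."""
from collections import Counter

# Field order of the default VPC Flow Log format (version 2).
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_record(line: str) -> dict:
    """Split one space-delimited record into a dict keyed by field name.
    NODATA / SKIPDATA records carry "-" in the traffic fields; those become None."""
    fields = line.split()
    if len(fields) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(fields)}")
    record = {}
    for name, value in zip(DEFAULT_FIELDS, fields):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def rejected_by_source(lines, min_count: int = 2) -> dict:
    """Count REJECT flows per source address over fully logged (OK) records.
    Returns sources seen at or above min_count, a first-pass signal for
    repeated blocked access attempts against instances in the VPC."""
    counts = Counter()
    for line in lines:
        record = parse_record(line)
        if record["log_status"] != "OK" or record["action"] != "REJECT":
            continue
        counts[record["srcaddr"]] += 1
    return {src: n for src, n in counts.items() if n >= min_count}


# Constructed sample records with placeholder account and ENI ids (not from the post).
SAMPLE_LOGS = [
    "2 111122223333 eni-0abc123de456f7890 203.0.113.5 10.0.1.10 51234 22 6 3 180 1583884800 1583884860 REJECT OK",
    "2 111122223333 eni-0abc123de456f7890 203.0.113.5 10.0.1.10 51235 3389 6 2 120 1583884800 1583884860 REJECT OK",
    "2 111122223333 eni-0abc123de456f7890 198.51.100.7 10.0.1.10 44321 443 6 12 9400 1583884800 1583884860 ACCEPT OK",
    "2 111122223333 eni-0abc123de456f7890 - - - - - - - 1583884800 1583884860 - NODATA",
]

if __name__ == "__main__":
    print(rejected_by_source(SAMPLE_LOGS))  # {'203.0.113.5': 2}
```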