AWS::EC2::FlowLog - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::EC2::FlowLog

Specifies a VPC flow log that captures IP traffic for a specified network interface, subnet, or VPC. To view the log data, use Amazon CloudWatch Logs (CloudWatch Logs) to help troubleshoot connection issues. For example, you can use a flow log to investigate why certain traffic isn't reaching an instance, which can help you diagnose overly restrictive security group rules. For more information, see VPC Flow Logs in the Amazon VPC User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::EC2::FlowLog", "Properties" : { "DeliverCrossAccountRole" : String, "DeliverLogsPermissionArn" : String, "DestinationOptions" : DestinationOptions, "LogDestination" : String, "LogDestinationType" : String, "LogFormat" : String, "LogGroupName" : String, "MaxAggregationInterval" : Integer, "ResourceId" : String, "ResourceType" : String, "Tags" : [ Tag, ... ], "TrafficType" : String } }

YAML

Type: AWS::EC2::FlowLog Properties: DeliverCrossAccountRole: String DeliverLogsPermissionArn: String DestinationOptions: DestinationOptions LogDestination: String LogDestinationType: String LogFormat: String LogGroupName: String MaxAggregationInterval: Integer ResourceId: String ResourceType: String Tags: - Tag TrafficType: String

Properties

DeliverCrossAccountRole

The ARN of the IAM role that allows the service to publish flow logs across accounts.

Required: No

Type: String

Update requires: Replacement

DeliverLogsPermissionArn

The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination.

This parameter is required if the destination type is cloud-watch-logs, or if the destination type is kinesis-data-firehose and the delivery stream and the resources to monitor are in different accounts.

Required: No

Type: String

Update requires: Replacement

DestinationOptions

The destination options.

Required: No

Type: DestinationOptions

Update requires: Replacement

LogDestination

The destination for the flow log data. The meaning of this parameter depends on the destination type.

  • If the destination type is cloud-watch-logs, specify the ARN of a CloudWatch Logs log group. For example:

    arn:aws:logs:region:account_id:log-group:my_group

    Alternatively, use the LogGroupName parameter.

  • If the destination type is s3, specify the ARN of an S3 bucket. For example:

    arn:aws:s3:::my_bucket/my_subfolder/

    The subfolder is optional. Note that you can't use AWSLogs as a subfolder name.

  • If the destination type is kinesis-data-firehose, specify the ARN of a Kinesis Data Firehose delivery stream. For example:

    arn:aws:firehose:region:account_id:deliverystream:my_stream

Required: No

Type: String

Update requires: Replacement

LogDestinationType

The type of destination for the flow log data.

Default: cloud-watch-logs

Required: No

Type: String

Allowed values: cloud-watch-logs | s3 | kinesis-data-firehose

Update requires: Replacement

LogFormat

The fields to include in the flow log record, in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see Flow log records in the Amazon VPC User Guide or Transit Gateway Flow Log records in the Amazon Transit Gateway Guide.

Specify the fields using the ${field-id} format, separated by spaces.

Required: No

Type: String

Update requires: Replacement

LogGroupName

The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs.

This parameter is valid only if the destination type is cloud-watch-logs.

Required: No

Type: String

Update requires: Replacement

MaxAggregationInterval

The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. The possible values are 60 seconds (1 minute) or 600 seconds (10 minutes). This parameter must be 60 seconds for transit gateway resource types.

When a network interface is attached to a Nitro-based instance, the aggregation interval is always 60 seconds or less, regardless of the value that you specify.

Default: 600

Required: No

Type: Integer

Update requires: Replacement

ResourceId

The ID of the resource to monitor. For example, if the resource type is VPC, specify the ID of the VPC.

Required: Yes

Type: String

Update requires: Replacement

ResourceType

The type of resource to monitor.

Required: Yes

Type: String

Allowed values: NetworkInterface | Subnet | VPC | TransitGateway | TransitGatewayAttachment

Update requires: Replacement

Tags

The tags to apply to the flow logs.

Required: No

Type: Array of Tag

Update requires: No interruption

TrafficType

The type of traffic to monitor (accepted traffic, rejected traffic, or all traffic). This parameter is not supported for transit gateway resource types. It is required for the other resource types.

Required: No

Type: String

Allowed values: ACCEPT | ALL | REJECT

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the flow log ID, such as fl-123456abc123abc1.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Id

The ID of the flow log. For example, fl-123456abc123abc1.

Examples

Publish a flow log to CloudWatch Logs to monitor all traffic

The following example creates a flow log for the specified VPC, and captures all traffic types. Amazon EC2 publishes the logs to the FlowLogsGroup log group.

JSON

{ "MyFlowLog": { "Type": "AWS::EC2::FlowLog", "Properties": { "DeliverLogsPermissionArn": { "Fn::GetAtt": [ "FlowLogRole", "Arn" ] }, "LogGroupName": "FlowLogsGroup", "ResourceId": { "Ref": "MyVPC" }, "ResourceType": "VPC", "TrafficType": "ALL" } } }

YAML

MyFlowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn LogGroupName: FlowLogsGroup ResourceId: !Ref MyVPC ResourceType: VPC TrafficType: ALL

Publish a custom format flow log to CloudWatch Logs for REJECT traffic

The following example creates a flow log for the specified subnet and captures REJECT traffic. The flow log uses a custom log format (the LogFormat property uses the ${field-id} format, separated by spaces). Amazon EC2 aggregates the logs over 60 second intervals, and publishes the logs to the FlowLogsGroup log group. The flow log is created with two tags.

JSON

{ "MyDetailedFlowLogDeliveringToCloudWatchLogs": { "Type": "AWS::EC2::FlowLog", "Properties": { "ResourceId": { "Ref": "MySubnet" }, "ResourceType": "Subnet", "TrafficType": "REJECT", "LogGroupName": "FlowLogsGroup", "DeliverLogsPermissionArn": { "Fn::GetAtt": [ "FlowLogRole", "Arn" ] }, "LogFormat": "${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}", "MaxAggregationInterval": 60, "Tags": [ { "Key": "Name", "Value": "FlowLogForSubnetA" }, { "Key": "Purpose", "Value": "RejectTraffic" } ] } } }

YAML

MyDetailedFlowLogDeliveringToCloudWatchLogs: Type: AWS::EC2::FlowLog Properties: ResourceId: !Ref MySubnet ResourceType: Subnet TrafficType: REJECT LogGroupName: FlowLogsGroup DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn LogFormat: ${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr} MaxAggregationInterval: 60 Tags: - Key: Name Value: FlowLogForSubnetA - Key: Purpose Value: RejectTraffic

Publish a custom format flow log to Amazon S3 for ACCEPT traffic

The following example creates a flow log for the specified subnet and captures ACCEPT traffic. The flow log uses a custom log format (the LogFormat property uses the ${field-id} format, separated by spaces). Amazon EC2 aggregates the logs over 60 second intervals, and publishes the logs to an Amazon S3 bucket that's referenced by its ARN, MyS3Bucket.Arn. The logs are published in parquet format in Hive-compatible prefixes partitioned on an hourly basis. The flow log is created with two tags.

JSON

{ "MyFlowLogDeliveringToS3": { "Type": "AWS::EC2::FlowLog", "Properties": { "ResourceId": { "Ref": "MySubnet" }, "ResourceType": "Subnet", "TrafficType": "ACCEPT", "LogDestination": { "Fn::GetAtt": [ "MyS3Bucket", "Arn" ] }, "LogDestinationType": "s3", "LogFormat": "${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}", "MaxAggregationInterval": 60, "DestinationOptions": { "FileFormat": "parquet", "HiveCompatiblePartitions": true, "PerHourPartition": true }, "Tags": [ { "Key": "Name", "Value": "FlowLogForSubnetB" }, { "Key": "Purpose", "Value": "AcceptTraffic" } ] } } }

YAML

MyFlowLogDeliveringToS3: Type: AWS::EC2::FlowLog Properties: ResourceId: !Ref MySubnet ResourceType: Subnet TrafficType: ACCEPT LogDestination: !GetAtt MyS3Bucket.Arn LogDestinationType: s3 LogFormat: ${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr} MaxAggregationInterval: 60 DestinationOptions: FileFormat: parquet HiveCompatiblePartitions: true PerHourPartition: true Tags: - Key: Name Value: FlowLogForSubnetB - Key: Purpose Value: AcceptTraffic