Work with flow logs - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Work with flow logs

You can work with flow logs using consoles for Amazon EC2 and Amazon VPC.

Control the use of flow logs

By default, users do not have permission to work with flow logs. You can create an IAM role with a policy attached that grants users the permissions to create, describe, and delete flow logs.

The following is an example policy that grants users full permissions to create, describe, and delete flow logs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteFlowLogs",
                "ec2:CreateFlowLogs",
                "ec2:DescribeFlowLogs"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see How Amazon VPC works with IAM.
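The policy above is deliberately narrow: three ec2 flow-log actions and nothing else. When reviewing a policy someone proposes for the same purpose, the questions are whether it covers those three actions and whether it also grants anything wider. The following is an added example, not code from the AWS documentation: a small, simplified IAM policy evaluator that handles Allow/Deny, Action/NotAction, and IAM's case-insensitive `*` and `?` action wildcards. The `BROAD_POLICY` document is a constructed over-broad variant used for comparison; `Resource` ARNs other than `"*"` and `Condition` blocks are ignored, so this is a review aid, not a replacement for the IAM policy simulator.

```python
"""Review an IAM policy for the flow-log permissions it grants (added example).

Simplified evaluator: Effect, Action, NotAction, and IAM's case-insensitive
'*' / '?' action wildcards are handled; an explicit Deny wins over Allow, as
in IAM. Resource ARNs (other than "*") and Condition blocks are NOT evaluated.
"""
import fnmatch
import json

# The policy shown on this page: exactly the three flow-log actions.
FLOW_LOG_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Action": [ "ec2:DeleteFlowLogs", "ec2:CreateFlowLogs", "ec2:DescribeFlowLogs" ],
                   "Resource": "*" } ] }
""")

# Constructed over-broad variant (hypothetical, not from the page): ec2:* instead of three actions.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

FLOW_LOG_ACTIONS = ("ec2:CreateFlowLogs", "ec2:DescribeFlowLogs", "ec2:DeleteFlowLogs")


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_matches(stmt, action):
    """Does this statement apply to `action`, via Action or NotAction?"""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def allows(policy, action):
    """True if `action` is allowed: some Allow statement matches and no Deny statement does."""
    matched = [s for s in _as_list(policy.get("Statement")) if _statement_matches(s, action)]
    if any(s.get("Effect") == "Deny" for s in matched):
        return False
    return any(s.get("Effect") == "Allow" for s in matched)


def unexpected_allow_patterns(policy, expected=FLOW_LOG_ACTIONS):
    """Allow entries that go beyond the expected action list.

    Flags any wildcard pattern (e.g. "ec2:*"), any action not in `expected`,
    and any NotAction-based Allow (which grants everything not listed).
    """
    expected_lc = {a.lower() for a in expected}
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            flagged.append("NotAction")
            continue
        for pattern in _as_list(stmt.get("Action")):
            if any(ch in pattern for ch in "*?") or pattern.lower() not in expected_lc:
                flagged.append(pattern)
    return flagged


def review(policy):
    """Summarise: which flow-log actions are granted and which entries are wider than needed."""
    return {
        "granted": [a for a in FLOW_LOG_ACTIONS if allows(policy, a)],
        "over_broad": unexpected_allow_patterns(policy),
    }


if __name__ == "__main__":
    print("page policy :", review(FLOW_LOG_POLICY))
    print("broad policy:", review(BROAD_POLICY))
```

Running it shows the page's policy granting all three actions with nothing flagged, while the `ec2:*` variant grants the same three actions but is reported as over-broad, which is the distinction a least-privilege review is after.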

Create a flow log

You can create flow logs for your VPCs, subnets, or network interfaces. When you create a flow log, you must specify a destination for the flow log. For more information, see the following:

View a flow log

You can view information about the flow logs for a resource, such as a network interface. The information displayed includes the ID of the flow log, the flow log configuration, and information about the status of the flow log.

To view information about flow logs
  1. Do one of the following:

  2. Choose Flow Logs.

  3. (Optional) To view the flow log data, open the log destination.

Tag a flow log

You can add or remove tags for a flow log at any time.

To manage tags for a flow log
  1. Do one of the following:

  2. Choose Flow Logs.

  3. Choose Actions, Manage tags.

  4. To add a new tag, choose Add new tag and enter the key and value. To remove a tag, choose Remove.

  5. When you are finished adding or removing tags, choose Save.

Delete a flow log

You can delete a flow log at any time. After you delete a flow log, it can take several minutes to stop collecting data.

Deleting a flow log does not delete the log data from the destination or modify the destination resource. You must delete the existing flow log data directly from the destination, and clean up the destination resource, using the console for the destination service.

To delete a flow log
  1. Do one of the following:

  2. Choose Flow Logs.

  3. Choose Actions, Delete flow logs.

  4. When prompted for confirmation, type delete and then choose Delete.
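The View and Delete sections above make two operational points: the flow log status tells you whether data is actually being delivered, and deleting a flow log leaves the delivered data in its destination. Both are easiest to act on from an inventory. The following is an added example, not code from the AWS documentation: it works over a response shaped like `aws ec2 describe-flow-logs` output (the `FlowLogs[]` records with `FlowLogId`, `ResourceId`, `FlowLogStatus`, `DeliverLogsStatus`, `DeliverLogsErrorMessage`, `TrafficType`, `LogDestinationType`, `LogDestination`) and reports resources with no flow log, flow logs whose delivery is failing, flow logs capturing only half the traffic, and the set of destinations that would still hold data after a delete. The response and the expected-resource list are constructed sample data; all IDs, bucket names and the account number are placeholders.

```python
"""Flow-log inventory checks over describe-flow-logs output (added example).

The sample response below is CONSTRUCTED to mirror the shape of
`aws ec2 describe-flow-logs`; the IDs, ARNs and account number are placeholders.
"""
import json

SAMPLE_DESCRIBE_FLOW_LOGS = json.loads(r'''
{
  "FlowLogs": [
    {"FlowLogId": "fl-00000000000000001", "ResourceId": "vpc-00000000000000001",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS",
     "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "example-vpc-flow-logs",
     "LogDestination": "arn:aws:logs:us-east-1:111122223333:log-group:example-vpc-flow-logs"},
    {"FlowLogId": "fl-00000000000000002", "ResourceId": "subnet-00000000000000001",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error",
     "TrafficType": "REJECT", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-log-bucket/vpc/"},
    {"FlowLogId": "fl-00000000000000003", "ResourceId": "eni-00000000000000001",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS",
     "TrafficType": "ACCEPT", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-log-bucket/eni/"}
  ]
}
''')

# Constructed list of resources that should be covered (in practice, from describe-vpcs etc.).
EXPECTED_RESOURCES = ["vpc-00000000000000001", "vpc-00000000000000002", "subnet-00000000000000001"]


def uncovered_resources(response, resource_ids):
    """Resources with no flow log attached at all: a monitoring gap, sorted for stable output."""
    covered = {fl["ResourceId"] for fl in response["FlowLogs"]}
    return sorted(r for r in resource_ids if r not in covered)


def failing_deliveries(response):
    """Flow logs that exist but are not delivering (status other than SUCCESS), with the error text."""
    return [
        (fl["FlowLogId"], fl.get("DeliverLogsErrorMessage", ""))
        for fl in response["FlowLogs"]
        if fl.get("DeliverLogsStatus") != "SUCCESS"
    ]


def partial_traffic_coverage(response):
    """Flow logs capturing only ACCEPT or only REJECT traffic rather than ALL."""
    return [
        (fl["FlowLogId"], fl["TrafficType"])
        for fl in response["FlowLogs"]
        if fl.get("TrafficType") != "ALL"
    ]


def destinations(response):
    """Destinations grouped by type.

    Deleting a flow log does not remove what it delivered, so this is the list of
    places that still need cleanup (or retention review) after a delete.
    """
    out = {}
    for fl in response["FlowLogs"]:
        out.setdefault(fl["LogDestinationType"], set()).add(fl["LogDestination"])
    return {kind: sorted(arns) for kind, arns in out.items()}


def report(response, resource_ids):
    """All findings in one dictionary."""
    return {
        "uncovered": uncovered_resources(response, resource_ids),
        "failing": failing_deliveries(response),
        "partial": partial_traffic_coverage(response),
        "destinations": destinations(response),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_DESCRIBE_FLOW_LOGS, EXPECTED_RESOURCES), indent=2))
```

With real data, pipe `aws ec2 describe-flow-logs` output into `json.load` in place of the constructed sample; the functions only rely on the field names listed in the lead-in.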

API and CLI overview

You can perform the tasks described on this page using the command line or API. For more information about the command line interfaces and a list of available API actions, see Working with Amazon VPC.

Create a flow log
Describe a flow log
Tag a flow log
Delete a flow log