Create a transit gateway flow log that publishes to Amazon CloudWatch Logs - Amazon VPC
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create a transit gateway flow log that publishes to Amazon CloudWatch Logs

You can create flow logs for transit gateways. If you perform these steps as an IAM user, ensure that you have permissions to use the iam:PassRole action. For more information, see Permissions for IAM users to pass a role.

You can create a flow log that publishes to CloudWatch Logs using either the Amazon VPC console or the Amazon CLI.

To create a transit gateway flow log using the console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Transit gateways.

  3. Choose the checkboxes for one or more transit gateways and choose Actions, Create flow log.

  4. For Destination, choose Send to CloudWatch Logs.

  5. For Destination log group, choose the name of an existing destination log group.

    Note

    If the destination log group does not yet exist, entering a new name in this field will create a new destination log group.

  6. For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs. The role's trust policy must allow the vpc-flow-logs.amazonaws.com service principal to assume it, and its permissions policy must allow the logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, and logs:DescribeLogStreams actions.

  7. For Log record format, select the format for the flow log record.

    • To use the default format, choose Amazon default format.

    • To use a custom format, choose Custom format and then select fields from Log format.

  8. (Optional) Choose Add new tag to apply tags to the flow log.

  9. Choose Create flow log.

To create a flow log using the command line

Use the following command.

The following Amazon CLI example creates a flow log that captures transit gateway information. The flow logs are delivered to a log group in CloudWatch Logs called my-flow-logs, in account 123456789101, using the IAM role publishFlowLogs. Transit gateway flow logs capture all traffic, so no --traffic-type parameter is given. In the China Regions, the role ARN uses the aws-cn partition (arn:aws-cn:iam::123456789101:role/publishFlowLogs) rather than aws.

aws ec2 create-flow-logs --resource-type TransitGateway --resource-ids tgw-1a2b3c4d --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws:iam::123456789101:role/publishFlowLogs
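The console step that asks for an IAM role and the CLI command above both assume a delivery role that already exists and is correctly configured. The following is an added example, not code from the Amazon VPC documentation, showing what that role needs and how to check it before calling create-flow-logs: a trust policy restricted to the vpc-flow-logs.amazonaws.com service principal with aws:SourceAccount and aws:SourceArn conditions, a permissions policy holding only the five logs actions (scoped to the destination log group, which is tighter than the "Resource": "*" form many examples use), an audit of an existing role's trust policy, and a check that the role ARN's partition (aws or aws-cn) matches the Region. The account ID, Region, log group and role names are the page's example values; the function names and the scoping of the permissions policy are this example's own choices.

```python
"""Assemble and sanity-check what a transit gateway flow log needs before
calling create-flow-logs. Added example; not Amazon VPC documentation code."""
import json
import shlex

FLOW_LOGS_PRINCIPAL = "vpc-flow-logs.amazonaws.com"
CHINA_REGIONS = {"cn-north-1", "cn-northwest-1"}  # ARNs use the aws-cn partition


def partition_for_region(region):
    """ARNs in the China Regions use the aws-cn partition, not aws."""
    return "aws-cn" if region in CHINA_REGIONS else "aws"


def trust_policy(account_id, region):
    """Trust policy for the delivery role. The aws:SourceAccount and
    aws:SourceArn conditions stop a flow log created in another account
    from assuming this role (confused deputy)."""
    p = partition_for_region(region)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:{p}:ec2:{region}:{account_id}:vpc-flow-log/*"},
            },
        }],
    }


def permissions_policy(account_id, region, log_group):
    """Only the actions flow log delivery uses; write actions are scoped to
    the destination log group. DescribeLogGroups has no resource-level
    permissions, so it keeps Resource "*" (example's own scoping choice)."""
    p = partition_for_region(region)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                           "logs:PutLogEvents", "logs:DescribeLogStreams"],
                "Resource": f"arn:{p}:logs:{region}:{account_id}:log-group:{log_group}:*",
            },
            {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
        ],
    }


def audit_trust_policy(policy):
    """Findings for an existing role's trust policy (e.g. from `aws iam get-role`);
    an empty list means it is as tight as trust_policy() produces."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal may assume the role")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if services != [FLOW_LOGS_PRINCIPAL]:
            findings.append(f"service principals other than {FLOW_LOGS_PRINCIPAL}: {services}")
        cond = stmt.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append("missing aws:SourceAccount condition")
        if not any("aws:SourceArn" in cond.get(op, {})
                   for op in ("ArnLike", "ArnEquals", "StringEquals", "StringLike")):
            findings.append("missing aws:SourceArn condition")
    return findings


def create_flow_logs_args(tgw_ids, log_group, role_arn, region):
    """Parameters for `aws ec2 create-flow-logs` (boto3: ec2.create_flow_logs).
    Transit gateway flow logs take no traffic type: all traffic is captured."""
    expected = f"arn:{partition_for_region(region)}:iam::"
    if not role_arn.startswith(expected):
        raise ValueError(f"role ARN must start with {expected} in {region}: {role_arn}")
    return {
        "ResourceType": "TransitGateway",
        "ResourceIds": list(tgw_ids),
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
    }


def cli_command(args):
    """Render the arguments as the CLI invocation shown on this page."""
    parts = ["aws", "ec2", "create-flow-logs",
             "--resource-type", args["ResourceType"],
             "--resource-ids", *args["ResourceIds"],
             "--log-destination-type", args["LogDestinationType"],
             "--log-group-name", args["LogGroupName"],
             "--deliver-logs-permission-arn", args["DeliverLogsPermissionArn"]]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    acct, region = "123456789101", "cn-north-1"  # constructed example values
    print(json.dumps(trust_policy(acct, region), indent=2))
    print(json.dumps(permissions_policy(acct, region, "my-flow-logs"), indent=2))
    args = create_flow_logs_args(["tgw-1a2b3c4d"], "my-flow-logs",
                                 f"arn:aws-cn:iam::{acct}:role/publishFlowLogs", region)
    print(cli_command(args))
```

Feed the two policy documents to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy --policy-document`, then run the printed command. Running audit_trust_policy over the JSON that `aws iam get-role` returns for an existing publishFlowLogs role shows whether it was created with the source-account and source-ARN conditions or with the older unconditioned trust policy.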