Create a flow log that publishes to CloudWatch Logs

You can create flow logs for your VPCs, subnets, or network interfaces. If you perform these steps as a user using a particular IAM role, ensure that the role has permissions to use the iam:PassRole action.

Prerequisite

Verify that the IAM principal that you are using to make the request has permissions to call the iam:PassRole action.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws-cn:iam::account-id:role/flow-log-role-name"
    }
  ]
}

To create a flow log using the console

Do one of the following:
- Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/. In the navigation pane, choose Network Interfaces. Select the checkbox for the network interface.
- Open the Amazon VPC console at https://console.amazonaws.cn/vpc/. In the navigation pane, choose Your VPCs. Select the checkbox for the VPC.
- Open the Amazon VPC console at https://console.amazonaws.cn/vpc/. In the navigation pane, choose Subnets. Select the checkbox for the subnet.
Choose Actions, Create flow log.
For Filter, specify the type of traffic to log. Choose All to log accepted and rejected traffic, Reject to log only rejected traffic, or Accept to log only accepted traffic.
For Maximum aggregation interval, choose the maximum period of time during which a flow is captured and aggregated into one flow log record.
For Destination, choose Send to CloudWatch Logs.
For Destination log group, choose the name of an existing log group or enter the name of a new log group that will be created when you create this flow log.
For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs.
For Log record format, select the format for the flow log record.
- To use the default format, choose Amazon default format.
- To use a custom format, choose Custom format and then select fields from Log format.
For Additional metadata, select if you want to include metadata from Amazon ECS in the log format.
(Optional) Choose Add new tag to apply tags to the flow log.
Choose Create flow log.

To create a flow log using the command line

Use one of the following commands.

create-flow-logs (Amazon CLI)
New-EC2FlowLogs (Amazon Tools for Windows PowerShell)

The following Amazon CLI example creates a flow log that captures all accepted traffic for the specified subnet. The flow logs are delivered to the specified log group. The --deliver-logs-permission-arn parameter specifies the IAM role required to publish to CloudWatch Logs.


aws ec2 create-flow-logs --resource-type Subnet --resource-ids subnet-1a2b3c4d --traffic-type ACCEPT --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws-cn:iam::123456789101:role/publishFlowLogs

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

IAM role for publishing flow logs to CloudWatch Logs

View flow log records with CloudWatch Logs