Follow these steps to set up a flow-log:
- Start by defining the template version and description:
  AWSTemplateFormatVersion: "2010-09-09"
  Description: Flow logs for networking resources
- Define Parameters for the template. In this case, it is just the VpcId where we will enable flow-logs:
  Parameters:
    VpcId:
      Type: String
      Description: The VPC where we will enable flow logs
- Create the Resources section of the template and define the log group that our flow logs will be sent to:
  Resources:
    LogGroup:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: LogGroup
- Next, we define the IAM role that will give the flow-logs service permission to write the logs (this sits under Resources alongside LogGroup):
    IamRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: Allow
              Principal:
                Service: vpc-flow-logs.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          -
            PolicyName: CloudWatchLogsAccess
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                -
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                    - logs:DescribeLogGroups
                    - logs:DescribeLogStreams
                  Effect: Allow
                  Res
- Finally, we define the flow-log itself (also under Resources):
    FlowLog:
      Type: AWS::EC2::FlowLog
      DependsOn: LogGroup
      Properties:
        DeliverLogsPermissionArn: !GetAtt IamRole.Arn
        LogGroupName: LogGroup
        ResourceId: !Ref VpcId
        ResourceType: VPC
        TrafficType: ALL
- Save the template and give it a filename such as 05-02-NetworkLogging.yaml.
- Create the flow-logs and associated resources by launching a stack from the template with the following command (CAPABILITY_IAM is required because the template creates an IAM role):
  aws cloudformation create-stack \
    --stack-name VpcFlowLogs \
    --template-body file://05-02-NetworkLogging.yaml \
    --capabilities CAPABILITY_IAM \
    --parameters ParameterKey=VpcId,ParameterValue=<your-vpc-id>
Once launched (and assuming you have network activity), you will be able to see your flow-log in the CloudWatch Logs console. If you don't see any flow-logs, you may need to create a resource such as an EC2 instance and SSH into it.
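The records that land in the log group use the default version-2 flow-log format (one space-separated record per line: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). The following Python script is an added example, not code from the book: it parses constructed sample records in that format, counts ACCEPT/REJECT/NODATA records, and lists sources whose rejected flows touched several destination ports. The account id, ENI id and IP addresses in the sample are placeholders.

```python
"""Summarise VPC Flow Log records in the default (version 2) field order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status ("-" marks an unset field)."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample (placeholder account id and ENI, documentation IP ranges):
# one source rejected on three ports, one accepted flow, one NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 45321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 45322 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 45323 445 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51000 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one version-2 record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec: Dict[str, object] = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None  # field unset in NODATA/SKIPDATA records
        else:
            rec[name] = int(value) if name in INT_FIELDS else value
    return rec


def count_by_status(lines: List[str]) -> Counter:
    """Count ACCEPT/REJECT records; records with no action count by log-status."""
    counts: Counter = Counter()
    for rec in filter(None, map(parse_record, lines)):
        counts[rec["action"] or rec["log_status"]] += 1
    return counts


def sources_rejected_on_many_ports(lines: List[str], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_record, lines)):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

Feed it the lines exported from the log group (for example via the CloudWatch Logs console or the aws logs CLI) instead of SAMPLE_LOG to run it against real data.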