Bootstrap FreeKB - Amazon Web Services (AWS) - Create Flow Log using the AWS CLI
Amazon Web Services (AWS) - Create Flow Log using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Flow Logs are used to record the IP traffic going in and out of a Network Interface: one record per flow with the source and destination addresses, ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by the security groups and network ACLs. They do not capture the payload of the requests themselves. For example, perhaps you have a Network Load Balancer. A Flow Log can be used to record the traffic going in and out of the Network Interfaces being used by the Network Load Balancer.

You can create a Flow Log:

  • For all of the Network Interfaces in a Virtual Private Cloud (VPC)
  • For specific Network Interfaces in a Virtual Private Cloud (VPC)

The Flow Logs can be published to:

  • A CloudWatch Logs log group
  • An S3 Bucket

A flow log record in the default format looks something like this. The action field is ACCEPT or REJECT (REJECT means a security group or network ACL dropped the flow), and log-status is OK when the record is complete, NODATA when no traffic was seen on the interface during the aggregation interval, or SKIPDATA when some records for the interval were lost.

version account-id   interface-id          srcaddr        dstaddr       srcport dstport protocol packets bytes start      end        action log-status
2       123456789012 eni-07a2b417b8527403c 35.203.211.127 172.31.47.140 54135   53522   6        1       44    1696986432 1696986437 ACCEPT OK

 

The start and end fields are Unix epoch seconds (UTC, regardless of where the instance runs). The Linux date command can be used to convert them into a human readable date and time, printed here in the local time zone of the machine running date (CDT).

~]$ echo $(date -d @1696986463)
Tue Oct 10 20:07:43 CDT 2023
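As an added example (not code from the original article), the following shell script parses records in the default format shown above, converts start and end from epoch seconds to UTC, and pulls out what a reviewer usually wants first: the REJECTed flows, the source addresses producing them, and any intervals where log-status is not OK. The sample records are constructed for this example (the addresses, interface IDs and timestamps are made up). It assumes GNU date (date -d @EPOCH) and falls back to the BSD form.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: triage default-format
# VPC Flow Log records. Fields (1-based, default format):
#  1 version 2 account-id 3 interface-id 4 srcaddr 5 dstaddr 6 srcport
#  7 dstport 8 protocol 9 packets 10 bytes 11 start 12 end 13 action 14 log-status

# Constructed sample records (header included). Every value is made up.
sample_flow_log_records() {
  cat <<'EOF'
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-07a2b417b8527403c 35.203.211.127 172.31.47.140 54135 53522 6 1 44 1696986432 1696986437 ACCEPT OK
2 123456789012 eni-07a2b417b8527403c 198.51.100.23 172.31.47.140 40112 22 6 3 180 1696986440 1696986445 REJECT OK
2 123456789012 eni-07a2b417b8527403c 198.51.100.23 172.31.47.140 40113 3389 6 2 120 1696986450 1696986455 REJECT OK
2 123456789012 eni-07a2b417b8527403c 203.0.113.9 172.31.47.140 51000 22 6 1 60 1696986460 1696986465 REJECT OK
2 123456789012 eni-089af58bc3e8f127a - - - - - - - 1696986470 1696986475 - NODATA
EOF
}

# Epoch seconds -> ISO 8601 UTC. GNU date first, BSD date as fallback.
epoch_to_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# One line per REJECTed record: "<start UTC> <end UTC> <srcaddr> -> <dstaddr>:<dstport>/<protocol>".
# Reads records on stdin; skips the header and records whose log-status is not OK.
flow_log_rejects() {
  awk 'NR > 1 && $14 == "OK" && $13 == "REJECT" { print $11, $12, $4, $5, $7, $8 }' |
  while read -r start end src dst dport proto; do
    printf '%s %s %s -> %s:%s/%s\n' "$(epoch_to_utc "$start")" "$(epoch_to_utc "$end")" \
      "$src" "$dst" "$dport" "$proto"
  done
}

# REJECT count per source address, most frequent first (scanners float to the top).
flow_log_reject_sources() {
  awk 'NR > 1 && $14 == "OK" && $13 == "REJECT" { n[$4]++ }
       END { for (a in n) printf "%d %s\n", n[a], a }' | sort -rn
}

# Records whose log-status is NODATA or SKIPDATA: "<interface-id> <start> <log-status>".
# These are gaps in visibility, not evidence that nothing happened.
flow_log_gaps() {
  awk 'NR > 1 && $14 != "OK" { printf "%s %s %s\n", $3, $11, $14 }'
}

sample_flow_log_records | flow_log_rejects
sample_flow_log_records | flow_log_reject_sources
sample_flow_log_records | flow_log_gaps
```

To run it against real data, replace sample_flow_log_records with a cat of the exported records (for CloudWatch Logs, the message field of each event is one such record).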

 

If you want to publish the Flow Logs to a CloudWatch Logs log group, the aws logs describe-log-groups command can be used to determine if the Log Group exists (it matches on a name prefix, so check the returned names for an exact match). If not, the aws logs create-log-group command can be used to create a Log Group. The role referenced by --deliver-logs-permission-arn must also exist before the Flow Log is created: it needs a trust policy that allows the vpc-flow-logs.amazonaws.com service principal to assume it, and permission to create log streams and put log events in the log group.

aws logs create-log-group --log-group-name my-log-group

 

If you want to create a Flow Log for all of the Network Interfaces in a Virtual Private Cloud, use --resource-type VPC. In this example, the Flow Logs will be delivered to CloudWatch Logs log group my-log-group (--log-group-name goes with --log-destination-type cloud-watch-logs, which is the default destination type).

aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-123456789012 \
--traffic-type ALL \
--log-group-name my-log-group \
--deliver-logs-permission-arn arn:aws:iam::123456789012:role/publishFlowLogs
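The command above assumes the role and the log group already exist. As an added example, not the article's own code or AWS's, the script below does the full procedure in order: the IAM role for --deliver-logs-permission-arn with a trust policy restricted to the VPC Flow Logs service and this account, the log group, and the Flow Log itself. The account ID, region, VPC ID, role name and log group name are placeholders, and narrowing the permissions policy to one log group is this example's choice rather than AWS's documented policy, which uses Resource "*". By default (DRY_RUN=1) it prints the aws commands so they can be reviewed; DRY_RUN=0 applies them with the configured profile.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from AWS: create the
# IAM role, the CloudWatch Logs log group and the VPC Flow Log in one go.
# Placeholders (assumptions): account 123456789012, region us-east-1,
# VPC vpc-123456789012, role publishFlowLogs, log group my-log-group.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-123456789012}"
ROLE_NAME="${ROLE_NAME:-publishFlowLogs}"
LOG_GROUP="${LOG_GROUP:-my-log-group}"
DRY_RUN="${DRY_RUN:-1}"

# Run an aws command, or print it on one line when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Trust policy: only the VPC Flow Logs service may assume the role, and only
# for flow logs in this account (SourceAccount/SourceArn block confused-deputy use).
trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Principal":{"Service":"vpc-flow-logs.amazonaws.com"},
  "Action":"sts:AssumeRole",
  "Condition":{"StringEquals":{"aws:SourceAccount":"${ACCOUNT_ID}"},
               "ArnLike":{"aws:SourceArn":"arn:aws:ec2:${REGION}:${ACCOUNT_ID}:vpc-flow-log/*"}}}]}
EOF
}

# Permissions policy, scoped to the one log group the flow log writes to (this
# example's choice). The log group is created below, so logs:CreateLogGroup is
# deliberately not granted.
permissions_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow",
   "Action":["logs:CreateLogStream","logs:PutLogEvents","logs:DescribeLogStreams"],
   "Resource":"arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}:*"},
  {"Effect":"Allow","Action":"logs:DescribeLogGroups","Resource":"*"}]}
EOF
}

create_role() {
  run aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  run aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name publish-flow-logs --policy-document "$(permissions_policy)"
}

# describe-log-groups matches a prefix, so filter for the exact name before
# deciding the group already exists.
create_log_group_if_missing() {
  if [ "$DRY_RUN" != "1" ] && aws logs describe-log-groups --region "$REGION" \
       --log-group-name-prefix "$LOG_GROUP" \
       --query "logGroups[?logGroupName=='${LOG_GROUP}'].logGroupName" --output text |
       grep -qx "$LOG_GROUP"; then
    return 0
  fi
  run aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP"
}

# --client-token makes a retried request return the existing flow log instead
# of creating a second one; 60 s aggregation gives tighter timestamps than the
# 600 s default.
create_vpc_flow_log() {
  run aws ec2 create-flow-logs --region "$REGION" \
    --resource-type VPC --resource-ids "$VPC_ID" --traffic-type ALL \
    --log-destination-type cloud-watch-logs --log-group-name "$LOG_GROUP" \
    --max-aggregation-interval 60 \
    --deliver-logs-permission-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
    --client-token "flowlog-${VPC_ID}-${LOG_GROUP}"
}

main() {
  create_role
  create_log_group_if_missing
  create_vpc_flow_log
}

main
```

The same script serves the NetworkInterface case by changing --resource-type and --resource-ids in create_vpc_flow_log; the role and log group steps are identical.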

 

In this example, the Flow Logs will be delivered to S3 Bucket my-bucket. No IAM role is used for S3 delivery (so --deliver-logs-permission-arn is omitted); instead the bucket policy must allow the delivery.logs.amazonaws.com service principal to put objects in the bucket. If you do not have permission to change the bucket policy, for example because the bucket belongs to another account, the bucket owner has to add that policy before delivery will work.

aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-123456789012 \
--traffic-type ALL \
--log-destination-type s3 \
--log-destination arn:aws:s3:::my-bucket

 

Or, to include a prefix in the S3 Bucket.

aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-123456789012 \
--traffic-type ALL \
--log-destination-type s3 \
--log-destination arn:aws:s3:::my-bucket/my-prefix

 

If you want to create a Flow Log for specific Network Interfaces in a Virtual Private Cloud, the aws ec2 describe-network-interfaces command can be used to get the IDs of the Network Interfaces for which you want to enable Flow Logs. In this example, the filter selects the interfaces used by Network Load Balancers and --query returns only their IDs.

aws ec2 describe-network-interfaces --filters Name=interface-type,Values=network_load_balancer --query 'NetworkInterfaces[].NetworkInterfaceId' --output text



Which should return the IDs, tab separated, something like this.

eni-07a2b417b8527403c	eni-089af58bc3e8f127a


And then you could create a Flow Log for one or more Network Interfaces using --resource-type NetworkInterface (--resource-ids accepts several IDs separated by spaces).

aws ec2 create-flow-logs \
--resource-type NetworkInterface \
--resource-ids eni-07a2b417b8527403c \
--traffic-type ALL \
--log-group-name my-flow-logs \
--deliver-logs-permission-arn arn:aws:iam::123456789012:role/publishFlowLogs

 

If the Flow Log is successfully created, something like this should be returned, with the new Flow Log ID in FlowLogIds and an empty Unsuccessful list. The aws ec2 describe-flow-logs command can then be used to confirm that FlowLogStatus is ACTIVE and, for a CloudWatch Logs destination, that DeliverLogsStatus is SUCCESS; a FAILED status with a DeliverLogsErrorMessage of "Access error" usually means the trust or permissions policy of the role passed in --deliver-logs-permission-arn is wrong.

{
    "ClientToken": "09Q6AJF2nPSiIifDbt41UNwH5e7rBIo0cxau/d+pzY8=",
    "FlowLogIds": [
        "fl-0cc42367815ef1617"
    ],
    "Unsuccessful": []
}
