Network flow logs are gathered, archived, and analyzed by many organizations. They use this data to diagnose connectivity and security problems and to check that network access rules are behaving as intended.
Amazon Virtual Private Cloud (VPC) supports this crucial part of network monitoring through VPC Flow Logs. Once enabled for a specific VPC, a subnet in a VPC, or an Elastic Network Interface (ENI) in a VPC, the relevant network traffic is logged to CloudWatch Logs. From there the logs can be stored and analyzed by your own applications or by third-party tools.
You can also define metrics to help spot trends and patterns, and alarms that fire when particular kinds of traffic appear. The data captured covers both traffic that was allowed and traffic that was denied by security group and network ACL rules. Each log entry contains packet and byte counts, source and destination IP addresses, source and destination ports, the IANA protocol number, the start and end of the window in which the flow was observed, and an action (ACCEPT or REJECT). Only flow metadata is recorded, never packet payloads.
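The metric-and-alarm idea above, as an added Terraform example that is not part of the original post: a CloudWatch Logs metric filter matches the default 14-field flow log record (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and counts REJECT records whose destination port is 22, then an alarm fires when that count crosses a threshold. The log group name, the metric namespace, the port, the threshold and the alarm-action topic are assumptions chosen for the illustration.

```hcl
# Added example, not from the original post. Assumes a flow log group
# that already receives records in the default (version 2) format.
variable "flow_log_group_name" {
  description = "Name of the CloudWatch Logs group that receives VPC Flow Logs (assumed)"
  type        = string
}

variable "alarm_actions" {
  description = "Optional SNS topic ARNs to notify when the alarm fires (assumed)"
  type        = list(string)
  default     = []
}

# Positional filter over the space-delimited default record. Every field
# must be named so the positions line up; only dstport and action are
# constrained. Port 22 and the REJECT action are the chosen example.
resource "aws_cloudwatch_log_metric_filter" "rejected_ssh" {
  name           = "vpc-rejected-ssh-flows"
  log_group_name = var.flow_log_group_name
  pattern        = "[version, account, eni, source, destination, srcport, destport=\"22\", protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]"

  metric_transformation {
    name      = "RejectedSSHFlows"
    namespace = "VPCFlowLogs" # assumed namespace
    value     = "1"           # one unit per matching record
  }
}

# Sum the matches over 5-minute periods and alarm above a chosen threshold.
# treat_missing_data = "notBreaching" keeps quiet periods from alarming.
resource "aws_cloudwatch_metric_alarm" "rejected_ssh" {
  alarm_name          = "vpc-rejected-ssh-flows"
  namespace           = "VPCFlowLogs"
  metric_name         = "RejectedSSHFlows"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 100 # assumed threshold
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"
  alarm_description   = "More than 100 rejected inbound SSH flows in 5 minutes"
  alarm_actions       = var.alarm_actions
}
```

Because the filter is positional, it silently matches nothing if the flow log was created with a custom log format; check the record layout in the console before relying on an alarm built this way.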
VPC Flow Logs can be enabled from the AWS Console, the CLI, or by calling the API directly. Below, we will use the API route via Terraform to build the following configuration:
VPC
In this example, I will use the default VPC:
CloudWatch Log Group
The section below creates a log group named vpcflowlogGroup with the VPC ID as a suffix and a retention period of 1 month (30 days). You can change this attribute to retain logs for up to 10 years (3653 days) or to never expire them:
Role
The entry below creates the IAM role that the VPC Flow Logs service will assume. Its trust policy allows the vpc-flow-logs.amazonaws.com service principal to call sts:AssumeRole through the Security Token Service (STS):
Policy
The policy below is created and attached to the role above. It grants only the CloudWatch Logs actions the service needs to write flow records (creating log groups and streams, describing them, and putting log events):
VPC Flow Log
Finally, everything above comes together in the main guest of the party, the VPC Flow Log. The Flow Log resource references the role, names the CloudWatch Log Group as the destination for the log entries, chooses the traffic to capture (REJECT, ACCEPT, or ALL), and, of course, selects the VPC to monitor:
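The whole procedure (default VPC, log group, role, policy, and flow log) as one added Terraform example; this is not the post's own code. The provider region, the resource names, the aws:SourceAccount condition on the trust policy, and the choice of ALL traffic are assumptions made for the illustration.

```hcl
# Added example, not from the original post. Region and names are assumed.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed
}

data "aws_caller_identity" "current" {}

# VPC: look up the account's default VPC rather than creating one
data "aws_vpc" "default" {
  default = true
}

# CloudWatch Log Group: vpcflowlogGroup-<vpc-id>, kept for 30 days
resource "aws_cloudwatch_log_group" "flow" {
  name              = "vpcflowlogGroup-${data.aws_vpc.default.id}"
  retention_in_days = 30
}

# Role: trust policy that lets the Flow Logs service assume the role.
# The SourceAccount condition (assumed hardening, not in the post) stops
# another account's flow log from using this role.
data "aws_iam_policy_document" "flow_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "flow" {
  name               = "vpc-flow-logs-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.flow_assume.json
}

# Policy: only the Logs actions the service needs, scoped to this log group
data "aws_iam_policy_document" "flow_logs" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]
    resources = ["${aws_cloudwatch_log_group.flow.arn}:*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  name   = "vpc-flow-logs-policy" # assumed name
  role   = aws_iam_role.flow.id
  policy = data.aws_iam_policy_document.flow_logs.json
}

# VPC Flow Log: ties the role, the destination and the VPC together.
# traffic_type accepts ACCEPT, REJECT or ALL; iam_role_arn is required
# when the destination is CloudWatch Logs.
resource "aws_flow_log" "default_vpc" {
  vpc_id               = data.aws_vpc.default.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow.arn
}
```

After `terraform apply`, confirm with `aws ec2 describe-flow-logs` that the flow log's DeliverLogsStatus is SUCCESS; a permissions problem with the role shows up there as a delivery error rather than in Terraform's output.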
Call Outs
Flows are captured, aggregated, and stored in capture windows of roughly 10 minutes (the maximum aggregation interval; a 1-minute interval can also be selected). About 15 minutes after you create the Flow Log, the log group will exist (if it did not already) and the first flow records will appear in the console.
None of the following traffic will appear in the flow logs:
- Traffic to the Amazon DNS server, including queries for private hosted zones (queries to your own DNS server are logged)
- Windows license activation traffic for Amazon-provided licenses
- Requests to and from the instance metadata service (169.254.169.254)
- DHCP traffic