In this article, we shall discuss “AWS Flow Logs IAM Role Setup” To effectively monitor traffic within your VPC, subnet, or network interface using flow logs, it’s crucial to have the required permissions to create AWS Flow Logs roles. Please, see Logon Failure Reasons for Windows Event Viewer, how to Add and Remove Multiple Virtual Desktops in Windows, and KDC reply did not match expectations while getting initial credential.

However, this role enables the creation of flow logs for VPCs, subnets, or network traffic, ensuring comprehensive monitoring across all network interfaces within the designated VPC or subnet.

To enhance your AWS environment, create an AWS Flow Logs Role. However, This role ensures the efficient publishing of flow log data to a dedicated log group in CloudWatch Logs, with each network interface having its unique log stream.

Also, see How to add servers to the Trusted Hosts list, and Preparation failed: Error during connect in the default daemon configuration on Windows, the docker client must be run with elevated privileges.

Create an IAM role

To create an IAM role for flow logs, open the IAM console at https://console.aws.amazon.com/iam/.

In the navigation pane, choose Roles, Create role. Under Select type of trusted entity, choose AWS service (EC2, lambda and others) and select EC2 (Allow EC2 instance to call AWS services on your behalf)

Choose Next: Permissions. On the attached permissions policies, Do not select anything and (click on Next: Review.

Enter a name for your role; for example, Chris-Flow-Logs-Role, and optionally provide a description. Choose Create role.

Please, see Creating IAM Users, Adding MFA and Policies on AWS, How to prevent emails from going into a junk folder in Office365, and Administer Cisco ASA: Mastering CLI Management.

Add Policy

Moreover, After successfully creating the AWS Flow Logs Role, select its name and click to open it.

Under Permissions, choose to add inline policy. Choose the JSON tab as shown below

Nonetheless Navigate to this URL and copy the IAM Roles for Flow logs. Copy the IAM roles for flow logs and paste in the window as shown below

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*"
}
]
}

– Choose Review policy.
– Enter a name for your policy, and then choose to Create policy.
– and then choose to Create policy.
– In the section, IAM Roles for Flow Logs created previously (i.e, click on the role)
– In the section, IAM Roles for Flow Logs created previously,
– choose Trust relationships

To optimize network monitoring. Start by editing the trust relationship, then proceed to delete the existing policy document.

Copy and paste in the new trust relationship policy from https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

Please, see Creating Profiles for your AWS Access Credentials for AWS Toolkit in Visual Studio, and MFA on Root Account: Create a User on AWS and Register MFA.

Update Trust Policy

When you are done, choose Update Trust Policy.

Note: On the Summary page, take note of the Role ARN for your role. You need this ARN when you create your flow log. To create a flow log, view flog and delete flow log, pls follow this URL below.

I hope you found this article on AWS Flow Logs IAM Role Setup very useful. Please, feel free to leave a comment below.