
How to create AWS Flow logs Role

To use flow logs to monitor the traffic in a VPC, subnet or network interface, you first need an IAM role that grants the permissions to publish flow log records. This role is required when you create a flow log for a VPC, a subnet or a network interface. (If you create a flow log for a subnet or a VPC, every network interface in that subnet or VPC is monitored.)

Flow log data is published to a log group in CloudWatch Logs, and each network interface gets its own log stream in that group.

To create an IAM role for flow logs
– Open the IAM console at https://console.aws.amazon.com/iam/.
– In the navigation pane, choose Roles, then Create role.
– Under Select type of trusted entity, choose AWS service, then select EC2 (Allows EC2 instances to call AWS services on your behalf). The trust relationship is replaced with the flow logs service principal in a later step.

– Choose Next: Permissions.

– On the Attach permissions policies page, do not select any policy; choose Next: Review.

– Enter a name for your role, for example Chris-Flow-Logs-Role, and optionally a description.
– Choose Create role.

– Select the role you just created to open it.
– Under Permissions, choose Add inline policy.
– Choose the JSON tab.

– Copy the permissions policy from the IAM roles for flow logs section at https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam and paste it into the JSON editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

– Choose Review policy.
– Enter a name for your policy, then choose Create policy.
– Open the role you created previously (the IAM role for flow logs) and choose Trust relationships.

– Choose Edit trust relationship, delete the existing policy document, and paste in the trust policy from https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

– When you are done, choose Update Trust Policy.

Note: On the Summary page, take note of the Role ARN for your role. You need this ARN when you create your flow log.
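The same role and flow log, created with the AWS SDK for Python instead of the console. This is an added example, not code from the original post. It assumes boto3 is installed with credentials that allow iam:CreateRole, iam:PutRolePolicy, sts:GetCallerIdentity and ec2:CreateFlowLogs; the role name Chris-Flow-Logs-Role is taken from the post, while the log group name vpc-flow-logs and the VPC ID vpc-0123456789abcdef0 are placeholders. It also tightens the two policies shown above: the permissions policy is scoped to one log group instead of Resource "*" (DescribeLogGroups stays on "*" because it is an account-level list call), and the trust policy adds the aws:SourceAccount / aws:SourceArn conditions that AWS recommends, so that only flow logs in your own account and region can assume the role.

```python
"""Create the VPC Flow Logs delivery role and a VPC flow log with boto3.

Added example (not from the original post). Assumes boto3 credentials with
iam:CreateRole, iam:PutRolePolicy, sts:GetCallerIdentity and ec2:CreateFlowLogs.
The log group name and VPC ID in main() are placeholders.
"""
import json
import time


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy from the post, plus a confused-deputy guard: only flow logs
    created in this account and region may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {
                        "aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"
                    },
                },
            }
        ],
    }


def permissions_policy(account_id: str, region: str, log_group: str) -> dict:
    """Same five logs:* actions as the post, but scoped to one log group and
    its streams. DescribeLogGroups lists groups account-wide, so it keeps "*"."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                ],
                "Resource": [group_arn, f"{group_arn}:*"],
            },
            {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
        ],
    }


def create_flow_logs_role(iam, role_name: str, account_id: str, region: str, log_group: str) -> str:
    """Create the role with the flow logs trust policy, attach the inline
    permissions policy, and return the role ARN needed by CreateFlowLogs."""
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_id, region)),
        Description="Lets VPC Flow Logs publish to CloudWatch Logs",
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="flow-logs-cloudwatch",
        PolicyDocument=json.dumps(permissions_policy(account_id, region, log_group)),
    )
    return role["Role"]["Arn"]


def create_flow_log(ec2, vpc_id: str, log_group: str, role_arn: str, attempts: int = 6) -> str:
    """IAM is eventually consistent: a role created seconds ago may not be
    usable yet, and CreateFlowLogs reports that in 'Unsuccessful' rather than
    raising. Retry with backoff before giving up."""
    for attempt in range(attempts):
        resp = ec2.create_flow_logs(
            ResourceType="VPC",
            ResourceIds=[vpc_id],
            TrafficType="ALL",
            LogDestinationType="cloud-watch-logs",
            LogGroupName=log_group,
            DeliverLogsPermissionArn=role_arn,
        )
        if not resp.get("Unsuccessful"):
            return resp["FlowLogIds"][0]
        time.sleep(2 ** attempt)
    raise RuntimeError(f"flow log creation failed: {resp['Unsuccessful']}")


def main() -> None:
    import boto3  # imported here so the policy helpers above stay usable offline

    session = boto3.Session()
    region = session.region_name or "us-east-1"
    account_id = session.client("sts").get_caller_identity()["Account"]
    iam = session.client("iam")
    ec2 = session.client("ec2", region_name=region)
    log_group = "vpc-flow-logs"  # placeholder
    role_arn = create_flow_logs_role(iam, "Chris-Flow-Logs-Role", account_id, region, log_group)
    print("Role ARN:", role_arn)
    # vpc-0123456789abcdef0 is a placeholder; use your own VPC ID.
    print("Flow log:", create_flow_log(ec2, "vpc-0123456789abcdef0", log_group, role_arn))


if __name__ == "__main__":
    main()
```

Run it once per account and region; the printed Role ARN is the value the console procedure above tells you to note from the Summary page. If you keep the broader Resource "*" policy from the AWS docs instead, the trust policy conditions are still worth adding, since they cost nothing and stop a flow log in another account from being pointed at your role.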

Note: To create a flow log, view flow log records and delete a flow log, please follow the URL below.
