
AWS Flow Logs Role: How-To Guide

AWS Flow Logs

To monitor traffic in a VPC, subnet, or network interface with flow logs, you first need permission to create the IAM role that the flow logs service assumes. That role is what lets VPC Flow Logs publish records for the VPC, subnet, or network interface you choose; a flow log created on a VPC or subnet covers every network interface inside it.
With CloudWatch Logs as the destination, the role publishes flow log data to a log group that you specify, and each network interface gets its own log stream within that group.

To create an IAM role for flow logs
– Open the IAM console at https://console.aws.amazon.com/iam/.
– In the navigation pane, choose Roles, Create role.
– Under Select type of trusted entity,
– Choose AWS service (EC2, Lambda and others) and select EC2 (Allow EC2 instances to call AWS services on your behalf). This gives the role a temporary trust policy for EC2; you replace it with the flow logs trust policy in the Trust relationships step later in this guide.


– Choose Next: Permissions.

– On the Attached permissions policies page, do not select anything; choose Next: Review.


– Enter a name for your role; for example, Chris-Flow-Logs-Role, and optionally provide a description.
– Choose Create role.


– After the role is created, select its name to open it.
– Under Permissions, choose Add inline policy.
– Choose the JSON tab.


– Open the IAM roles section of the flow logs documentation at https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam, copy the permissions policy for flow logs, and paste it into the JSON editor. The policy below is the one from that page; note that it uses "Resource": "*", so the role can write to any log group in the account. If you already know the log group name, you can narrow the Create and Put actions to that log group's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

– Choose Review policy.
– Enter a name for your policy, and then choose Create policy.
– Return to the flow logs role you created earlier (click on the role name).
– Choose Trust relationships.

– Choose Edit trust relationship and delete the existing policy document (it still trusts ec2.amazonaws.com from the role creation step).
– Copy and paste the trust policy for flow logs from https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam. It allows only the VPC Flow Logs service principal to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

– When you are done, choose Update Trust Policy.

Note: On the Summary page, take note of the Role ARN for your role. You need this ARN when you create your flow log.
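The same procedure can be scripted with the AWS CLI. The script below is an added example, not from the original post: it writes the trust policy with the vpc-flow-logs.amazonaws.com principal from the start (so there is no EC2 trust to replace), attaches the permissions policy as an inline policy, creates the log group, and creates the flow log with the role ARN. As an added hardening that the original policy does not have, the Create and Put actions are scoped to the one log group; the Describe actions stay on "*". The role name, log group name, region, VPC ID and the account number used in the preview are assumptions, and the AWS calls only run when you pass --apply with a configured AWS CLI.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the console walk-through above.
# Assumed values (replace for your environment):
set -eu
ROLE_NAME="${ROLE_NAME:-Chris-Flow-Logs-Role}"
LOG_GROUP="${LOG_GROUP:-/vpc/flow-logs}"       # assumed log group name
REGION="${AWS_REGION:-us-east-1}"               # assumed region
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"       # placeholder VPC ID

# Trust policy: only the VPC Flow Logs service may assume the role.
trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy. Describe* needs "*"; the write actions are narrowed to
# the log group and its streams (the ARNs are built from the arguments).
permissions_policy_json() {
  account="$1"; region="$2"; log_group="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": [
        "arn:aws:logs:${region}:${account}:log-group:${log_group}",
        "arn:aws:logs:${region}:${account}:log-group:${log_group}:*"
      ]
    }
  ]
}
EOF
}

# Create the role, attach the inline policy, then create the flow log.
create_flow_logs_role() {
  account="$(aws sts get-caller-identity --query Account --output text)"

  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json)" \
    --query Role.Arn --output text

  aws iam put-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-name FlowLogsCloudWatch \
    --policy-document "$(permissions_policy_json "$account" "$REGION" "$LOG_GROUP")"

  # Creating the group up front avoids relying on the role's CreateLogGroup right.
  aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP" || true

  aws ec2 create-flow-logs \
    --region "$REGION" \
    --resource-type VPC \
    --resource-ids "$VPC_ID" \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name "$LOG_GROUP" \
    --deliver-logs-permission-arn "arn:aws:iam::${account}:role/${ROLE_NAME}"
}

# Without --apply the script only prints the two documents for review.
if [ "${1:-}" = "--apply" ]; then
  create_flow_logs_role
else
  trust_policy_json
  permissions_policy_json 123456789012 "$REGION" "$LOG_GROUP"   # sample account number
fi
```

Run it once without arguments to inspect the generated policies, then with --apply to create the role and the flow log. After it runs, confirm the role's trust relationship in the IAM console shows only vpc-flow-logs.amazonaws.com, and check that log streams named after your network interfaces start appearing in the log group.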

Note: To create a flow log, view flow logs and delete a flow log, please follow the URL below.
