VPC flow log: no data in CloudWatch

0

We set up an EC2 instance and ran a Python 3 HTTP server on port 63320.

Then we created a VPC flow log with CloudWatch as the destination. We visited the EC2 instance over HTTP and it showed the current files under the EC2 home directory; we downloaded one file from the Chrome browser. But no log stream was generated after 2 hours. Why is there no log stream?

asked 2 years ago, 697 views
2 answers
1

Hi there,

It looks like VPC Flow Logs is unable to assume the role. Could you check the IAM role associated with the VPC flow log and make sure it has the required trust relationship allowing VPC Flow Logs to assume that role? The trust relationship should look like the one below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
} 

This can also be seen in Step 9 of this document, which creates a role for VPC Flow Logs and changes the trust relationship policy from allowing EC2 to allowing VPC Flow Logs. Once VPC Flow Logs is able to assume the associated role, the flow logs should start appearing in your CloudWatch log group, assuming you have confirmed that adequate permissions are in place on the role.

Additionally, it seems you are using an existing role, possibly one used by other services such as EC2. If this is the case, we recommend you create a separate new role just for VPC Flow Logs to avoid any unintentional issues caused by permission conflicts. You can follow the document mentioned above to create the required role.

Hope this helps!

AWS
SUPPORT ENGINEER
answered 2 years ago
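The two conditions the answer above describes (the role's trust policy must name vpc-flow-logs.amazonaws.com, and its permissions policy must grant the CloudWatch Logs actions) can be checked offline against the JSON that `aws iam get-role` and `aws iam get-role-policy` return. The script below is an added example, not code from the original thread or from AWS. Its policy documents are constructed samples: one role created from the EC2 use case (the mistake the answer describes), one with the recommended trust policy, and a permissions policy built from the action list in the VPC user guide. The role names and the account ID are placeholders, and the checker deliberately ignores Deny statements, Resource scoping and Conditions; it is a triage tool, not an IAM policy evaluator.

```python
"""Offline sanity check of the IAM role behind a VPC flow log (CloudWatch Logs destination).

Added example, not code from the original re:Post thread or from AWS. The policy
documents below are constructed samples of what `aws iam get-role` and
`aws iam get-role-policy` return; a real check would feed those outputs in instead.
"""
import fnmatch
import json

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

# Actions the VPC user guide (flow-logs-cwl.html) lists for publishing to CloudWatch Logs.
REQUIRED_LOG_ACTIONS = frozenset({
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
})

# Constructed sample: a role created for the EC2 use case, the mistake the answer describes.
EC2_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
  ]
}""")

# Constructed sample: the trust policy the answer recommends.
FLOW_LOGS_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "vpc-flow-logs.amazonaws.com"}, "Action": "sts:AssumeRole"}
  ]
}""")

# Constructed sample: permissions policy with exactly the documented actions.
FLOW_LOGS_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": sorted(REQUIRED_LOG_ACTIONS),
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Statement, Service and Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(required: str, pattern: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards (e.g. logs:*)."""
    return fnmatch.fnmatchcase(required.lower(), pattern.lower())


def flow_logs_can_assume(trust_policy: dict) -> bool:
    """True if an Allow statement lets vpc-flow-logs.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if FLOW_LOGS_SERVICE in services and any(_matches("sts:AssumeRole", a) for a in actions):
            return True
    return False


def missing_log_actions(permissions_policy: dict) -> set:
    """Required logs actions that no Allow statement grants. Deny/Resource/Condition are ignored."""
    granted = set()
    for stmt in _as_list(permissions_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in REQUIRED_LOG_ACTIONS if _matches(a, pattern))
    return set(REQUIRED_LOG_ACTIONS) - granted


def diagnose(trust_policy: dict, permissions_policy: dict) -> list:
    """Human-readable findings for one role; an empty list means both checks passed."""
    findings = []
    if not flow_logs_can_assume(trust_policy):
        findings.append(
            f"trust policy does not allow {FLOW_LOGS_SERVICE} to sts:AssumeRole; "
            "the flow log cannot use this role however broad its permissions are"
        )
    missing = missing_log_actions(permissions_policy)
    if missing:
        findings.append("permissions policy lacks: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Placeholder role names; the first reproduces the failure mode from the thread.
    for name, trust in (("ec2-role", EC2_TRUST_POLICY), ("flow-logs-role", FLOW_LOGS_TRUST_POLICY)):
        result = diagnose(trust, FLOW_LOGS_PERMISSIONS_POLICY)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

The trust-policy check is the one that matters for the symptom in the thread: a role whose permissions policy is AdministratorAccess still produces no log streams if its trust policy only names ec2.amazonaws.com, because the flow log never obtains credentials from the role in the first place. To run it against a real role, pass the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` as the trust policy and the role's inline or attached policy document as the permissions policy.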
0

Do you have an IAM role associated with the VPC flow log with enough permissions to publish to CloudWatch Logs? If not, check this link: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html. It explains the permissions needed.

AWS
Pablo_S
answered 2 years ago
  • Yes, my IAM role has AdminAccess for the VPC flow log. There is an error message "log destination is not accessible", but my log destination is /aws/vpc/flowlog1; if I double-click this destination, it goes to the log group, but there is no log stream. Not sure why.
