How do I activate Amazon VPC Flow Logs?

3 minute read

I want to use the AWSSupport-EnableVPC Flowlogs runbook to activate Amazon VPC Flow Logs.

Short description

Amazon Virtual Private Cloud (VPC) Flow Logs is a monitoring service that captures detailed information about the traffic going to and from the network interfaces in your VPCs.

You can activate VPC Flow Logs to capture data at a network interface level, at the VPC subnet level, or for the entire VPC. VPC Flow Logs also help in troubleshooting overly restrictive security group rules.

You can publish flow logs to any of these destinations: Amazon CloudWatch Logs, Amazon Simple Storage Service (Amazon S3), or Amazon Kinesis Data Firehose. For more information, see AWSSuppot-EnableVPCFlowlogs.
Note: Data ingestion and archival charges for vended logs apply when you publish flow logs. For more information about pricing, see VPC Flow log pricing.



Before you run the automation, make sure that your AWS Identity and Access Management (IAM) user or role has the permissions listed in Required IAM permissions.

Set up the automation workflow

Follow these steps to configure the automation workflow:

  1. Navigate to the AWS Systems Manager console.
  2. In the navigation pane, choose Documents.
  3. In the search bar, enter AWSSupport-EnableVPCFlowLogs.
  4. Select AWSSupport-EnableVPCFlowLogs.
  5. Select Execute automation.
  6. For the input parameters enter the following:
  • ResourceIds (required): A comma-separated list of the IDs for the subnets, elastic network interfaces, or VPC that you want to create a flow log for.
  • TrafficType (required): The type of traffic to log. You can log traffic that the resource accepts or rejects, or you can log all traffic.
  • LogDestinationType (required): Where you publish the flow log data. If you specify LogDestinationType as Amazon Simple Storage Service (S3), don't specify DeliverLogsPermissionArn or LogGroupName.
  • DeliverLogsPermissionArn (optional): The Amazon Resource Name (ARN) for the IAM role that permits Amazon Elastic Compute Cloud (Amazon EC2) to publish flow logs to the CloudWatch Logs log group in your account. If you specify Amazon S3 for the LogDestinationType parameter, don't provide a value for this parameter.
  • LogDestinationARN (optional): The destination where the flow log data gets published. Using AWS Support Automation Workflow (SAW) you can publish flow log data to a CloudWatch Logs log group or to an Amazon S3 bucket.
  • LogFormat (optional): The fields to include in the flow log record, in the order in which they should appear. For a list of flow log formats and fields, see default format, custom format, and available fields.
  • LogGroupName (depends on LogDestinationType): The name of the CloudWatch Logs log group where you want to publish the flow log data to.
    Note: Configure this parameter if the parameter LogDestinationType is set to cloud-watch-logs.
  • AutomationAssumeRole (optional): The ARN of the role that allows the Automation runbook to perform the actions on your behalf. If you don't specify a role, then Systems Manager Automation uses your current IAM user permissions to initiate the runbook.

View your Amazon VPC flow log

Follow these steps to view the logs:

  1. Open the Amazon VPC console.
  2. Choose Your VPCs in the left panel.
  3. Select your VPC ID from the list.
  4. Select the tab Flow logs to see the log details.

Related information

Run an automation

Setting up automation

Systems Manager Automation runbook reference