AWS VPC Flow Logs - centralized

Question

Hi team.

I have some questions abot vpc flow logs.
1. I have Control Tower, and a Log Archive account with 02 buckets:
aws-controltower-logs-
aws-controltower-s3-access-logs-
By default when Account Factory crea a VPC, it creates a vpc flow logs with Cloudwatch Logs in every account. So I understand this is not sent to Log Archive account, is it rigth?

2.-The recommended method for vpc flow logs is using Cloudwatch logs or sent to S3 bucket?, If s3 bucket is recommended, could I use the buckets the Control Tower created in Log Archive account during setup, o should I use another new bucket in Log Archive account. Or how I could centralize my vpc flow logs or other logs fron any application?

Thank you.

Riku_Kobayashi · Answer

Hello.

"aws-controltower-logs- aws-controltower-s3-access-logs-" is a bucket for saving S3 access logs of the bucket where CloudTrail and Config logs are aggregated, so VPC flow logs cannot be saved.  
In order to centrally manage VPC flow logs, application logs, etc., you will need to configure cross-account output settings separately.  
https://docs.aws.amazon.com/controltower/latest/userguide/accounts.html  
> This account contains a central Amazon S3 bucket for storing a copy of all AWS CloudTrail and AWS Config log files for all other accounts in your landing zone. As a best practice, we recommend restricting log archive account access to teams responsible for compliance and investigations, and their related security or audit tools. This account can be used for automated security audits, or to host custom AWS Config Rules, such as Lambda functions, to perform remediation actions.

To output logs output to CloudWatch Logs to S3 in a separate account, the settings in the following document may be helpful.  
https://repost.aws/knowledge-center/kinesis-firehose-cloudwatch-logs

AWS VPC Flow Logs - centralized

Relevant content