Central cloudwatch logs group for vpc flowlogs from multiple accounts



I need to send all the VPC flow logs to a central CloudWatch log group. Now I can send them to the local account's CloudWatch log group, but I need to send them to a central CloudWatch log group.

can you please help?

Asked 2 years ago, 893 views
2 Answers
  • Hi, we have this architecture in place already, and here the target is an S3 bucket. But I need to send VPC logs to central CloudWatch log groups and not to an S3 bucket. Thanks. Please advise.

  • I am not sure if this can be achieved in a straightforward way, as Jason has mentioned. The subscriptions are only possible to Kinesis Data Streams, Kinesis Data Firehose, OpenSearch or Lambda. Typically, when customers use centralized logging solutions, they use OpenSearch or third-party solutions like Splunk (KDF can send logs to Splunk and some other tools), or they use S3.


As you know, VPC Flow Logs can publish to Amazon S3 or Amazon CloudWatch.

Publishing flow logs directly to a log group in another account is not possible, because the VPC flow log executes as a service role that you specify with a trust relationship to vpc-flow-logs.amazonaws.com. This service role must exist inside the account in which the flow logs reside; it is not possible to assume a role in another account. This process is outlined here.

If you try you will receive the following error: An error occurred (InvalidParameter) when calling the CreateFlowLogs operation: LogDestination must belong to the same account as the API caller.

If VPC Flow Logs pushes logs to an S3 bucket in another account, the bucket policy grants the permission, which means that the flow log uses a service role in the source account and the bucket policy allows the write from that service role in the source account.

However, if you must publish to a CloudWatch log group in another account, you could publish to a CloudWatch log group locally in the same account, and then use CloudWatch subscriptions to push the logs to Amazon Kinesis Data Streams, Amazon Kinesis Data Firehose, or AWS Lambda, which can then publish to CloudWatch log groups in a different account.

Without understanding your use case, I would suggest sharing the data centrally using Amazon S3 as you do today. When the log lands in the central S3 bucket, you could use a Lambda trigger to add it to CloudWatch if you must. Something to note: publishing to a CloudWatch log group costs $0.50 per GB in us-east-1, and storing it costs $0.03 per GB. Publishing to S3 will use Kinesis Firehose and Amazon S3: Kinesis Firehose will cost $0.029 per GB and then storage in Amazon S3 would be $0.023 per GB.

Answered 2 years ago
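One way to realize the subscription-filter route the answer above describes (local log group, then a CloudWatch Logs subscription to a Lambda that writes into another account), as an added example that is not from the thread, from AWS, or from any AWS sample: a Python forwarder Lambda that decodes the subscription event, assumes a role in the central account, and calls PutLogEvents on the central log group. The central log group name, the role ARN (which must trust the Lambda's execution role), and the flow-log records are constructed assumptions, not values from the thread.

```python
import base64
import gzip
import json

# Assumed, not from the thread: the central account's log group and the role there this Lambda assumes.
CENTRAL_LOG_GROUP = "/central/vpc-flow-logs"
CENTRAL_ROLE_ARN = "arn:aws:iam::111111111111:role/CentralFlowLogWriter"
MAX_EVENTS_PER_PUT = 10000  # PutLogEvents accepts at most 10,000 events per call
# Constructed sample of a decoded subscription payload: two records, deliberately out of time order.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE", "owner": "222222222222", "logGroup": "/aws/vpc/flowlogs",
    "logStream": "eni-0a1b2c3d-all", "subscriptionFilters": ["to-central"],
    "logEvents": [
        {"id": "2", "timestamp": 1700000001000,
         "message": "2 222222222222 eni-0a1b2c3d 10.0.0.5 10.0.1.9 443 51234 6 10 840 1700000000 1700000060 ACCEPT OK"},
        {"id": "1", "timestamp": 1700000000000,
         "message": "2 222222222222 eni-0a1b2c3d 10.0.1.9 10.0.0.5 51234 443 6 8 512 1700000000 1700000060 ACCEPT OK"},
    ],
}

def encode_subscription_event(payload):
    """Wrap a payload as CloudWatch Logs delivers it: JSON -> gzip -> base64 under awslogs.data."""
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()}}

def decode_subscription_event(event):
    """Recover the JSON payload from a Lambda subscription event."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def build_put_requests(payload):
    """PutLogEvents kwargs for the central group: drop CONTROL_MESSAGE probes (they carry no data), fold
    source account and log group into the stream name, and sort/chunk events as PutLogEvents requires."""
    if payload.get("messageType") != "DATA_MESSAGE": return []
    stream = f"{payload['owner']}/{payload['logGroup'].strip('/')}/{payload['logStream']}"
    events = sorted(({"timestamp": e["timestamp"], "message": e["message"]}
                     for e in payload["logEvents"]), key=lambda e: e["timestamp"])
    return [{"logGroupName": CENTRAL_LOG_GROUP, "logStreamName": stream,
             "logEvents": events[i:i + MAX_EVENTS_PER_PUT]}
            for i in range(0, len(events), MAX_EVENTS_PER_PUT)]

def lambda_handler(event, context):
    import boto3  # imported here so the helpers above stay testable without AWS access
    creds = boto3.client("sts").assume_role(RoleArn=CENTRAL_ROLE_ARN, RoleSessionName="flowlog-fwd")["Credentials"]
    logs = boto3.client("logs", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    for req in build_put_requests(decode_subscription_event(event)):
        try:  # the stream may already exist from an earlier batch of the same ENI
            logs.create_log_stream(logGroupName=req["logGroupName"], logStreamName=req["logStreamName"])
        except logs.exceptions.ResourceAlreadyExistsException: pass
        logs.put_log_events(**req)
```

Keeping the source account ID in the destination stream name is what lets the central account tell accounts apart once many VPCs feed one group; the central role's policy can be limited to CreateLogStream and PutLogEvents on that single group.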
