VPC Flow Logs

  • VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

  • Flow log data can be published to CloudWatch Logs or S3.

  • Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency.

  • You can create a flow log for a VPC, a subnet, or a network interface.

  • If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.

Default format

  • By default, the log line format for a flow log record is a space-separated string that has the following set of fields in the following order:

    • <version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>

Examples

  • In this example, SSH traffic (destination port 22, TCP protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was allowed:

    • 2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

  • In this example, RDP traffic (destination port 3389, TCP protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was rejected:

    • 2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
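A small parser for the default record format described above, added here as an example (it is not code from this page or from AWS). It splits each record by the field order given under "Default format", converts numeric fields, treats a "-" field as absent, and then applies a simple defender-side check: list REJECT records for TCP traffic to the SSH and RDP ports used in the two examples. The sample input reuses the two records from this page; the third NODATA line is a constructed assumption to show how a record with no traffic is handled.

```python
"""Parse default-format VPC Flow Log records and pick out rejected admin traffic."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Field order of the default flow log record, exactly as listed on this page.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
# Numeric fields; everything else stays a string.
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the two records quoted on this page, plus one NODATA record
# (an assumption about a capture window with no traffic, where fields are "-").
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""

Record = Dict[str, object]


def parse_record(line: str) -> Record:
    """Split one space-separated record into a dict keyed by field name.

    A "-" means the field is absent for this record (e.g. NODATA/SKIPDATA
    windows) and is stored as None; numeric fields become int.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Record = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        else:
            rec[name] = raw
    return rec


def parse_log(text: str) -> List[Record]:
    """Parse every non-empty line of a flow log export."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def capture_window(rec: Record) -> Tuple[datetime, datetime]:
    """Return the record's start/end epoch seconds as UTC datetimes."""
    return (datetime.fromtimestamp(rec["start"], tz=timezone.utc),
            datetime.fromtimestamp(rec["end"], tz=timezone.utc))


def rejected_admin_access(records: List[Record],
                          admin_ports: Tuple[int, ...] = (22, 3389)) -> List[Tuple[str, str, int]]:
    """Pick out REJECT records for TCP (protocol 6) to administrative ports.

    Returned tuples are (srcaddr, dstaddr, dstport). NODATA rows carry no
    addresses or ports, so their None values never match and they are skipped.
    """
    hits: List[Tuple[str, str, int]] = []
    for rec in records:
        if rec["action"] != "REJECT" or rec["log_status"] != "OK":
            continue
        if rec["protocol"] == 6 and rec["dstport"] in admin_ports:
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, port in rejected_admin_access(recs):
        start, end = capture_window(recs[0])
        print(f"{start:%Y-%m-%d %H:%M:%S}Z rejected admin access {src} -> {dst}:{port}")
```

The strict field-count check matters in practice: records written with a custom format, or a truncated export, would otherwise be silently mis-mapped onto the wrong field names. Aggregating the returned tuples by source address over many capture windows is the usual next step for spotting scanning against a subnet.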
