twtech Overview of AWS VPC Flow Logs CloudWatch permissions
Scope:
- How VPC Flow Logs CloudWatch permissions work,
- Required IAM roles,
- Policies,
- Security considerations,
- Best practices.
Breakdown:
- Overview of VPC Flow Logs,
- How the Permission Flow Works,
- IAM Role Breakdown,
- Security Considerations,
- CloudWatch Log Group Resource Policy (Cross-Account),
- Flow Log Delivery Process (CloudWatch Path),
- Common Errors and Fixes,
- Advanced Tips,
- Summary Table.
Overview of VPC Flow Logs
- VPC Flow Logs capture IP traffic information going to and from network interfaces in twtech VPC.
- Flow log data can be published to one of two destinations:
  - Amazon CloudWatch Logs, or
  - Amazon S3
NB:
When twtech chooses CloudWatch Logs, AWS uses an IAM role supplied by twtech to push flow log data from twtech VPC to the target CloudWatch Log Group.
How the Permission Flow Works
1. The VPC Flow Logs service acts as the publisher of the logs.
2. It requires permission to write to a specific CloudWatch Log Group.
3. twtech (the account owner) provides this permission via an IAM role whose trust policy allows the vpc-flow-logs.amazonaws.com service principal to assume it; the role's permissions policy then grants the write access to the Log Group.
IAM Role Breakdown
1. Trust Policy
- Defines who can assume the role, in this case the VPC Flow Logs service:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
✅ Key Point:
- This allows the VPC Flow Logs service to assume the role temporarily through AWS STS (Security Token Service); the service receives short-lived credentials rather than a long-lived key.
2. Permissions Policy
- Grants the flow log role permission to publish logs into CloudWatch Logs:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
✅ Best Practice:
- `"Resource": "*"` lets the role write to every log group in the account. Restrict the `Resource` to the specific Log Group ARN, e.g.:
```json
"Resource": "arn:aws:logs:us-east-2:accountID:log-group:/aws/vpc/flow-logs:*"
```
Security Considerations
Considerations
| Concern | Recommendation |
|---|---|
| Excessive permissions | Scope the `Resource` to the specific Log Group ARN instead of `*`. |
| Cross-account publishing | Add a resource-based policy on the Log Group to allow another account's Flow Logs role. |
| Least privilege principle | Don't grant wildcard (`*`) actions or resources; limit the role to the `logs:` actions delivery needs. |
| Multi-region setups | Create region-specific roles and log groups; CloudWatch Logs are regional. |
CloudWatch Log Group Resource Policy (Cross-Account)
NB:
- If Flow Logs are being delivered from a different AWS account, the destination account should attach a resource policy to the Log Group, like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-2:accountID:log-group:/aws/vpc/flow-logs:*"
    }
  ]
}
```
Flow Log Delivery Process (CloudWatch Path)
Architecture Flow:
Common Errors and Fixes
| Error Message | Cause | Fix |
|---|---|---|
| | IAM role missing permission | Add the missing `logs:` permission to the role's permissions policy |
| | Role not in same account | Verify role ARN and trust policy |
| | Log group deleted or wrong region | Recreate or update destination ARN |
| Flow logs not delivered | CloudWatch Logs throttling or missing role | Check CloudWatch Logs limits & IAM trust |
Advanced Tips
- Centralized Logging: Aggregate Flow Logs from multiple accounts using CloudWatch Logs subscription filters → Kinesis Firehose → S3 / SIEM.
- Cost Control: Use retention policies and log filters to manage CloudWatch costs.
- Analysis: Use CloudWatch Logs Insights queries like:
```
fields @timestamp, srcAddr, dstAddr, action
| filter action = 'REJECT'
| sort @timestamp desc
```
- Automation: Use CloudFormation or Terraform to standardize roles and log group setup across accounts.
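The same REJECT filter applied offline to raw flow log records in the default format, useful for checking what the Logs Insights query above would return before the log group exists, or for records exported to S3. This is an added example, not twtech's own code; the sample records are constructed (RFC 5737 test addresses, a placeholder account ID), it sorts by the record's `start` field rather than the ingestion `@timestamp`, and it goes one step past the query by skipping `NODATA`/`SKIPDATA` records and counting the busiest rejected sources.

```python
"""Offline equivalent of the Logs Insights query above: parse VPC flow log
records in the default format, keep REJECT actions newest first, and count the
busiest rejected sources. Added example, not twtech's own code; the sample
records below are constructed (RFC 5737 test addresses, placeholder account ID)."""
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ["version", "accountId", "interfaceId", "srcAddr", "dstAddr", "srcPort",
          "dstPort", "protocol", "packets", "bytes", "start", "end", "action", "logStatus"]

SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 203.0.113.9 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51234 22 6 1 44 1700000120 1700000180 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51235 3389 6 1 44 1700000060 1700000120 REJECT OK",
    # NODATA records carry '-' placeholders and no action; SKIPDATA looks the same
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000180 1700000240 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.33 10.0.1.5 40000 8080 6 1 44 1700000200 1700000260 REJECT OK",
    "not a flow log record",
]


def parse_flow_log_line(line):
    """Return a dict for a well-formed OK record, or None for malformed or
    NODATA/SKIPDATA records (their numeric fields are '-')."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["logStatus"] != "OK":
        return None
    for key in ("srcPort", "dstPort", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_flows(lines):
    """Equivalent of: filter action = 'REJECT' | sort start desc."""
    recs = [r for r in map(parse_flow_log_line, lines) if r and r["action"] == "REJECT"]
    return sorted(recs, key=lambda r: r["start"], reverse=True)


def top_rejected_sources(lines, n=3):
    """Count rejected flows per source address, most frequent first."""
    return Counter(r["srcAddr"] for r in rejected_flows(lines)).most_common(n)


if __name__ == "__main__":
    for r in rejected_flows(SAMPLE_LINES):
        print(r["start"], r["srcAddr"], "->", r["dstAddr"], r["dstPort"])
    print(top_rejected_sources(SAMPLE_LINES))
```

Feed it the lines of an exported log stream and the `REJECT` rows come back newest first; the `NODATA` record and the malformed line are dropped rather than raising on `int('-')`.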
Summary Table
| Component | Purpose | Example |
|---|---|---|
| VPC Flow Logs service | Generates flow log data. | `vpc-flow-logs.amazonaws.com` |
| IAM Role (trust policy) | Allows service to assume role. | `sts:AssumeRole` for the service principal |
| IAM Policy (permissions) | Grants CloudWatch write access. | `logs:PutLogEvents` |
| CloudWatch Log Group | Destination for log entries. | `/aws/vpc/flow-logs` |
| Resource Policy (optional) | For cross-account writes. | Allow service principal |