Create a Virtual Private Cloud (VPC). Includes multiple subnet tiers, NACLs, NAT gateways, Internet Gateways, and VPC peering.
This Terraform Module creates a VPC flow log. The flow log will capture IP traffic information for a given VPC, subnet, or Elastic Network Interface (ENI). Flow logs can be configured to capture all traffic, only traffic that is accepted, or only traffic that is rejected. The logs can be published to Amazon CloudWatch Logs or an S3 bucket.
Check out the vpc-flow-logs examples.
See vars.tf for all the available configuration options.
VPC Flow Logs are a feature to help you understand, debug, and evaluate the network traffic in your VPCs. Flow logs will capture information such as the client IP address and port, the protocol, whether traffic was accepted or rejected (e.g. due to a security group rule forbidding such traffic), and other metadata about the request and response.
For example, consider the following flow log record:
2 318677964956 eni-0a4c0daa903d85a52 184.108.40.206 10.0.3.254 55428 139 6 1 44 1565031303 1565031350 REJECT OK
This shows a single rejected TCP packet (protocol 6) of 44 bytes from 184.108.40.206, a public address outside the VPC, to 10.0.3.254 (an internal VPC address) on destination port 139 (the NetBIOS session service, the transport for legacy Windows SMB file sharing), recorded on interface eni-0a4c0daa903d85a52 in account 318677964956. The packet was sent within the capture window between Monday, August 5, 2019 6:55:03 PM UTC (1565031303) and Monday, August 5, 2019 6:55:50 PM UTC (1565031350); the trailing OK is the log status and means the flow was recorded normally. For a complete description of the fields, refer to the Flow Log Records documentation.
This particular flow log record was recorded from a newly created EC2 instance running Linux, and yet the packet is destined for port 139, the NetBIOS transport for Server Message Block (SMB), a Windows file sharing protocol that this instance is not even running. Why would this occur? Because publicly routable IP addresses are continuously barraged by probes from malicious hosts seeking vulnerable systems to compromise. Here the probe was rejected, which is exactly what a properly restricted security group or network ACL should do. This is one reason why it is crucial to have a battle-tested, production-grade network architecture that limits attack surface and enforces segmentation.
VPC Flow Logs do not capture packet payloads; use VPC Traffic Mirroring if you need payloads. Furthermore, flow logs do not capture all IP traffic: for example, traffic to and from the instance metadata service (169.254.169.254), DHCP traffic, and traffic to the Amazon DNS resolver are not logged, and records are aggregated over a capture window rather than emitted per packet, so one record can summarize many packets. For the full list of flow log limitations, consult the AWS documentation.
Flow Logs can help to define least privilege permissions for security group rules. They can also help to identify malicious network activity to prevent or respond to an attack. Flow logs are required by some information security standards, such as the CIS AWS Foundations Benchmark.
The easiest way to use Flow Logs is to configure the CloudWatch Logs destination and use the web console. The available fields in a flow log record tell you information about IP traffic such as source and destination address and port, protocol, bytes and packets sent, whether the traffic was accepted or rejected, and more.
If you use an S3 destination, flow log files are delivered to the S3 bucket at roughly 5-minute intervals as gzip-compressed text files. Each file begins with a header line naming the fields, followed by one record per line, so any tooling that reads the S3 files must skip or honor that header.
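The following is an added example, not code from this module, that ties together the record walkthrough above, the S3 file format, and the two uses mentioned on this page (spotting probes and deriving least-privilege security group rules). It parses default-format version 2 records, with or without the S3 header line, and summarizes them. The first sample record is the one quoted above; the remaining records, the VPC CIDR 10.0.0.0/16, and the function names are constructed for the example.

```python
"""Parse and summarise AWS VPC Flow Log records (version 2, default format)."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Field order of the default (version 2) flow log format. CloudWatch Logs
# delivers bare records in this order; S3-delivered files carry a header
# line naming the fields, which parse_records() honours instead.
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

# Constructed sample: the first record is the one quoted on this page, the
# rest are made up to exercise ACCEPT records and a NODATA record.
SAMPLE = """\
2 318677964956 eni-0a4c0daa903d85a52 184.108.40.206 10.0.3.254 55428 139 6 1 44 1565031303 1565031350 REJECT OK
2 318677964956 eni-0a4c0daa903d85a52 198.51.100.17 10.0.3.254 41022 139 6 1 44 1565031310 1565031360 REJECT OK
2 318677964956 eni-0a4c0daa903d85a52 198.51.100.17 10.0.3.254 41023 445 6 1 44 1565031311 1565031360 REJECT OK
2 318677964956 eni-0a4c0daa903d85a52 203.0.113.9 10.0.3.254 50100 443 6 12 3040 1565031320 1565031370 ACCEPT OK
2 318677964956 eni-0a4c0daa903d85a52 10.0.3.254 203.0.113.9 443 50100 6 10 6200 1565031320 1565031370 ACCEPT OK
2 318677964956 eni-0a4c0daa903d85a52 - - - - - - - 1565031380 1565031440 - NODATA
"""


def _int_or_none(value):
    # NODATA and SKIPDATA records carry "-" in place of most fields.
    return None if value == "-" else int(value)


def parse_records(text):
    """Parse flow log lines into dicts keyed by the v2 field names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = DEFAULT_FIELDS
    if lines and lines[0].split()[0] == "version":  # S3 file header line
        fields = lines[0].split()
        lines = lines[1:]
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(fields, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            if key in rec:
                rec[key] = _int_or_none(rec[key])
        records.append(rec)
    return records


def describe(rec):
    """Render one OK record the way the walkthrough above reads it."""
    start = datetime.fromtimestamp(rec["start"], tz=timezone.utc)
    end = datetime.fromtimestamp(rec["end"], tz=timezone.utc)
    proto = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
    return (
        f"{rec['action']} {rec['packets']} packet(s), {rec['bytes']} bytes, "
        f"{proto} {rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
        f"on {rec['interface-id']} between {start:%Y-%m-%d %H:%M:%S} "
        f"and {end:%Y-%m-%d %H:%M:%S} UTC"
    )


def rejected_probes(records, vpc_cidr, top=5):
    """Count REJECTed flows from outside the VPC by destination port.

    A steady trickle on 139/445/22/3389 from many sources is scanner noise;
    a burst against one interface deserves a closer look.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    counts = Counter()
    for rec in records:
        if rec["log-status"] != "OK" or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc:
            continue
        counts[rec["dstport"]] += 1
    return counts.most_common(top)


def accepted_ingress(records, vpc_cidr):
    """Map (protocol, dst port) -> sorted external sources actually ACCEPTed.

    Inbound flows have a destination inside the VPC and a source outside it.
    The result is a starting point for least-privilege security group rules.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = defaultdict(set)
    for rec in records:
        if rec["log-status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if dst not in vpc or src in vpc:
            continue
        proto = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
        seen[(proto, rec["dstport"])].add(str(src))
    return {key: sorted(srcs) for key, srcs in seen.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(describe(recs[0]))
    print("rejected probes by port:", rejected_probes(recs, "10.0.0.0/16"))
    print("accepted ingress:", accepted_ingress(recs, "10.0.0.0/16"))
```

The VPC CIDR is passed in rather than relying on ipaddress.is_private, because that property also flags the documentation ranges (198.51.100.0/24, 203.0.113.0/24) as private and would hide the sample probes. To run this over S3-delivered logs, gunzip each file and feed its text to parse_records; the header line is detected automatically.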
The difference between the three has to do with how many network interfaces send records into the flow log:
If you set eni_id, the log includes data for that single elastic network interface only
If you set subnet_id, the log includes data for every network interface created within the given subnet
If you set vpc_id, the log includes data for every network interface created within the given VPC
Flow logs can be encrypted using the AWS Key Management Service (KMS). You can provide the ARN of a KMS key, or the module will create one if no ARN is provided. If you supply an existing key, you must ensure that its key policy grants the logging service access to the key; the requirements for flow logs published to CloudWatch Logs and to S3 differ slightly, so refer to the documentation for each. See also the comments in the
TODO: Publish flow logs to an S3 bucket or CloudWatch Logs group in another account