You can update an existing role, or use the following procedure to create a new role for flow logs in the AWS Identity and Access Management (IAM) console. The role is created with the EC2 use case only to get through the console wizard; the trust relationship is changed afterwards so that only the VPC Flow Logs service can assume it.

To create an IAM role for flow logs

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Roles, then Create role.

3. For Select type of trusted entity, choose AWS service. For Use case, choose EC2. Choose Next.

4. On the Add permissions page, choose Next: Tags and optionally add tags. Choose Next.

5. On the Name, review, and create page, enter a name for your role and optionally provide a Description. Choose Create role.

6. Choose the name of your role. For Add permissions, choose Create inline policy, and then choose the JSON tab.

7. Copy the first policy from IAM roles for publishing flow logs to CloudWatch Logs and paste it in the window. Choose Review policy.

8. Enter a name for your policy, and choose Create policy.

9. Select the name of your role. For Trust relationships, choose Edit trust relationship. In the existing policy document, change the service principal from ec2.amazonaws.com to vpc-flow-logs.amazonaws.com. Choose Update Trust Policy. Until this step is done, the role is still trusted by the EC2 service rather than by the flow logs service, and flow log creation will fail.

10. On the Summary page, note the ARN for your role. You need this ARN when you create your flow log.
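The procedure above produces two policy documents: the inline permissions policy (step 7) and the trust policy (step 9). The following added example, which is not part of this page or AWS's own code, builds both documents and checks a trust policy the way a reviewer would after step 9: the only trusted service principal must be vpc-flow-logs.amazonaws.com, and the statement should carry aws:SourceAccount and aws:SourceArn conditions so that the flow logs service can assume the role only on behalf of flow logs in your own account (the confused-deputy guard that the AWS flow logs documentation recommends). The account ID, region, the shape of the default wizard trust policy, and the CloudWatch Logs action list are assumptions that you should compare against the policy you copied in step 7.

```python
"""Build and sanity-check IAM policies for a VPC Flow Logs delivery role.

Added example, not code from the page or from AWS. Assumptions:
  - the CloudWatch Logs actions listed in permissions_policy() match the
    "first policy" the procedure tells you to copy in step 7;
  - the console EC2 wizard produces a trust policy that trusts
    ec2.amazonaws.com for sts:AssumeRole with no Condition block;
  - the account ID and region used in the examples are placeholders.
"""
import json

FLOW_LOGS_PRINCIPAL = "vpc-flow-logs.amazonaws.com"
EC2_PRINCIPAL = "ec2.amazonaws.com"  # what the wizard trusts before step 9


def default_wizard_trust_policy() -> dict:
    """Trust policy as the console EC2 use case creates it (assumed shape)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": EC2_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy after step 9, plus source-account/ARN conditions so the
    flow logs service can only assume this role for flow logs in this account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"
                },
            },
        }],
    }


def permissions_policy() -> dict:
    """Inline permissions policy: the CloudWatch Logs actions flow logs need."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
            ],
            "Resource": "*",
        }],
    }


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict, account_id: str) -> list:
    """Return findings for every Allow sts:AssumeRole statement; [] means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("Service")):
            if principal != FLOW_LOGS_PRINCIPAL:
                findings.append(
                    f"trusted principal {principal!r}, expected {FLOW_LOGS_PRINCIPAL!r}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append("missing or wrong aws:SourceAccount condition")
        if "aws:SourceArn" not in cond.get("ArnLike", {}):
            findings.append("missing aws:SourceArn condition")
    return findings


if __name__ == "__main__":
    # Emit the documents for: aws iam create-role --assume-role-policy-document file://trust.json
    # and: aws iam put-role-policy --policy-document file://perms.json
    acct, region = "123456789012", "us-east-1"  # placeholders
    print(json.dumps(trust_policy(acct, region), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print(check_trust_policy(default_wizard_trust_policy(), acct))
```

Running the module prints the two JSON documents ready for the AWS CLI, followed by the three findings the checker raises against the wizard's default trust policy (wrong principal, no aws:SourceAccount, no aws:SourceArn). Run `check_trust_policy` against the document you actually saved in step 9; an empty list is what you want before you paste the role ARN into the flow log.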