IAM role for publishing flow logs to CloudWatch Logs
The IAM role that's associated with your flow log must have sufficient permissions to publish flow logs to the specified log group in CloudWatch Logs. The IAM role must belong to your AWS account.
The IAM policy that's attached to your IAM role must include at least the following permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
Ensure that your role has the following trust policy, which allows the flow logs service to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
We recommend that you use the aws:SourceAccount and aws:SourceArn condition keys to protect yourself against the confused deputy problem. For example, you could add the following condition block to the previous trust policy. The source account is the owner of the flow log and the source ARN is the flow log ARN. If you don't know the flow log ID, you can replace that portion of the ARN with a wildcard (*) and then update the policy after you create the flow log.
"Condition": {
  "StringEquals": {
    "aws:SourceAccount": "account_id"
  },
  "ArnLike": {
    "aws:SourceArn": "arn:aws:ec2:region:account_id:vpc-flow-log/flow-log-id"
  }
}
Create an IAM role for flow logs
You can update an existing role as described above. Alternatively, you can use the following procedure to create a new role for use with flow logs. You'll specify this role when you create the flow log.
To create an IAM role for flow logs
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. Choose Create policy.
4. On the Create policy page, do the following:
   - Choose JSON.
   - Replace the contents of this window with the permissions policy at the start of this section.
   - Choose Next.
   - Enter a name for your policy and an optional description and tags, and then choose Create policy.
5. In the navigation pane, choose Roles.
6. Choose Create role.
7. For Trusted entity type, choose Custom trust policy. For Custom trust policy, replace
   "Principal": {},
   with the following, and then choose Next.
   "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
8. On the Add permissions page, select the checkbox for the policy that you created earlier in this procedure, and then choose Next.
9. Enter a name for your role and optionally provide a description.
10. Choose Create role.
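The following Python script is an added example, not code from the AWS documentation, and serves two passages on this page: the scoped trust policy with the aws:SourceAccount and aws:SourceArn condition keys, and the console procedure above. It builds the trust policy from an account ID, region and flow log ID, audits an arbitrary trust policy for a statement that lets vpc-flow-logs.amazonaws.com assume the role without confused-deputy conditions, and offers a programmatic equivalent of the console steps through boto3 (create_policy, create_role, attach_role_policy). The account ID, region, flow log ID and role name are constructed placeholders; the boto3 call is only made when you invoke create_flow_logs_role with real credentials.

```python
"""Build, audit and (optionally) provision the IAM role that VPC Flow Logs uses to
publish to CloudWatch Logs. Added example, not AWS documentation code.
The account ID, region, flow log ID and role name are constructed placeholders."""
import json
import re

# Permissions policy from the page: the minimum the role needs to publish to CloudWatch Logs.
FLOW_LOGS_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
        ],
        "Resource": "*",
    }],
}

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def build_trust_policy(account_id, region, flow_log_id="*"):
    """Trust policy scoped with aws:SourceAccount and aws:SourceArn.
    flow_log_id defaults to '*' so the role can be created before the flow log exists;
    tighten it to the real ID once the flow log is created."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/{flow_log_id}"
                },
            },
        }],
    }


def audit_trust_policy(policy, expected_account):
    """Return findings for Allow statements that let the flow logs service assume the
    role without confused-deputy protection. An empty list means the policy is scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if FLOW_LOGS_SERVICE not in services:
            continue
        cond = stmt.get("Condition", {})
        account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        arns = cond.get("ArnLike", {}).get("aws:SourceArn") or cond.get("ArnEquals", {}).get("aws:SourceArn")
        if isinstance(arns, str):
            arns = [arns]
        if account != expected_account:
            findings.append(f"statement {i}: aws:SourceAccount missing or not {expected_account}")
        if not arns:
            findings.append(f"statement {i}: aws:SourceArn condition missing")
        else:
            # Accept only flow log ARNs owned by the expected account (wildcard flow log ID is allowed).
            pattern = rf"arn:aws:ec2:[a-z0-9-]+:{expected_account}:vpc-flow-log/.+"
            for arn in arns:
                if not re.fullmatch(pattern, arn):
                    findings.append(f"statement {i}: aws:SourceArn {arn!r} is not a flow log ARN in account {expected_account}")
    return findings


def create_flow_logs_role(role_name, account_id, region, flow_log_id="*"):
    """Programmatic equivalent of the console procedure (needs boto3 and AWS credentials):
    create the customer managed policy, create the role with the scoped trust policy, attach them."""
    import boto3  # imported here so the rest of the module runs without boto3 installed
    iam = boto3.client("iam")
    policy = iam.create_policy(
        PolicyName=f"{role_name}-permissions",
        PolicyDocument=json.dumps(FLOW_LOGS_PERMISSIONS),
    )
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id, region, flow_log_id)),
        Description="Lets VPC Flow Logs publish to CloudWatch Logs",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy["Policy"]["Arn"])
    return policy["Policy"]["Arn"]


if __name__ == "__main__":
    account, region, flow_log = "123456789012", "us-east-1", "fl-0123456789abcdef0"  # constructed
    unscoped = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": FLOW_LOGS_SERVICE}, "Action": "sts:AssumeRole"}]}
    print("unscoped policy findings:", audit_trust_policy(unscoped, account))
    scoped = build_trust_policy(account, region, flow_log)
    print("scoped policy findings:", audit_trust_policy(scoped, account))
    print(json.dumps(scoped, indent=2))
```

Run the audit against the trust policies of existing roles (for example the document returned by an iam get-role call) to find roles that trust the flow logs service without a source account and source ARN condition, then replace the trust policy with the output of build_trust_policy.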