VPC Flow Logs is a feature in Amazon Web Services (AWS) that enables capturing information about IP traffic going to and from network interfaces in the Virtual Private Cloud (VPC). These logs provide detailed visibility into network traffic, helping to monitor, troubleshoot, and analyze traffic patterns, security issues, and performance within the VPC. The logs can be stored in Amazon CloudWatch Logs or Amazon S3 for further analysis. To enable VPC Flow Logs, an IAM role is required to publish the log data to Amazon CloudWatch Logs or Amazon S3. This role must have specific permissions, typically including logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents for CloudWatch Logs or appropriate S3 permissions if logs are stored in an S3 bucket.

I describe enabling flow logs for Amazon VPC using Terraform in this note. If you are interested, please refer to my GitHub repository: kunduso/terraform-aws-vpc.

Enabling flow logs for an Amazon VPC involves four steps:

1. Create an IAM role to publish flow logs to CloudWatch Logs
2. Create a KMS Key to encrypt the CloudWatch Log Group
3. Create an Amazon CloudWatch Logs group
4. Attach the CloudWatch Logs group to the VPC to capture flow logs

Let me now explain each step in detail.

Step 1: Create an IAM role to publish flow logs to CloudWatch Logs

An IAM role has two policies: (i) the trust (also known as the assume) policy and (ii) the permission policy. The Trust Policy (also called an Assume Role Policy) is the policy attached to an IAM role to define the trusted entities that can assume the role. The below trust policy states that the service principal, vpc-flow-logs.amazonaws.com, which is the AWS service responsible for VPC Flow Logs, can assume this role.

[105-image-1: trust policy]

Apart from the trust policy, an IAM role requires a permission policy. The below permission policy provides a list of capabilities that enable the IAM role to publish logs to AWS CloudWatch Logs.

[105-image-2: permission policy]

For more information on this concept, please choose -flow-logs-iam-role.

Step 2: Create a KMS Key to encrypt the CloudWatch Log Group

The AWS KMS Key encrypts the data stored in the AWS CloudWatch Logs. I provisioned a tighter KMS key policy specifically for this use case using the aws_kms_key_policy. Please note that adding the AWS KMS key, although optional, helps create a secure solution.

[105-image-3: KMS key and key policy]

Step 3: Create an Amazon CloudWatch Logs group

The logs group stores log data that captures detailed information about the IP traffic going to and from your VPC's network interfaces.

[105-image-4: CloudWatch Logs group]

Step 4: Attach the CloudWatch Log group to the VPC for flow logs

The last step is to attach the Amazon CloudWatch Logs group to the VPC flow logs via the below Terraform code.

[105-image-5: VPC flow log resource]

The resource properties include the VPC ID, the CloudWatch Logs group, and the IAM role to enable sending the logs. Once Terraform provisioned all the AWS cloud resources, I logged into my AWS account and navigated to VPC → selected the specific VPC → Flow Logs and examined the VPC Flow Logs property.

[105-image-6: Flow Logs tab in the VPC console]

And that concludes this note. If you have any questions or suggestions, please do not hesitate to contact me via the comments below.
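The four steps above, written out as one Terraform configuration. This is an added example, not the code from the kunduso/terraform-aws-vpc repository; it assumes a VPC resource named aws_vpc.this already exists in the same configuration and that the AWS provider is configured for the target region. The role's permissions are scoped to the flow log group rather than "*", and the KMS key policy only lets the regional CloudWatch Logs service principal use the key for log groups in this account.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# Step 1: role that the VPC Flow Logs service may assume, plus its permissions
resource "aws_iam_role" "flow_logs" {
  name = "vpc-flow-logs-role"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect = "Allow", Action = "sts:AssumeRole",
    Principal = { Service = "vpc-flow-logs.amazonaws.com" } }] })
}
resource "aws_iam_role_policy" "flow_logs" {
  role = aws_iam_role.flow_logs.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect   = "Allow"
    Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                "logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    Resource = [aws_cloudwatch_log_group.flow_logs.arn, "${aws_cloudwatch_log_group.flow_logs.arn}:*"]
  }] })
}
# Step 2: customer-managed KMS key; only the account root and the regional CloudWatch Logs service may use it
resource "aws_kms_key" "flow_logs" {
  enable_key_rotation = true
}
resource "aws_kms_key_policy" "flow_logs" {
  key_id = aws_kms_key.flow_logs.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [
    { Sid = "AccountAdmin", Effect = "Allow", Action = "kms:*", Resource = "*",
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" } },
    { Sid = "CloudWatchLogs", Effect = "Allow", Resource = "*",
      Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" },
      Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
      Condition = { ArnLike = { "kms:EncryptionContext:aws:logs:arn" =
        "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*" } } }
  ] })
}
# Step 3: encrypted log group; it must wait for the key policy, or creation is denied by KMS
resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/aws/vpc/flow-logs"
  retention_in_days = 90
  kms_key_id        = aws_kms_key.flow_logs.arn
  depends_on        = [aws_kms_key_policy.flow_logs]
}
# Step 4: attach the log group and the role to the VPC (aws_vpc.this is assumed to exist)
resource "aws_flow_log" "this" {
  vpc_id               = aws_vpc.this.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow_logs.arn
  iam_role_arn         = aws_iam_role.flow_logs.arn
}
```

After `terraform apply`, the log group should start receiving streams named after each network interface ID within a few minutes; an empty group usually points at the role's trust policy or the KMS key policy.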