
FlowLog

The FlowLog resource lets you manage AWS EC2 Flow Logs, which capture metadata (addresses, ports, protocol, packet and byte counts, accept/reject action) about the IP traffic going to and from network interfaces in your VPC.

Create a basic FlowLog to capture all traffic from a specified VPC with default settings.

```ts
import AWS from "alchemy/aws/control";

// Baseline: every flow (accepted and rejected) for the whole VPC, delivered to a
// CloudWatch Logs log group.
const vpcFlowLog = await AWS.EC2.FlowLog("vpcFlowLog", {
  ResourceId: "vpc-12345678",
  ResourceType: "VPC",
  TrafficType: "ALL",
  // The destination kind is LogDestinationType; CloudWatch Logs expects the
  // lowercase value "cloud-watch-logs".
  LogDestinationType: "cloud-watch-logs",
  LogGroupName: "vpc-flow-logs",
  // Role the flow logs service assumes to write to the log group
  // (needs logs:CreateLogStream and logs:PutLogEvents on it); placeholder ARN.
  DeliverLogsPermissionArn: "arn:aws:iam::123456789012:role/FlowLogsRole",
  Tags: [{ Key: "Environment", Value: "Production" }],
});
```

Configure a FlowLog with advanced options, including a custom log format and aggregation interval settings.

```ts
// Accepted traffic only, delivered to S3 with a custom record format and the
// shortest (60 s) aggregation window, so records reach the bucket sooner.
const advancedFlowLog = await AWS.EC2.FlowLog("advancedFlowLog", {
  ResourceId: "vpc-87654321",
  ResourceType: "VPC",
  TrafficType: "ACCEPT",
  LogDestinationType: "s3",
  // For S3 the destination is the bucket (or bucket/prefix) ARN; LogGroupName
  // applies only to CloudWatch Logs. Placeholder bucket name.
  LogDestination: "arn:aws:s3:::example-flow-logs-bucket/vpc-87654321/",
  // Custom format: only the fields listed here are written, in this order.
  // ${start} and ${end} are the flow window in Unix time (there is no ${timestamp} field).
  LogFormat: "${version} ${start} ${end} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes}",
  MaxAggregationInterval: 60, // 60 or 600 seconds
  Tags: [{ Key: "Project", Value: "NetworkMonitoring" }],
});
```
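A custom LogFormat only decides which fields appear in each delivered record and in what order; whoever consumes the logs has to parse them against the same field list. The TypeScript below is an added example, not Alchemy's or this page's code: it turns a LogFormat string into a field list, parses space-separated records against it (keeping the `-` placeholder AWS writes for fields that have no value, as in NODATA records), drops lines whose column count does not match, and totals bytes per source/destination pair. The format string (using `${start}`/`${end}` for the flow window), the sample records and their addresses and counters are constructed for the example.

```typescript
// Added example, not part of the Alchemy project or this page: parse VPC Flow Log
// records delivered with a custom LogFormat and summarize them for review.

// Field names listed inside ${...} in a flow log LogFormat string, in order.
function parseLogFormat(format: string): string[] {
  const fields: string[] = [];
  const re = /\$\{([a-z0-9-]+)\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(format)) !== null) {
    fields.push(m[1]);
  }
  return fields;
}

type FlowRecord = Record<string, string | number>;

// Fields AWS writes as integers. A "-" means the field had no value for that
// record (for example a NODATA or SKIPDATA record) and is kept as a string.
const NUMERIC_FIELDS = new Set([
  "version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
]);

// One space-separated record -> object keyed by field name, or null when the
// column count does not match the format (truncated or foreign line).
function parseRecord(fields: string[], line: string): FlowRecord | null {
  const cols = line.trim().split(/\s+/);
  if (cols.length !== fields.length) return null;
  const rec: FlowRecord = {};
  fields.forEach((field, i) => {
    const v = cols[i];
    rec[field] = NUMERIC_FIELDS.has(field) && v !== "-" ? Number(v) : v;
  });
  return rec;
}

// Bytes per src->dst pair, largest first: a quick "who is talking to whom" view.
function topTalkers(records: FlowRecord[], n = 3): Array<{ pair: string; bytes: number }> {
  const totals = new Map<string, number>();
  for (const r of records) {
    if (typeof r.bytes !== "number") continue; // record carried no counters
    const key = `${r.srcaddr}->${r.dstaddr}`;
    totals.set(key, (totals.get(key) ?? 0) + r.bytes);
  }
  return Array.from(totals.entries())
    .map(([pair, bytes]) => ({ pair, bytes }))
    .sort((a, b) => b.bytes - a.bytes)
    .slice(0, n);
}

// Constructed format for this example: ${start}/${end} carry the flow window as Unix time.
const LOG_FORMAT =
  "${version} ${start} ${end} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes}";

// Constructed sample records (private addresses, made-up counters), including one
// NODATA-style record and one line that is not a flow log record at all.
const SAMPLE_LINES = [
  "2 1700000000 1700000060 10.0.1.15 10.0.2.40 49152 443 6 20 4200",
  "2 1700000000 1700000060 10.0.2.40 10.0.1.15 443 49152 6 18 150000",
  "2 1700000000 1700000060 10.0.1.15 10.0.2.40 49153 443 6 5 800",
  "2 1700000000 1700000060 - - - - - - -",
  "not a flow log line",
];

// Parse every line, count what was kept and dropped, and rank the pairs by volume.
function summarize(lines: string[] = SAMPLE_LINES): {
  parsed: number;
  dropped: number;
  top: Array<{ pair: string; bytes: number }>;
} {
  const fields = parseLogFormat(LOG_FORMAT);
  const records = lines
    .map((l) => parseRecord(fields, l))
    .filter((r): r is FlowRecord => r !== null);
  return {
    parsed: records.length,
    dropped: lines.length - records.length,
    top: topTalkers(records),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

Because the parser is driven by the format string rather than fixed column positions, changing the LogFormat on the FlowLog resource and in `LOG_FORMAT` together is enough to keep producer and consumer in step; a mismatch shows up as a rising `dropped` count rather than silently shifted fields.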

Set up a FlowLog that captures only rejected traffic for a specific network interface.

```ts
// Rejected traffic only for one ENI: a compact signal for connection attempts
// blocked by security groups or network ACLs, without the volume of accepted flows.
const interfaceFlowLog = await AWS.EC2.FlowLog("interfaceFlowLog", {
  ResourceId: "eni-12345678",
  ResourceType: "NetworkInterface",
  TrafficType: "REJECT",
  LogDestinationType: "cloud-watch-logs",
  LogGroupName: "interface-flow-logs",
  // Role the flow logs service assumes to write to the log group; placeholder ARN.
  DeliverLogsPermissionArn: "arn:aws:iam::123456789012:role/FlowLogsRole",
  Tags: [{ Key: "Type", Value: "Monitoring" }],
});
```

Establish a FlowLog that delivers logs to a different account’s S3 bucket.

```ts
// Deliver to an S3 bucket owned by another account: LogDestination is that
// account's bucket ARN, and DeliverCrossAccountRole is a role in this account
// that the flow logs service assumes to publish there (the bucket policy in the
// receiving account must allow that role).
const crossAccountFlowLog = await AWS.EC2.FlowLog("crossAccountFlowLog", {
  ResourceId: "vpc-11223344",
  ResourceType: "VPC",
  TrafficType: "ALL",
  LogDestinationType: "s3",
  // Placeholder: bucket in the receiving account.
  LogDestination: "arn:aws:s3:::central-audit-flow-logs-bucket",
  DeliverCrossAccountRole: "arn:aws:iam::123456789012:role/CrossAccountFlowLogsRole",
  Tags: [{ Key: "Compliance", Value: "Audit" }],
});
```