Create an IAM Role for CloudGuard Dome9 VPC Flow Logs
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles, then Create role.
- Choose AWS service as the trusted entity and EC2 as the use case, then choose Next: Permissions. The EC2 trust relationship is only a placeholder; it is replaced by the VPC Flow Logs trust policy in a later step.
- On the Attach Policy page, do not attach a managed policy; choose Next: Review. The permissions the role needs are added as an inline policy in the next section.
- Enter a name for your role, for example 'Flow-Logs-Role', optionally provide a description, and choose Create role.

Add an inline policy via JSON under Permissions
- Select the name of your role. Under Permissions, choose Add inline policy.
- Choose the JSON tab.
- Copy the first policy (the permissions policy) and paste it in the window. It grants the role the CloudWatch Logs actions needed to create the destination log group and its log streams and to write flow-log records to them.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
- Choose Review policy.
- Enter a name for your policy, and then choose Create policy.

This policy uses "Resource": "*", as in the AWS documentation for VPC Flow Logs, so the role can write to any log group in the account. If you want to limit it to log groups in your own account and region, replace "*" with an ARN pattern of the form arn:aws:logs:<region>:<account-id>:log-group:* (fill in your own region and account id).

Edit Trust Relationship and Update Trust Policy
- Copy the second policy (the trust relationship). Choose Trust relationships, then Edit trust relationship. Delete the existing policy document, which trusts the EC2 service, and paste in the new one, which trusts the VPC Flow Logs service instead.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- When done, click Update Trust Policy.

As written, this trust policy lets the VPC Flow Logs service assume the role on behalf of a flow log in any AWS account. AWS recommends adding aws:SourceAccount and aws:SourceArn condition keys to the statement so that only flow logs created in your own account can use the role (this guards against the confused-deputy problem).

Capture/note ARN for newly created role
- On the Summary page, take note of the ARN for your role. You need this ARN when you create your flow log.

After you've created your IAM role, you can create a destination log group for your VPC Flow Logs. For additional information, see Create a Destination Log Group for VPC Flow Logs in AWS.
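The same role can be created from the AWS CLI instead of the console. The script below is an added example and is not part of the CloudGuard Dome9 article; it assumes the AWS CLI is installed with credentials for the target account, and the role name, inline policy name (FlowLogsCloudWatch), the account/region scoping of the permissions policy, and the aws:SourceAccount / aws:SourceArn conditions in the trust policy are this example's choices rather than the article's. The policy-building functions run offline; only create_flow_logs_role talks to AWS.

```shell
#!/usr/bin/env bash
# Added example (not from the CloudGuard Dome9 article): create the VPC Flow
# Logs IAM role with the AWS CLI. Assumes the AWS CLI is installed and has
# credentials for the target account. Role name, policy name and the
# account/region scoping below are this example's own choices.
set -eu

# Permissions policy: the same five logs: actions the article uses, but scoped
# to log groups in one account and region instead of "Resource": "*".
permissions_policy() {
  account="$1"
  region="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:${region}:${account}:log-group:*"
    }
  ]
}
EOF
}

# Trust policy: only the VPC Flow Logs service principal may assume the role,
# and only for flow logs created in this account and region. The SourceAccount
# and SourceArn conditions close the confused-deputy hole left by an
# unconditioned service-principal trust.
trust_policy() {
  account="$1"
  region="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "${account}" },
        "ArnLike": { "aws:SourceArn": "arn:aws:ec2:${region}:${account}:vpc-flow-log/*" }
      }
    }
  ]
}
EOF
}

# Create the role with the trust policy, attach the inline permissions policy,
# and print the role ARN (the value the article tells you to note down).
create_flow_logs_role() {
  role="$1"
  region="${2:-$(aws configure get region)}"
  account="$(aws sts get-caller-identity --query Account --output text)"
  aws iam create-role \
    --role-name "$role" \
    --assume-role-policy-document "$(trust_policy "$account" "$region")" \
    --query Role.Arn --output text
  aws iam put-role-policy \
    --role-name "$role" \
    --policy-name FlowLogsCloudWatch \
    --policy-document "$(permissions_policy "$account" "$region")"
}

# Usage: ./create-flow-logs-role.sh --apply Flow-Logs-Role us-east-1
if [ "${1:-}" = "--apply" ]; then
  shift
  create_flow_logs_role "$@"
fi
```

The SourceArn pattern is regional because flow logs are regional resources; if you run flow logs in several regions, either create one role per region or widen the region field in both ARN patterns to "*".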
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.