Support Center > Search Results > SecureKnowledge Details
How to create an IAM Role for CloudGuard VPC Flow Logs Technical Level
  1. Open the IAM console at

  2. In the navigation pane, select Roles, Create role.

  3. Choose EC2 and then the EC2 use case. Select Next: Permissions.

  4. On the Attach Policy page, select Next: Review.

  5. Enter a name for your role; for example 'Flow-Logs-Role' and optionally provide a description. Choose Create role.

Add Inline Policy via JSON to Permissions

  1. Select the name of your role. Under Permissions, choose Add inline policy.

  2. Choose the JSON tab.

  3. Copy the first policy and paste it in the window.

      "Version": "2012-10-17",
      "Statement": [
          "Action": [
          "Effect": "Allow",
          "Resource": "*"

    Choose Review policy.

  4. Enter a name for your policy, and then choose Create policy.

Edit Trust Relationship and Update Trust Policy

  1. Copy the second policy (the trust relationship), and then choose Trust relationships, Edit trust relationship. Delete the existing policy document, and paste in the new one.

      "Version": "2012-10-17",
      "Statement": [
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": ""
          "Action": "sts:AssumeRole"

    When done, click Update Trust Policy.

Capture/Note ARN for Newly Created Role

  1. On the Summary page, take note of the ARN for your role. You need this ARN when you create your flow log.

After you've created your IAM role, you can create a Destination Log group for your VPC Flow Logs. For additional information, see Create a Destination Log Group for VPC Flow Logs in AWS.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document