Create an IAM Role for CloudGuard Dome9 VPC Flow Logs
Solution

Create an IAM Role for VPC Flow Logs

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, Create role.

  3. Under the service that will use this role, choose EC2, then the EC2 use case, and choose Next: Permissions. (EC2 is only a placeholder so the role can be created; the trust relationship is replaced with the VPC Flow Logs service in a later step.)

  4. On the Attach permissions policies page, attach nothing and choose Next: Review. The permissions are added as an inline policy below.

  5. Enter a name for your role; for example 'Flow-Logs-Role' and optionally provide a description. Choose Create role.

Add an inline policy (JSON) under Permissions

  1. Select the name of your role. Under Permissions, choose Add inline policy.

  2. Choose the JSON tab.

  3. Copy the first policy and paste it in the window.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    Note that "Resource": "*" lets the role create and write to any log group in the account. Once the destination log group exists, the write actions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) can be narrowed to that log group's ARN and to <log-group-ARN>:* for its streams; logs:DescribeLogGroups is an account-wide list call and can stay on "*".

    Choose Review policy.

  4. Enter a name for your policy, and then choose Create policy.

Edit Trust Relationship and Update Trust Policy

  1. Copy the second policy (the trust relationship), and then choose Trust relationships, Edit trust relationship. Delete the existing policy document, and paste in the new one.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "vpc-flow-logs.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    This trust relationship lets the VPC Flow Logs service assume the role from any account. To restrict it to flow logs created in your own account and region (the usual confused-deputy guard), add a Condition block to the statement with "StringEquals": {"aws:SourceAccount": "<your account ID>"} and "ArnLike": {"aws:SourceArn": "arn:aws:ec2:<region>:<your account ID>:vpc-flow-log/*"}.

    When done, click Update Trust Policy.

Note the ARN of the newly created role

  1. On the Summary page, take note of the ARN for your role. You need this ARN when you create your flow log.
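The same role can be built from the API instead of the console. The following is an added example, not code from the original article or from Check Point; it embeds the two policy documents exactly as given above, generates a scoped variant of each (write actions limited to one log group, trust limited to flow logs from one account and region), lints a permissions/trust pair for the two weak points discussed above, and wraps the console steps in boto3 calls. The account ID, region, log group name and role name are placeholders (assumptions, not values from the article), and the boto3 calls need real credentials, so they are only invoked when the file is run directly.

```python
"""Build, lint and (optionally) create the flow logs IAM role described above.

Added example, not part of the original article. The account ID, region and
log group name used in __main__ are placeholders (assumptions).
"""
import json

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"
WRITE_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

# The two documents exactly as the article gives them, kept for comparison.
ARTICLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}
ARTICLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Service": FLOW_LOGS_SERVICE},
        "Action": "sts:AssumeRole",
    }],
}


def permissions_policy(region, account_id, log_group):
    """Same actions as the article's policy, but the write actions are limited
    to the destination log group and its streams instead of Resource "*"."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(WRITE_ACTIONS | {"logs:DescribeLogStreams"}),
                "Resource": [group_arn, f"{group_arn}:*"],
            },
            {   # account-wide, read-only list call: "*" is acceptable here
                "Effect": "Allow",
                "Action": "logs:DescribeLogGroups",
                "Resource": "*",
            },
        ],
    }


def trust_policy(region, account_id):
    """The article's trust relationship plus source conditions, so only flow
    logs created in this account and region can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_role(permissions, trust):
    """Return a list of findings for a permissions/trust pair; [] means OK."""
    findings = []
    for stmt in permissions["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        writes = WRITE_ACTIONS & set(_as_list(stmt.get("Action", [])))
        if writes and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"write actions {sorted(writes)} allowed on Resource '*'")
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if services != [FLOW_LOGS_SERVICE]:
            findings.append(f"unexpected trusted principal(s): {services}")
        if "aws:SourceAccount" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy has no aws:SourceAccount condition")
    return findings


def create_role(role_name, region, account_id, log_group):
    """The console steps as API calls (needs boto3 and AWS credentials).
    Returns the role ARN that the flow log definition needs."""
    import boto3  # imported lazily so the rest of the module runs offline
    iam = boto3.client("iam")
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(region, account_id)),
        Description="Publishes VPC Flow Logs to CloudWatch Logs",
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=f"{role_name}-cloudwatch-logs",
        PolicyDocument=json.dumps(permissions_policy(region, account_id, log_group)),
    )
    return role["Role"]["Arn"]


if __name__ == "__main__":
    region, account, group = "us-east-1", "123456789012", "vpc-flow-logs"  # placeholders
    print("article policies:", lint_role(ARTICLE_PERMISSIONS, ARTICLE_TRUST))
    print("scoped policies: ", lint_role(permissions_policy(region, account, group),
                                         trust_policy(region, account)))
    print(json.dumps(trust_policy(region, account), indent=2))
    # print(create_role("Flow-Logs-Role", region, account, group))  # needs credentials
```

Run as-is, the linter reports the two points noted above against the article's documents (write actions on Resource "*", no aws:SourceAccount condition) and nothing against the scoped pair; uncomment the last line with real credentials to create the role and print its ARN.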

After you have created the IAM role, create the destination log group for your VPC Flow Logs. For additional information, see Create a Destination Log Group for VPC Flow Logs in AWS.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
