AWS VPC Flow Log Limitations

    To use flow logs, you need to be aware of the following limitations:

    • You cannot enable flow logs for network interfaces that are in the EC2-Classic platform. This includes EC2-Classic instances that have been linked to a VPC through ClassicLink.

    • You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.

    • You cannot tag a flow log.

    • After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log. Instead, you can delete the flow log and create a new one with the required configuration.

    • None of the flow log API actions (ec2:*FlowLogs) support resource-level permissions. To create an IAM policy to control the use of the flow log API actions, you must grant users permissions to use all resources for the action by using the * wildcard for the resource element in your statement. Because this also applies to ec2:DeleteFlowLogs, a principal allowed to delete one flow log can delete every flow log in the account, so grant that action only to the roles that manage logging. For more information, see Controlling Access to Amazon VPC Resources.

    • If your network interface has multiple IPv4 addresses and traffic is sent to a secondary private IPv4 address, the flow log displays the primary private IPv4 address in the destination IP address field. A query for the secondary address therefore returns no records; search for the interface's primary address instead.

    Flow logs do not capture all IP traffic. The following types of traffic are not logged:

    • Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged. Note that DNS queries that leave through the Amazon resolver, including any data tunnelled in them, do not appear in flow logs.

    • Traffic generated by a Windows instance for Amazon Windows license activation.

    • Traffic to and from 169.254.169.254 for instance metadata. Requests to the instance metadata service, including any made through a server-side request forgery, cannot be detected from flow logs.

    • Traffic to and from 169.254.169.123 for the Amazon Time Sync Service.

    • DHCP traffic.

    • Traffic to the reserved IP address for the default VPC router. For more information, see VPC and Subnet Sizing.

    • Traffic between an endpoint network interface and a Network Load Balancer network interface. For more information, see VPC Endpoint Services (AWS PrivateLink).
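    The two lists above are a checklist that a detection built on flow logs has to be tested against: several destinations never produce a record, and a secondary private IPv4 address is recorded as the interface's primary address. The following is an added example, not code from AWS or its documentation, that applies both rules before a search. It assumes the VPC CIDR and an ENI inventory mapping every private IPv4 on an interface to that interface's primary address (a constructed dict here; a real deployment would build it from DescribeNetworkInterfaces), and it assumes the default flow log record format. The sample records are constructed, with the AWS placeholder account ID.

```python
# Added example for this page; not AWS code. Pre-flight visibility check for
# detection rules over VPC Flow Logs, plus a search that applies the
# secondary-to-primary address rule before matching.
import ipaddress
from dataclasses import dataclass

# Fixed link-local destinations listed above as never captured.
IMDS_ADDR = ipaddress.ip_address("169.254.169.254")       # instance metadata
TIME_SYNC_ADDR = ipaddress.ip_address("169.254.169.123")  # Amazon Time Sync
DHCP_PORTS = {67, 68}  # DHCPv4 server/client ports (UDP)
UDP = 17
TCP = 6


@dataclass
class Verdict:
    visible: bool    # can a flow log record for this traffic exist at all?
    logged_dst: str  # dstaddr value that will appear; "" if never logged
    reason: str


def vpc_reserved(vpc_cidr: str) -> dict:
    """Reserved addresses in a VPC CIDR: base+1 is the VPC router and base+2
    is the Amazon-provided DNS server. Traffic to both is a flow log blind spot."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    base = int(net.network_address)
    return {"router": ipaddress.ip_address(base + 1),
            "dns": ipaddress.ip_address(base + 2)}


def flow_log_visibility(vpc_cidr, eni_primary, dst_ip, dst_port=None, protocol=None):
    """eni_primary (assumed inventory) maps every private IPv4 on an ENI,
    primary or secondary, to that ENI's primary IPv4."""
    dst = ipaddress.ip_address(dst_ip)
    reserved = vpc_reserved(vpc_cidr)
    if dst == IMDS_ADDR:
        return Verdict(False, "", "instance metadata (169.254.169.254) is not logged")
    if dst == TIME_SYNC_ADDR:
        return Verdict(False, "", "Amazon Time Sync (169.254.169.123) is not logged")
    if dst == reserved["dns"]:
        return Verdict(False, "", "traffic to the Amazon DNS server is not logged")
    if dst == reserved["router"]:
        return Verdict(False, "", "traffic to the reserved VPC router address is not logged")
    if protocol == UDP and dst_port in DHCP_PORTS:
        return Verdict(False, "", "DHCP traffic is not logged")
    primary = eni_primary.get(str(dst), str(dst))
    if primary != str(dst):
        return Verdict(True, primary, f"secondary IP; dstaddr will show primary {primary}")
    return Verdict(True, str(dst), "captured")


# Default flow log record format (version 2 fields, space separated).
FIELDS = ("version account interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line: str) -> dict:
    rec = dict(zip(FIELDS, line.split()))
    for k in INT_FIELDS:
        rec[k] = None if rec[k] == "-" else int(rec[k])  # "-" in NODATA/SKIPDATA rows
    return rec


def find_flows_to(records, vpc_cidr, eni_primary, target_ip):
    """Flows to target_ip, matched on the dstaddr flow logs would really record.
    Returns (verdict, matching records); an invisible target yields no hits."""
    verdict = flow_log_visibility(vpc_cidr, eni_primary, target_ip)
    if not verdict.visible:
        return verdict, []
    return verdict, [r for r in records if r["dstaddr"] == verdict.logged_dst]


# Constructed inventory and records (assumptions for the example).
VPC_CIDR = "10.0.0.0/16"
ENI_PRIMARY = {"10.0.2.20": "10.0.2.20",   # eni-0a1b...: primary
               "10.0.2.21": "10.0.2.20"}   # eni-0a1b...: secondary -> primary
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49152 443 6 12 4800 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49153 8443 6 3 200 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0c9d8e7f6a5b4c3d2 - - - - - - - 1600000000 1600000060 - NODATA",
]
SAMPLE_RECORDS = [parse_record(l) for l in SAMPLE_LINES]

if __name__ == "__main__":
    for target in ("10.0.2.21", "10.0.0.2", "169.254.169.254"):
        verdict, hits = find_flows_to(SAMPLE_RECORDS, VPC_CIDR, ENI_PRIMARY, target)
        print(f"{target}: visible={verdict.visible} hits={len(hits)} ({verdict.reason})")
```

The search for the secondary address 10.0.2.21 returns the two records whose dstaddr is the primary 10.0.2.20, which a naive string match on 10.0.2.21 would miss; the searches for the VPC DNS address and the metadata address return nothing by construction, which is the case to document in the rule rather than read as "no traffic".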

    For more information, see the AWS VPC Flow Logs documentation.