Create an IAM Role for VPC Flow Logs

    Create an IAM role for flow logs

    1. Open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, choose Roles, Create role.

    3. Choose EC2 and then the EC2 use case. Choose Next: Permissions.

    4. On the Attach Policy page, choose Next: Review.

    5. Enter a name for your role, for example 'Flow-Logs-Role', and optionally provide a description. Choose Create role.

    Add an inline policy via JSON under Permissions

    1. Select the name of your role. Under Permissions, choose Add inline policy.

    2. Choose the JSON tab.

    3. Copy the first policy (the permissions policy, below) and paste it into the window.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents",
              "logs:DescribeLogGroups",
              "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }


      Choose Review policy.

    4. Enter a name for your policy, and then choose Create policy.

    Edit Trust Relationship and Update Trust Policy

    1. Copy the second policy (the trust relationship, below), and then choose Trust relationships, Edit trust relationship. Delete the existing policy document (the ec2.amazonaws.com trust that the EC2 use case created in step 3) and paste in the new one, so that only the VPC Flow Logs service can assume this role.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": "vpc-flow-logs.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }


      When done, click Update Trust Policy.

    Note the ARN of the newly created role

    1. On the Summary page, take note of the ARN for your role. You need this ARN when you create your flow log.
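    As an added example (not part of this article), the following Python script carries out the same procedure with boto3 instead of the console: it creates the role with the trust policy above, attaches the inline permissions policy, re-reads the stored trust policy to confirm that only vpc-flow-logs.amazonaws.com can assume the role, and returns the ARN you note in the last step. The role name is the article's example; the inline policy name 'Flow-Logs-Permissions', the account id and the FakeIam class are constructed here so the script runs offline, and the --apply flag is this example's own switch for running against a real account.

```python
"""Added example: create the Flow Logs role above with boto3, or offline with a fake client."""
import json
import sys
try:
    import boto3  # only needed for --apply
except ImportError:
    boto3 = None

DEFAULT_ROLE_NAME = "Flow-Logs-Role"  # the example name used in the procedure
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

# The "first policy" from the procedure: what the role may do in CloudWatch Logs.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# The "second policy" from the procedure: who may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Service": FLOW_LOGS_SERVICE},
        "Action": "sts:AssumeRole",
    }],
}


def trust_policy_problems(doc):
    """Findings for a trust policy that should only let VPC Flow Logs assume the role."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("trust policy allows any AWS principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        for svc in ([services] if isinstance(services, str) else services):
            if svc != FLOW_LOGS_SERVICE:
                problems.append(f"unexpected trusted service: {svc}")
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action != "sts:AssumeRole":
                problems.append(f"unexpected action: {action}")
    return problems


def create_flow_logs_role(iam, role_name=DEFAULT_ROLE_NAME):
    """Create the role, attach the inline policy, re-check the trust policy, return the ARN."""
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(TRUST_POLICY),
        Description="Allows VPC Flow Logs to publish to CloudWatch Logs",
    )["Role"]
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="Flow-Logs-Permissions",  # constructed inline policy name
        PolicyDocument=json.dumps(PERMISSIONS_POLICY),
    )
    # Make sure nothing else is still trusted, e.g. the ec2.amazonaws.com trust the
    # console's EC2 use case starts with. boto3 returns the document as a dict.
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    problems = trust_policy_problems(current)
    if problems:
        raise RuntimeError("trust policy check failed: " + "; ".join(problems))
    return role["Arn"]


class FakeIam:
    """Constructed in-memory stand-in for a boto3 IAM client; the account id is made up."""
    ACCOUNT = "123456789012"

    def __init__(self):
        self.roles, self.inline_policies = {}, {}

    def create_role(self, RoleName, AssumeRolePolicyDocument, **_):
        self.roles[RoleName] = {
            "RoleName": RoleName,
            "Arn": f"arn:aws:iam::{self.ACCOUNT}:role/{RoleName}",
            "AssumeRolePolicyDocument": json.loads(AssumeRolePolicyDocument),
        }
        return {"Role": self.roles[RoleName]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.inline_policies.setdefault(RoleName, {})[PolicyName] = json.loads(PolicyDocument)

    def get_role(self, RoleName):
        return {"Role": self.roles[RoleName]}


if __name__ == "__main__":  # --apply needs iam:CreateRole, iam:PutRolePolicy, iam:GetRole
    client = boto3.client("iam") if "--apply" in sys.argv else FakeIam()
    print("Role ARN:", create_flow_logs_role(client))
```

    Running the script without arguments exercises the whole flow against the in-memory client; trust_policy_problems can also be run on its own against the document returned by get-role for an existing role, which is the quickest way to detect a role where the trust relationship step above was skipped and ec2.amazonaws.com is still trusted.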

    After you've created your IAM role, you can create a destination log group for your VPC Flow Logs. For more information, see Create a Destination Log Group for VPC Flow Logs in AWS.