Set Up AWS VPC Flow Logs

Security Manager supports Hit Counters via AWS VPC Flow Logs within a single AWS account. Cross-account Hit Counters using AWS VPC Flow Logs will be supported in a future release.

Step 1: Create an S3 Bucket

  1. Sign in to the AWS Management Console.

  2. In the AWS Management Console, type S3 in the search field and select S3 from the results.

  3. Click Create bucket.

  4. Configure Bucket Settings:

    1. Bucket Name: Enter a unique name for your bucket. The name must be globally unique across all existing bucket names in Amazon S3.

    2. Region: Select the AWS Region where you want to create the bucket. Choose a region close to you to minimize latency and costs.

  5. Set Bucket Options:

    1. Object Ownership: Choose whether to disable or enable ACLs (Access Control Lists). Disabling ACLs is recommended.

    2. Block Public Access Settings: Configure the settings to block or allow public access to the bucket.

    3. Bucket Versioning: Enable or disable versioning for the bucket.

    4. Default Encryption: Choose whether to enable default encryption for objects stored in the bucket.

    5. Advanced Settings: Configure additional settings like tags, object lock, etc.

  6. Review the settings and click Create bucket.

  7. Verify the bucket. Once the bucket is created, you can see it listed in the S3 console. You can now upload objects to your bucket and configure additional settings as needed.

Step 2: Create a VPC Flow Log

  1. Sign in to the AWS Management Console, and open the Amazon VPC console.

  2. In the navigation pane, click Your VPCs and select the VPC for which you want to create a flow log.

  3. Choose Actions > Create flow log.

  4. Configure Flow Log Settings:

    1. Filter: Choose the type of traffic to capture (All).

    2. Destination: Choose where to send the flow log data. You can send it to:

      • Amazon S3: Provide the ARN of your S3 bucket.

    3. Log record format: Select Custom format and enter the following format string (field order matters; Security Manager expects the fields in exactly this order):

      ${version} ${account-id} ${vpc-id} ${subnet-id} ${interface-id} ${flow-direction} ${srcaddr} ${srcport} ${dstaddr} ${dstport} ${protocol} ${start} ${end} ${action} ${log-status}

    4. Log file format: Select Text (default).

  5. Set Permissions:

    • If you are sending logs to CloudWatch Logs or Kinesis Data Firehose, you need to specify an IAM role that has the necessary permissions to publish logs.

  6. Click Create flow log.

  7. Navigate to the destination you specified (S3) to verify that the flow logs are being delivered.
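To see what the custom format above produces once it lands in the bucket, here is an added Python example (not FireMon or AWS code) that parses text-format flow log records written in that exact field order and tallies hits per source, destination, port, protocol and action. The sample lines, the `parse_record` and `hit_counts` helper names and the header-line handling are assumptions made for this example; NODATA and SKIPDATA records are counted separately because they carry no flows, so an operator can tell when hit totals are incomplete.

```python
"""Parse VPC Flow Log records in the custom format from Step 2 and tally hits.

Added example, not FireMon or AWS code. Assumes the flow log was created with
the custom format string from Step 2 and the Text file format, so each line is
one space-separated record in exactly that field order. The sample log below is
constructed, not captured from a real account.
"""
from collections import Counter

# Field order must match the custom format string configured on the flow log.
FIELDS = [
    "version", "account-id", "vpc-id", "subnet-id", "interface-id",
    "flow-direction", "srcaddr", "srcport", "dstaddr", "dstport",
    "protocol", "start", "end", "action", "log-status",
]

# Constructed sample: two accepted flows to 443, one rejected flow to 22,
# one NODATA record (no traffic in the window) and one SKIPDATA record
# (records dropped by the capture). "-" marks fields AWS leaves empty.
SAMPLE_LOG = """\
version account-id vpc-id subnet-id interface-id flow-direction srcaddr srcport dstaddr dstport protocol start end action log-status
5 123456789012 vpc-0a1b2c3d subnet-0e4f5a6b eni-0123456789abcdef0 ingress 203.0.113.10 51234 10.0.1.25 443 6 1700000000 1700000060 ACCEPT OK
5 123456789012 vpc-0a1b2c3d subnet-0e4f5a6b eni-0123456789abcdef0 ingress 203.0.113.10 51235 10.0.1.25 443 6 1700000060 1700000120 ACCEPT OK
5 123456789012 vpc-0a1b2c3d subnet-0e4f5a6b eni-0123456789abcdef0 ingress 198.51.100.7 40000 10.0.1.25 22 6 1700000000 1700000060 REJECT OK
5 123456789012 vpc-0a1b2c3d subnet-0e4f5a6b eni-0123456789abcdef0 - - - - - - 1700000120 1700000180 - NODATA
5 123456789012 vpc-0a1b2c3d subnet-0e4f5a6b eni-0123456789abcdef0 - - - - - - 1700000180 1700000240 - SKIPDATA
"""


def parse_record(line):
    """Return one record as a dict keyed by field name.

    Returns None for blank lines, for the header line AWS writes at the top of
    each text-format file, and for lines whose field count does not match
    FIELDS (which means the flow log was not created with the expected format).
    """
    tokens = line.split()
    if not tokens or tokens[0] == "version" or len(tokens) != len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))


def hit_counts(text):
    """Tally flows per (srcaddr, dstaddr, dstport, protocol, action).

    Only records with log-status OK describe traffic. NODATA and SKIPDATA
    records are tallied in a separate counter so the caller can tell when the
    hit totals may be incomplete (SKIPDATA means records were dropped).
    """
    hits = Counter()
    status = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        status[rec["log-status"]] += 1
        if rec["log-status"] != "OK":
            continue
        key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"],
               rec["protocol"], rec["action"])
        hits[key] += 1
    return hits, status


if __name__ == "__main__":
    hits, status = hit_counts(SAMPLE_LOG)
    for (src, dst, port, proto, action), n in sorted(hits.items()):
        print(f"{action:7} {src:>15} -> {dst}:{port}/{proto}  hits={n}")
    print("log-status summary:", dict(status))
```

Running the block prints two accepted hits for 203.0.113.10 to 10.0.1.25:443, one rejected hit to port 22, and a status summary showing the one NODATA and one SKIPDATA record that contributed nothing. If a line comes back as None although it is not the header, check that the flow log's custom format matches the string in Step 2 field for field.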

Permissions Needed

For SIP to read the flow logs from the S3 bucket, the credentials it uses will need the following permission:

  • AmazonS3ReadOnlyAccess

When using AWS Organizations (management account), it is important to note that both the base account user and the assumed IAM role must have this permission added.

You can view the hit counts in Security Manager > Security Rules.

Learn more from AWS documentation:

  • Create an S3 bucket

  • Amazon S3 bucket permissions for flow logs

  • Create a flow log that publishes to Amazon S3

  • Logging IP traffic using VPC Flow Logs