Task Statement 4.2: Validate and audit security by using network monitoring and logging services.
📘AWS Certified Advanced Networking – Specialty
1. What Are VPC Flow Logs?
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC.
They help you:
- Monitor network activity
- Troubleshoot connectivity issues
- Detect suspicious traffic
- Audit security rules (Security Groups and NACLs)
Key Idea:
A flow log records metadata about traffic, not the actual packet content.
2. Where Can You Enable Flow Logs?
You can create flow logs at three levels:
1. VPC Level
- Captures traffic for all resources in the VPC
2. Subnet Level
- Captures traffic for resources in a specific subnet
3. Network Interface (ENI) Level
- Most granular
- Captures traffic for a specific EC2 instance or resource
3. Flow Log Destinations
Flow logs can be sent to:
1. Amazon CloudWatch Logs
- Real-time monitoring
- Used for alarms and dashboards
2. Amazon S3
- Long-term storage
- Cost-effective for large data
3. Amazon Kinesis Data Firehose
- Streaming to analytics tools
4. Traffic Types You Can Capture
When creating a flow log, you choose:
ACCEPT
- Only allowed traffic
REJECT
- Only denied traffic
ALL
- Both accepted and rejected traffic
5. Flow Log Record Structure
Each flow log entry contains fields (columns).
There are two types:
- Base (default) fields
- Extended (custom) fields
6. Base Fields (Default Fields)
These are the version 2 fields; together they make up the default log format, so every standard flow log record carries all of them.
Important Base Fields (You MUST remember for exam):
| Field | Meaning |
|---|---|
| version | Flow log record version (2 for the default format; records that use newer extended fields report 3, 4 or 5) |
| account-id | AWS account ID |
| interface-id | ENI ID |
| srcaddr | Source IP address |
| dstaddr | Destination IP address |
| srcport | Source port |
| dstport | Destination port |
| protocol | Protocol number (e.g., TCP = 6, UDP = 17) |
| packets | Number of packets |
| bytes | Number of bytes |
| start | Start of the aggregation interval (Unix epoch seconds) |
| end | End of the aggregation interval (Unix epoch seconds) |
| action | ACCEPT or REJECT, as decided by security groups and NACLs; '-' when log-status is not OK |
| log-status | OK (data recorded), NODATA (no traffic in the interval), SKIPDATA (records dropped, e.g. because of an internal capacity constraint, so a visibility gap rather than silence) |
7. Extended Fields (Custom Fields)
Extended fields provide more detailed information and are only emitted when the flow log is created with a custom format that names them; the record version then reflects the newest field used.
Common Extended Fields:
| Field | Version | Description |
|---|---|---|
| vpc-id | 3 | VPC identifier |
| subnet-id | 3 | Subnet identifier |
| instance-id | 3 | EC2 instance ID ('-' when the ENI is not attached to an instance) |
| tcp-flags | 3 | TCP flag bitmask (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), OR-ed over the aggregation interval; 18 means SYN-ACK |
| type | 3 | Traffic type: IPv4, IPv6 or EFA |
| pkt-srcaddr | 3 | Packet-level (original) source IP; compare with srcaddr to tell an intermediate hop (NAT gateway, transit gateway) from the real source |
| pkt-dstaddr | 3 | Packet-level (original) destination IP; compare with dstaddr in the same way |
| region | 4 | AWS Region |
| az-id | 4 | Availability Zone ID (e.g. use1-az1), which is consistent across accounts, unlike the AZ name |
| flow-direction | 5 | ingress or egress, relative to the interface |
| traffic-path | 5 | Egress path code: 1 resource in the same VPC, 2 internet gateway or gateway VPC endpoint, 3 virtual private gateway, 4 intra-region peering, 5 inter-region peering, 6 local gateway, 7 gateway VPC endpoint (Nitro), 8 internet gateway (Nitro); '-' on ingress records |
8. Base vs Extended Fields (Exam Tip)
| Feature | Base Fields | Extended Fields |
|---|---|---|
| Default | Yes | No |
| Customizable | No | Yes |
| Detail Level | Basic | Advanced |
| Use Case | General monitoring | Deep analysis & security auditing |
9. How to Create VPC Flow Logs (Step-by-Step)
Step 1: Go to VPC Console
- Open AWS Console → VPC → Flow Logs
Step 2: Choose Resource
- Select VPC / Subnet / ENI
Step 3: Configure Settings
- Filter: ACCEPT / REJECT / ALL
- Maximum aggregation interval: 10 minutes (default) or 1 minute
- Destination: CloudWatch Logs / S3 / Kinesis Data Firehose
- Permissions: a delivery IAM role that the flow logs service can assume is required for a CloudWatch Logs destination; S3 delivery is authorized by a bucket policy instead, so no role is passed
Step 4: Choose Format
- Default format (the version 2 base fields, in their fixed order) OR
- Custom format: a space-separated list of ${field} tokens in the column order you want; this is the only way to get extended fields, and neither the format nor the other settings can be changed once the flow log exists
Step 5: Create Log
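Steps 2 to 4 put together in code, as an added example that is not part of the original notes: a small Python helper that assembles the parameters for boto3's `ec2.create_flow_logs` and checks the points that trip people up (custom format tokens, the 60/600-second aggregation interval, and that only a CloudWatch Logs destination needs a delivery role). The parameter names are those of the boto3 API as understood by the author of this example; `KNOWN_FIELDS` is limited to the fields listed on this page, and every ID, ARN and log group name is a placeholder.

```python
"""Assemble and sanity-check the parameters for creating a VPC flow log.

Added example, not AWS code. Parameter names are those of boto3's
ec2.create_flow_logs as understood by the author of this example; the ARNs,
IDs and role names are placeholders. The API call itself is left as a comment
because it needs credentials and a real account.
"""

# Only the fields this page lists; extend with other documented ${field} names as needed.
KNOWN_FIELDS = {"version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
                "dstport", "protocol", "packets", "bytes", "start", "end", "action",
                "log-status", "vpc-id", "subnet-id", "instance-id", "tcp-flags", "type",
                "pkt-srcaddr", "pkt-dstaddr", "region", "az-id", "flow-direction", "traffic-path"}
RESOURCE_TYPES = {"VPC", "Subnet", "NetworkInterface"}
TRAFFIC_TYPES = {"ACCEPT", "REJECT", "ALL"}


def check_log_format(log_format):
    """Validate a custom format string; a typo here makes the create call fail."""
    for tok in log_format.split():
        if not (tok.startswith("${") and tok.endswith("}")):
            raise ValueError(f"malformed token {tok!r}")
        if tok[2:-1] not in KNOWN_FIELDS:
            raise ValueError(f"unknown field {tok[2:-1]!r}")
    return True


def flow_log_params(resource_type, resource_id, destination, traffic_type="ALL",
                    log_format=None, delivery_role_arn=None, aggregation_seconds=600):
    """Return the kwargs for ec2.create_flow_logs.

    destination is an S3 bucket ARN, a Firehose delivery stream ARN, or a
    CloudWatch Logs log group name. S3 delivery is authorized by the bucket
    policy, so no role is needed; CloudWatch Logs needs a role the flow logs
    service can assume, passed as DeliverLogsPermissionArn.
    """
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unsupported resource type {resource_type!r}")
    if traffic_type not in TRAFFIC_TYPES:
        raise ValueError(f"traffic type must be one of {sorted(TRAFFIC_TYPES)}")
    if aggregation_seconds not in (60, 600):
        raise ValueError("maximum aggregation interval is 60 or 600 seconds")
    params = {"ResourceType": resource_type, "ResourceIds": [resource_id],
              "TrafficType": traffic_type, "MaxAggregationInterval": aggregation_seconds}
    if destination.startswith("arn:aws:s3:::"):
        params.update(LogDestinationType="s3", LogDestination=destination)
    elif destination.startswith("arn:aws:firehose:"):
        params.update(LogDestinationType="kinesis-data-firehose", LogDestination=destination)
    else:
        if not delivery_role_arn:
            raise ValueError("a CloudWatch Logs destination needs delivery_role_arn")
        params.update(LogDestinationType="cloud-watch-logs", LogGroupName=destination,
                      DeliverLogsPermissionArn=delivery_role_arn)
    if log_format is not None:
        check_log_format(log_format)
        params["LogFormat"] = log_format
    return params


if __name__ == "__main__":
    params = flow_log_params(
        "VPC", "vpc-0123456789abcdef0", "arn:aws:s3:::example-flow-log-bucket",  # placeholders
        traffic_type="REJECT",
        log_format="${version} ${srcaddr} ${dstaddr} ${dstport} ${protocol} ${action} ${flow-direction}")
    print(params)
    # import boto3; boto3.client("ec2").create_flow_logs(**params)  # real call, needs credentials
```

The same validation applies to the console form and the CLI (`aws ec2 create-flow-logs`), which take the identical fields; the point of checking up front is that a flow log cannot be edited afterwards, so a wrong format or destination means deleting it and starting over.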
10. Example Flow Log Record (Simplified)
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 443 51515 6 10 840 1609459200 1609459260 ACCEPT OK
How to Read It (default column order: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status):
- Source IP → 10.0.1.10, source port 443
- Destination IP → 10.0.2.20, destination port 51515
- Because srcport comes before dstport, the well-known port 443 is on the source side: this record is the server's response leg of an HTTPS connection, not the client's request
- Protocol → TCP (6), 10 packets and 840 bytes in the 60-second interval starting at epoch 1609459200
- Action → ACCEPT, log-status OK
11. How to Analyze Flow Logs
This is very important for the exam.
1. Identify Allowed vs Denied Traffic
- Use the action field
- ACCEPT → Allowed by security rules
- REJECT → Blocked by NACLs or SGs
2. Troubleshoot Connectivity Issues
Scenario:
An application cannot connect to a database.
What to check:
- REJECT entries on the database ENI with the database port as dstport and the application's address as srcaddr → a security group or NACL rule is missing
- ACCEPT egress records on the application side but no matching ingress records on the database side → the traffic never reached the ENI; look at routing (route tables, peering, transit gateway)
- ACCEPT in both directions but the application still fails → the network is not the problem; look at the database itself (listener, credentials, host firewall)
- Security groups are stateful, so a REJECT on the response leg of a connection whose request was ACCEPTed points at a NACL rule, not a security group
3. Detect Suspicious Activity
Look for:
- Unusual IP addresses
- High number of requests
- Unknown ports
- Repeated rejected traffic
4. Traffic Pattern Analysis
- High bytes → heavy data transfer
- Many packets → frequent communication
- Time range → peak usage periods
5. Identify Network Path Issues
Using extended fields like:
- traffic-path
- flow-direction
You can determine:
- Whether traffic goes through NAT Gateway
- Internet Gateway
- VPC Peering
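The record structure (sections 5 to 7), the example record (section 10) and the analysis steps above, worked through in code as an added example that is not part of the original notes: a parser driven by the same `${field}` format string you would give the flow log at creation, followed by the checks a practitioner actually runs (log-status gaps, a REJECT listing, repeated rejects across many ports from one source, TCP flag and traffic-path decoding). Field names and the code tables follow the AWS documentation as understood by the example's author; the sample records and the ENI, VPC, subnet and instance IDs are constructed.

```python
"""Parse VPC Flow Log records and run the checks from the analysis section.

Added example, not AWS code: field names, the default column order and the
traffic-path / tcp-flags code tables follow the flow log documentation; every
sample record below is constructed.
"""
from collections import Counter, defaultdict

# Default (version 2) format in the order AWS emits it. The same ${field}
# syntax is what you pass as the custom log format when creating a flow log.
DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
                  "${srcport} ${dstport} ${protocol} ${packets} ${bytes} "
                  "${start} ${end} ${action} ${log-status}")
# A custom format that appends extended fields (chosen for this example).
CUSTOM_FORMAT = DEFAULT_FORMAT + (" ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} "
                                  "${type} ${pkt-srcaddr} ${pkt-dstaddr} ${flow-direction} ${traffic-path}")
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
           "start", "end", "tcp-flags", "traffic-path"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
TCP_FLAG_BITS = [(1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG")]
TRAFFIC_PATH = {  # egress only; ingress records carry '-'
    1: "resource in the same VPC", 2: "internet gateway or gateway VPC endpoint",
    3: "virtual private gateway", 4: "intra-region VPC peering",
    5: "inter-region VPC peering", 6: "local gateway",
    7: "gateway VPC endpoint (Nitro)", 8: "internet gateway (Nitro)"}


def fields_of(log_format):
    """'${a} ${b} ...' -> ['a', 'b', ...]: the format string fixes the column order."""
    return [tok[2:-1] for tok in log_format.split()]


def parse_record(line, fields):
    """Parse one space-separated record. '-' (NODATA/SKIPDATA rows, or a field that
    does not apply, e.g. traffic-path on ingress) becomes None."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
    return {name: None if v == "-" else (int(v) if name in NUMERIC else v)
            for name, v in zip(fields, values)}


def status_summary(records):
    """Count log-status values. SKIPDATA rows mean lost records: a visibility gap."""
    return Counter(r["log-status"] for r in records)


def rejects(records):
    """REJECT rows as (src, dst, dstport, protocol). A REJECT may come from a
    security group or a NACL; the record itself does not say which."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], PROTOCOLS.get(r["protocol"], str(r["protocol"])))
            for r in records if r["action"] == "REJECT"]


def port_scan_suspects(records, min_ports=5):
    """Sources whose rejected traffic hit at least min_ports distinct destination
    ports: the 'repeated rejects on unknown ports' pattern."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["dstport"] is not None:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def decode_tcp_flags(mask):
    """Expand the tcp-flags bitmask (flags are OR-ed over the aggregation interval)."""
    return [name for bit, name in TCP_FLAG_BITS if mask & bit]


def describe_path(record):
    """Human-readable traffic-path; only egress records carry a path code."""
    code = record.get("traffic-path")
    if code is None:
        return "n/a (ingress or field not enabled)"
    return TRAFFIC_PATH.get(code, f"unknown code {code}")


# Constructed sample records: fictitious IDs, documentation-range public addresses.
ROW = "2 123456789012 eni-0a1b2c3d4e5f67890 "
SAMPLE_DEFAULT = (
    [ROW + "10.0.1.10 10.0.2.20 443 51515 6 10 840 1609459200 1609459260 ACCEPT OK"]
    # one external host probing five ports on the same instance
    + [ROW + f"198.51.100.23 10.0.1.10 40001 {p} 6 1 40 1609459200 1609459260 REJECT OK"
       for p in (22, 23, 445, 3389, 8080)]
    + [ROW + "- - - - - - - 1609459200 1609459800 - NODATA",
       ROW + "- - - - - - - 1609459200 1609459800 - SKIPDATA"])
SAMPLE_CUSTOM = (ROW + "10.0.1.10 203.0.113.5 51515 443 6 10 840 1609459200 1609459260 ACCEPT OK "
                 "vpc-0fedcba9876543210 subnet-0123456789abcdef0 i-0abcdef1234567890 "
                 "3 IPv4 10.0.1.10 203.0.113.5 egress 8")

if __name__ == "__main__":
    recs = [parse_record(line, fields_of(DEFAULT_FORMAT)) for line in SAMPLE_DEFAULT]
    print(dict(status_summary(recs)), rejects(recs), port_scan_suspects(recs), sep="\n")
    custom = parse_record(SAMPLE_CUSTOM, fields_of(CUSTOM_FORMAT))
    print(decode_tcp_flags(custom["tcp-flags"]), describe_path(custom))
```

Two design points: the parser never hard-codes column positions, because a custom format can put fields in any order and the only reliable source of truth is the format string the flow log was created with; and rows whose log-status is not OK are parsed rather than discarded, because SKIPDATA in a production log is itself a finding (you lost records during that interval).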
12. Important Limitations (Exam Focus)
You MUST remember these:
- No packet payload (only metadata)
- Not real-time: records are aggregated over a 10-minute (default) or 1-minute interval and then delivered, so expect a delay of several minutes
- Not a DNS query log: requests to the Amazon-provided DNS resolver are not captured (queries to your own DNS servers are); use Route 53 Resolver query logging for DNS visibility
- Traffic that is never captured includes:
  - Amazon DNS (Route 53 Resolver)
  - DHCP
  - Instance metadata service (169.254.169.254) and Amazon Time Sync (169.254.169.123)
  - Windows license activation
  - Traffic to the reserved address of the default VPC router
- A flow log cannot be modified after creation; to change the filter, format or destination, delete it and create a new one
13. Flow Logs and Security Services
Flow logs are commonly used with:
Amazon CloudWatch
- Metrics, alarms and Logs Insights queries on the CloudWatch Logs destination
AWS CloudTrail
- API-level auditing (who created or deleted a flow log), not traffic
Amazon GuardDuty
- Consumes VPC Flow Logs as a threat-detection data source; it reads them through its own channel, so you do not have to enable flow logs yourself for GuardDuty to use them
Amazon Athena
- SQL queries over flow logs delivered to S3
AWS Security Groups & NACLs
- Validate rule effectiveness
14. Best Practices (Exam-Oriented)
1. Enable Flow Logs at Appropriate Level
- Use ENI level for critical systems
2. Use Custom Format
- Include extended fields for deeper insights
3. Store Logs in S3
- For long-term analysis
4. Query Logs with CloudWatch Logs Insights (CloudWatch destination) or Athena (S3 destination)
- Query logs efficiently, e.g. top talkers, REJECT counts per source, traffic per port
5. Monitor REJECT Traffic
- Helps detect misconfigurations or attacks
15. Key Exam Tips (VERY IMPORTANT)
- Flow logs capture metadata, not payload
- REJECT means the traffic was blocked by a security group or a NACL; the record does not say which. Because security groups are stateful, a REJECT on the return leg of an otherwise ACCEPTed flow can only be a NACL
- Extended fields must be manually enabled
- Logs can go to CloudWatch, S3, or Kinesis
- Use flow logs for:
- Troubleshooting
- Security auditing
- Traffic analysis
Final Summary
VPC Flow Logs are a critical AWS tool used to:
- Monitor network traffic
- Audit security rules
- Detect issues and threats
To pass the exam, you must:
- Understand how to create flow logs
- Know base vs extended fields
- Be able to analyze traffic patterns and issues
