
How to publish VPC Flow logs to a different account

source link: https://dev.to/kasukur/how-to-publish-vpc-flow-logs-to-a-different-account-1ead
kasukur

Posted on Feb 2


A few AWS users have raised the following question on repost.aws:

This post is to help other users who are facing the same issue.

  • The first step: create a bucket with a unique name.

As per AWS's documentation, "IAM policy for IAM principals that publish flow logs to Amazon S3":

We will be using the following substitutions in the following bucket policies:

Parameter     Example
[BucketName]  flowlogstestrandomnumber
[Region]      ap-southeast-2
[AccountB]    123456789101

  • Policy from the documentation
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[BucketName]",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::[BucketName]",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        }
    ]
}

  • When we add this bucket policy to send VPC flow logs from AccountA to an S3 bucket in AccountB (a different account), we notice the following error:
  • The error is caused by the Resource element naming only the bucket:
"Resource": "arn:aws:s3:::[BucketName]",

  • We need to update the bucket policy to allow access to both the bucket and the objects within it, by changing the Resource element as follows:
"Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],

  • The final policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "[AccountB]"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"
                }
            }
        }
    ]
}

  • Create a flow log for a subnet in a VPC and take note of the subnet zone as we are going to launch an EC2 instance in the same subnet to create some traffic.

Note: For a quicker demonstration, choose a 1 min maximum aggregation interval (the default is 10 mins).

  • The flow log is created:

  • Launch an EC2 instance in the same subnet as the flow log.

  • After a few minutes, the flow logs are stored in AccountA's S3 bucket and they are prefixed with AccountB's account number.

  • Clean Up

    • Terminate EC2 instance
    • Delete the flow log from the subnet
    • Empty the bucket
    • Delete the bucket
  • Summary

    • Remember to add both the bucket and the objects within the bucket as resources within the policy.
"Resource": [
                "arn:aws:s3:::[BucketName]",
                "arn:aws:s3:::[BucketName]/*"
            ],
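To make the Resource fix from the walkthrough and the summary mechanically checkable, here is an added Python example (not from the original post or from AWS): it renders the documentation policy from the placeholder table, lints it for the missing object-level resource and for the aws:SourceAccount / aws:SourceArn conditions that pin the delivery to one account, and applies the post's fix. The bucket name and account number are the constructed example values from the table, not real resources.

```python
import json

DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
# Constructed substitutions matching the post's table; the account number is a placeholder.
SUBS = {"[BucketName]": "flowlogstestrandomnumber", "[Region]": "ap-southeast-2", "[AccountB]": "123456789101"}
# The documentation policy as quoted in the post, with its bucket-only Resource on both statements.
DOC_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": DELIVERY_SERVICE},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::[BucketName]",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "[AccountB]"},
                       "ArnLike": {"aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"}}},
        {"Sid": "AWSLogDeliveryCheck", "Effect": "Allow", "Principal": {"Service": DELIVERY_SERVICE},
         "Action": ["s3:GetBucketAcl", "s3:ListBucket"], "Resource": "arn:aws:s3:::[BucketName]",
         "Condition": {"StringEquals": {"aws:SourceAccount": "[AccountB]"},
                       "ArnLike": {"aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*"}}},
    ],
}

def render_policy(template: dict, subs: dict) -> dict:
    # Substitute the [Placeholder] tokens everywhere in the policy document.
    text = json.dumps(template)
    for token, value in subs.items():
        text = text.replace(token, value)
    return json.loads(text)

def lint_flow_log_bucket_policy(policy: dict, bucket: str, account: str) -> list:
    # Return findings for Allow statements that grant the log-delivery service access.
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != DELIVERY_SERVICE:
            continue
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        actions, resources = (v if isinstance(v, list) else [v] for v in (stmt["Action"], stmt["Resource"]))
        if "s3:PutObject" in actions:
            # The defect the post describes: PutObject targets objects, so the bucket ARN alone is rejected.
            if f"arn:aws:s3:::{bucket}/*" not in resources:
                findings.append(f"{sid}: s3:PutObject lacks object resource arn:aws:s3:::{bucket}/*")
            if cond.get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: missing s3:x-amz-acl=bucket-owner-full-control condition")
        # Without both conditions the service could deliver logs from any account into this bucket.
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account or "aws:SourceArn" not in cond.get("ArnLike", {}):
            findings.append(f"{sid}: aws:SourceAccount/aws:SourceArn conditions do not pin account {account}")
    return findings

def add_object_resource(policy: dict, bucket: str) -> dict:
    # Apply the post's fix: list both the bucket and the objects within it as resources.
    fixed = json.loads(json.dumps(policy))  # deep copy, leaves the input untouched
    for stmt in fixed["Statement"]:
        if stmt.get("Principal", {}).get("Service") == DELIVERY_SERVICE:
            stmt["Resource"] = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return fixed
```

Run the linter against a rendered policy before putting it on the bucket; the documentation version yields exactly the PutObject finding, and the fixed version yields none.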
