# Amazon VPC Flow Logs
## What Are VPC Flow Logs?
Amazon VPC Flow Logs capture metadata about IP network traffic flowing through AWS network interfaces.
They provide visibility into:
- accepted traffic
- rejected traffic
- source and destination communication
- network-level activity across AWS networking environments
Flow Logs help organizations monitor, troubleshoot, audit, and investigate network behavior.
Think of VPC Flow Logs as:
Network traffic telemetry for AWS VPC environments.
## Why It Matters for Security
VPC Flow Logs are foundational for:
- network visibility
- threat detection
- forensic investigations
- anomaly detection
- incident response
- segmentation validation
- compliance monitoring
Security teams use VPC Flow Logs to:
- investigate compromised workloads
- identify suspicious communication
- monitor rejected traffic
- detect lateral movement
- validate security controls
- support SOC operations
It is heavily used in:
- threat hunting
- zero trust architectures
- centralized logging
- regulated environments
- hybrid architectures
- enterprise security operations
## Core Concepts
- captures network traffic metadata
- does not capture packet payload
- flow-based network telemetry
- supports ACCEPT / REJECT / ALL
- operates at ENI level
- supports centralized logging
- supports near real-time visibility
- useful for investigations and analytics
## Important Integrations
### Amazon VPC
Flow Logs can be enabled at:
- VPC level
- subnet level
- Elastic Network Interface (ENI) level
### Elastic Network Interface (ENI)
Flow Logs ultimately record network telemetry from ENIs.
Examples:
- EC2
- Lambda ENIs
- NAT Gateway
- ECS tasks
- EKS worker nodes
Very important architecture concept.
### Amazon CloudWatch Logs
Supports:
- operational monitoring
- alerting
- metric filters
- centralized ingestion
Common for near real-time monitoring.
### Amazon S3
Common destination for:
- long-term retention
- forensic storage
- analytics
- compliance archives
Very common enterprise architecture pattern.
### Amazon Athena
Commonly used for:
- SQL analysis
- threat hunting
- investigations
- traffic reporting
Typical pattern:
Flow Logs
→ S3
→ Athena
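The Flow Logs → S3 → Athena pattern exists so that analysts can ask SQL questions of the metadata. The block below is an added example written for this page (not AWS code and not part of the original notes): it loads constructed default-format records into an in-memory SQLite table whose column names mirror the default-format Athena table from the AWS documentation (treat the DDL as an assumption and adapt it to your own), then runs two queries of the kind used in investigations: top accepted source/destination pairs by bytes, and accepted egress from the VPC to non-VPC addresses. The `10.%` prefix test is a constructed stand-in for the VPC CIDR; account and ENI identifiers are placeholders.

```python
"""Athena-style SQL over VPC Flow Log records, run locally with sqlite3.

Added example, not from the original page or from AWS. Column names mirror the
default-format Athena table in the AWS documentation (assumption: adjust to your
own DDL); the sample records and the '10.%' VPC prefix are constructed.
"""
import sqlite3

# Column positions in the default (version 2) record that hold integers.
NUMERIC = {0, 5, 6, 7, 8, 9, 10, 11}

SCHEMA = """
CREATE TABLE vpc_flow_logs (
  version INTEGER, account TEXT, interfaceid TEXT,
  sourceaddress TEXT, destinationaddress TEXT,
  sourceport INTEGER, destinationport INTEGER, protocol INTEGER,
  numpackets INTEGER, numbytes INTEGER,
  starttime INTEGER, endtime INTEGER,
  action TEXT, logstatus TEXT
)
"""

# Constructed sample records (account and ENI are placeholders): app -> db
# traffic, a large accepted transfer to a public address, the db reply flow,
# a rejected SSH attempt and one NODATA aggregation window.
SAMPLE_LINES = [
    "2 111122223333 eni-0123456789abcdef0 10.0.1.25 10.0.2.40 49152 5432 6 120 96000 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0123456789abcdef0 10.0.1.25 203.0.113.50 49153 443 6 900 52428800 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0123456789abcdef0 10.0.2.40 10.0.1.25 5432 49152 6 100 8000 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 51000 22 6 1 60 1700000000 1700000600 REJECT OK",
    "2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000600 1700001200 - NODATA",
]


def load(lines):
    """Create the in-memory table and insert the records; '-' becomes NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 14:
            raise ValueError(f"malformed record: {line!r}")
        rows.append([None if p == "-" else (int(p) if i in NUMERIC else p)
                     for i, p in enumerate(parts)])
    conn.executemany("INSERT INTO vpc_flow_logs VALUES (%s)" % ",".join("?" * 14), rows)
    return conn


# Accepted traffic ranked by volume per source/destination pair.
TOP_TALKERS = """
SELECT sourceaddress, destinationaddress, SUM(numbytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT'
GROUP BY sourceaddress, destinationaddress
ORDER BY total_bytes DESC
LIMIT ?
"""

# Accepted flows leaving the VPC; '10.%' is a constructed stand-in for the VPC CIDR.
EGRESS_TO_PUBLIC = """
SELECT sourceaddress, destinationaddress, destinationport, SUM(numbytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT'
  AND sourceaddress LIKE '10.%'
  AND destinationaddress NOT LIKE '10.%'
GROUP BY sourceaddress, destinationaddress, destinationport
ORDER BY total_bytes DESC
"""


def top_talkers(conn, limit=5):
    return conn.execute(TOP_TALKERS, (limit,)).fetchall()


def egress_to_public(conn):
    return conn.execute(EGRESS_TO_PUBLIC).fetchall()


def record_count(conn):
    return conn.execute("SELECT COUNT(*) FROM vpc_flow_logs").fetchone()[0]


if __name__ == "__main__":
    db = load(SAMPLE_LINES)
    print("records loaded:", record_count(db))
    for row in top_talkers(db):
        print("top talker:", row)
    for row in egress_to_public(db):
        print("egress to public:", row)
```

The NODATA row shows why `WHERE action = 'ACCEPT'` matters: records with no traffic carry `-` in the action column and must not be summed into volume reports. In Athena the same queries run unchanged once the S3 prefix is registered as an external table.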
### Amazon OpenSearch Service
Used for:
- dashboards
- network analytics
- anomaly visibility
- investigation workflows
### Amazon GuardDuty
GuardDuty heavily relies on VPC Flow Logs.
Examples:
- reconnaissance
- crypto mining
- suspicious communication
- command-and-control detection
Very important service integration.
### AWS Security Hub
Can aggregate findings originating from Flow Log analytics.
### AWS Transit Gateway
Flow Logs support visibility into:
- centralized routing
- hybrid traffic
- multi-VPC communication
### AWS Network Firewall
Often analyzed together with Flow Logs for:
- validation
- investigations
- traffic analysis
## Security Features
### Network Traffic Visibility
Flow Logs provide visibility into:
- source IP
- destination IP
- source port
- destination port
- protocol
- packets
- bytes
- action
Very important investigation capability.
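The fields above are exactly the columns of a default-format record. The following parser is an added example written for this page (not AWS code and not part of the original notes): it maps the 14 space-separated columns of the default (version 2) format onto field names, keeps `-` values as `None` so that NODATA and SKIPDATA windows do not break integer conversion, and gives a quick ACCEPT/REJECT/NODATA tally, the first thing to check when traffic seems to be missing. Sample lines are constructed; account and ENI identifiers are placeholders.

```python
"""Parse VPC Flow Log records in the default (version 2) format.

Added example, not from the original page or from AWS. The sample lines are
constructed; account and ENI identifiers are placeholders.
"""

# Column order of the default flow log record format as published by AWS.
DEFAULT_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: two accepted flows, one rejected SSH attempt and one
# NODATA record (no traffic seen on the ENI during that aggregation window).
SAMPLE_LINES = [
    "2 111122223333 eni-0123456789abcdef0 10.0.1.25 10.0.2.40 49152 443 6 12 3840 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 51000 22 6 1 60 1700000000 1700000600 REJECT OK",
    "2 111122223333 eni-0123456789abcdef0 10.0.1.25 10.0.2.53 53001 53 17 2 180 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000600 1700001200 - NODATA",
]


def parse_record(line, fields=DEFAULT_FIELDS):
    """Split one record into a dict keyed by field name.

    A '-' means the field is unavailable for that record (typical of NODATA and
    SKIPDATA lines); it is stored as None instead of being coerced to int.
    """
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    record = {}
    for name, value in zip(fields, parts):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def parse_records(lines):
    """Parse many lines, ignoring blank ones."""
    return [parse_record(line) for line in lines if line.strip()]


def describe(record):
    """One-line human summary of a flow, as you would put in a triage note."""
    if record["log-status"] != "OK":
        return f"{record['interface-id']} {record['log-status']} ({record['start']}-{record['end']})"
    proto = PROTOCOL_NAMES.get(record["protocol"], str(record["protocol"]))
    return (f"{record['action']} {proto} {record['srcaddr']}:{record['srcport']} -> "
            f"{record['dstaddr']}:{record['dstport']} {record['packets']} pkts {record['bytes']} bytes")


def summarize(records):
    """Count records by action, with NODATA/SKIPDATA windows counted separately."""
    counts = {"ACCEPT": 0, "REJECT": 0, "NODATA": 0, "SKIPDATA": 0}
    for r in records:
        key = r["action"] if r["log-status"] == "OK" else r["log-status"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    for r in recs:
        print(describe(r))
    print(summarize(recs))
```

A SKIPDATA count that is not zero means records were dropped (capacity or internal error), which is a different problem from an exclusion and deserves its own alert.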
### Traffic Types
Supports:
#### ACCEPT
Records allowed traffic.
Useful for:
- analytics
- investigations
- communication visibility
#### REJECT
Records denied traffic.
Useful for:
- attack detection
- segmentation validation
- suspicious activity analysis
#### ALL
Captures:
- ACCEPT
- REJECT
Most common security-focused configuration.
### Threat Hunting
Security teams use Flow Logs to investigate:
- beaconing
- lateral movement
- unexpected communication
- unusual east-west traffic
### Forensic Investigations
Flow Logs support:
- incident response
- compromised workload analysis
- exfiltration investigations
- communication tracing
### Traffic Segmentation Validation
Flow Logs help validate:
- Security Groups
- NACLs
- subnet isolation
- zero trust architectures
### Centralized Analytics
Organizations commonly centralize logs into:
- S3
- OpenSearch
- SIEM
- security accounts
### Compliance Monitoring
Supports:
- audit investigations
- monitoring requirements
- evidence retention
Examples:
- PCI DSS
- HIPAA
- financial services
### Encryption Support
Destinations support:
- AWS KMS
- encrypted CloudWatch Logs
- encrypted S3
Very important compliance capability.
### What VPC Flow Logs DO NOT Capture
Flow Logs capture:
- network metadata
They do NOT capture:
- packet payloads
- application contents
- deep packet inspection
Very important distinction.
## Advanced Security and Operational Concepts
### Traffic That Is NOT Logged (Classic Trap)
Certain traffic types are excluded.
Examples:
| Traffic Type | Example |
|---|---|
| Amazon DNS | 169.254.169.253 |
| Instance Metadata | 169.254.169.254 |
| DHCP | automatic configuration |
| Windows License Activation | AWS-managed activation |
If traffic appears missing:
check exclusions before troubleshooting.
### Aggregation Interval (1 Minute vs 10 Minutes)
Flow Logs aggregate records before publishing.
Default:
- 10 minutes
Optional:
- 1 minute
| 10 Minute | 1 Minute |
|---|---|
| lower cost | faster visibility |
| lower volume | more granular |
| slower detection | faster investigations |
Use 1 minute when:
- SOC monitoring
- incident response
- rapid detection
Use 10 minutes when:
- cost optimization
- baseline visibility
### Default vs Custom Formats
#### Default Format
Captures:
- source IP
- destination IP
- ports
- protocol
- bytes
- action
#### Custom Format
Additional fields:
- pkt-srcaddr
- pkt-dstaddr
- tcp-flags
- flow-direction
- traffic-path
Useful for:
- NAT analysis
- Transit Gateway investigations
- advanced forensics
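With a custom format the column order is whatever the format string declares, so a parser has to be driven by that string. The block below is an added example written for this page (not AWS code and not part of the original notes). It derives the field list from a constructed `${field}` format, then uses the extra fields for two of the checks listed above: NAT analysis (comparing `srcaddr`/`dstaddr` on the interface with `pkt-srcaddr`/`pkt-dstaddr` to recover the original endpoints behind a NAT gateway) and connection-state triage (a `tcp-flags` value of SYN alone over the whole window, meaning the connection never completed). The sample records, ENI identifiers and the NAT gateway address are constructed.

```python
"""Parse custom-format VPC Flow Log records from their format string and use the
extra fields for NAT and connection-state analysis.

Added example, not from the original page or from AWS. The format string, the
sample records, the ENI identifiers and the NAT gateway address are constructed.
"""
import re

# A custom format is declared as ${field} tokens; record columns follow that
# order. This constructed format adds the packet-level addresses, TCP flags,
# flow direction and traffic path to the basic five-tuple.
LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} ${pkt-srcaddr} "
              "${pkt-dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} "
              "${flow-direction} ${traffic-path} ${action} ${log-status}")

TCP_SYN = 2  # tcp-flags bitmask: FIN=1, SYN=2, RST=4, PSH=8, ACK=16 (OR'ed over the window)

# Constructed records. The first two are on a NAT gateway ENI (10.0.0.220 is the
# gateway's private address): the translated outbound flow, then its reply, for
# which the egress-only traffic-path field is '-'. The third is an instance ENI
# whose connection attempt never got past SYN.
SAMPLE_LINES = [
    "5 eni-0abcdef0123456789 10.0.0.220 203.0.113.5 10.0.1.25 203.0.113.5 49152 443 6 19 egress 8 ACCEPT OK",
    "5 eni-0abcdef0123456789 203.0.113.5 10.0.0.220 203.0.113.5 10.0.1.25 443 49152 6 19 ingress - ACCEPT OK",
    "5 eni-0123456789abcdef0 10.0.1.25 10.0.2.40 10.0.1.25 10.0.2.40 49153 5432 6 2 egress 1 ACCEPT OK",
]


def fields_from_format(fmt):
    """Extract the ordered field names from a ${...} format string."""
    return re.findall(r"\$\{([^}]+)\}", fmt)


def parse_custom(line, fields):
    """Map one record onto the field names; '-' (not applicable) becomes None."""
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(parts)}: {line!r}")
    return {name: (None if value == "-" else value) for name, value in zip(fields, parts)}


def translated(rec):
    """True when the interface-level addresses differ from the packet-level
    ones, i.e. the flow passed through an intermediate such as a NAT gateway."""
    return (rec.get("pkt-srcaddr") not in (None, rec["srcaddr"])
            or rec.get("pkt-dstaddr") not in (None, rec["dstaddr"]))


def original_endpoints(rec):
    """Endpoints before translation: prefer pkt-* fields, else srcaddr/dstaddr."""
    return (rec.get("pkt-srcaddr") or rec["srcaddr"],
            rec.get("pkt-dstaddr") or rec["dstaddr"])


def syn_only(rec):
    """Only a SYN was seen in the aggregation window: the TCP handshake never
    completed, which on an ACCEPTed flow points at a silent drop further along
    the path or an unresponsive service."""
    flags = rec.get("tcp-flags")
    return rec.get("protocol") == "6" and flags is not None and int(flags) == TCP_SYN


def analyze(lines, fmt=LOG_FORMAT):
    """Per record: original endpoints plus the NAT and handshake indicators."""
    fields = fields_from_format(fmt)
    out = []
    for line in lines:
        rec = parse_custom(line, fields)
        src, dst = original_endpoints(rec)
        out.append({
            "interface": rec["interface-id"],
            "direction": rec["flow-direction"],
            "original_src": src,
            "original_dst": dst,
            "translated": translated(rec),
            "syn_only": syn_only(rec),
        })
    return out


if __name__ == "__main__":
    for item in analyze(SAMPLE_LINES):
        print(item)
```

Keep the format string alongside the logs (for example as a tag on the Flow Log or in the Athena DDL): because a Flow Log cannot be edited after creation, the format is stable for its lifetime, and the parser only needs the string, not a hand-maintained column list.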
### Flow Logs Are Immutable
After creation you cannot modify:
- aggregation interval
- destination
- log format
- IAM role
To modify:
Delete Flow Log
↓
Recreate Flow Log
Very important operational limitation.
## Architecture Example
### Centralized Security Analytics Architecture
```mermaid
flowchart TD
    INTERNET[Internet]
    ATTACKER[Threat Actor]
    subgraph AWS [AWS Cloud]
        subgraph PROD [Production VPC]
            WEB[Web EC2]
            APP[Application EC2]
            DB[Amazon RDS]
            SG[Security Groups]
            NACL[Network ACL]
            FLOW[VPC Flow Logs]
        end
        CW[CloudWatch Logs]
        S3[Central Security S3]
        ATHENA[Amazon Athena]
        OS[Amazon OpenSearch Service]
        GD[Amazon GuardDuty]
        SH[Security Hub]
        SOC[SOC Analysts]
    end
    INTERNET --> WEB
    ATTACKER -. Suspicious Traffic .-> WEB
    WEB --> APP
    APP --> DB
    SG --> FLOW
    NACL --> FLOW
    WEB -. Metadata .-> FLOW
    APP -. Metadata .-> FLOW
    DB -. Metadata .-> FLOW
    FLOW --> CW
    FLOW --> S3
    S3 --> ATHENA
    S3 --> OS
    FLOW --> GD
    GD --> SH
    ATHENA --> SOC
    OS --> SOC
    SH --> SOC
    classDef compute fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
    classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
    classDef analytics fill:#fff3e0,stroke:#ef6c00,color:#e65100;
    classDef storage fill:#f3e5f5,stroke:#6a1b9a,color:#4a148c;
    class WEB,APP,DB compute;
    class FLOW,GD,SH,SG,NACL security;
    class ATHENA,OS,SOC analytics;
    class CW,S3 storage;
```
Use case: centralized network visibility, security analytics, threat detection, and forensic investigation.
### Enterprise Detection Pipeline
Typical security architecture:
Traffic
↓
VPC Flow Logs
↓
S3 / CloudWatch
↓
Athena / OpenSearch
↓
GuardDuty
↓
Security Hub
↓
SOC Investigation
Common enterprise pattern.
### Threat Investigation Workflow
```mermaid
sequenceDiagram
    autonumber
    participant ATTACKER as Threat Actor
    participant EC2 as EC2 Workload
    participant FLOW as VPC Flow Logs
    participant GD as GuardDuty
    participant SH as Security Hub
    participant SOC as Analyst
    ATTACKER->>EC2: Suspicious connection
    EC2->>FLOW: Generate traffic metadata
    FLOW->>GD: Detection telemetry
    GD->>SH: Security finding
    SH->>SOC: Alert investigation
    SOC->>FLOW: Query communication patterns
    SOC->>EC2: Isolate compromised workload
```
Use case: investigate suspicious network activity using Flow Logs and GuardDuty findings.
### Hybrid Visibility Workflow
```mermaid
sequenceDiagram
    autonumber
    participant ONPREM as On-Premises
    participant TGW as Transit Gateway
    participant VPC as Production VPC
    participant FLOW as VPC Flow Logs
    participant S3 as Security Archive
    participant ATHENA as Athena
    ONPREM->>TGW: Hybrid request
    TGW->>VPC: Forward traffic
    VPC->>FLOW: Generate telemetry
    FLOW->>S3: Store logs
    ATHENA->>S3: Query investigation data
```
Use case: analyze hybrid traffic patterns across centralized networking.
## VPC Flow Logs vs CloudTrail
| VPC Flow Logs | AWS CloudTrail |
|---|---|
| network traffic metadata | AWS API activity |
| data plane visibility | control plane visibility |
| communication analysis | identity analysis |
| traffic investigations | audit investigations |
| IP behavior | API behavior |
Use Flow Logs when:
- analyzing communication
- investigating rejected traffic
- detecting lateral movement
Use CloudTrail when:
- auditing AWS actions
- identifying users
- tracking account activity
## VPC Flow Logs vs Traffic Mirroring
| VPC Flow Logs | VPC Traffic Mirroring |
|---|---|
| metadata only | packet copy |
| lightweight | deep packet inspection |
| scalable visibility | IDS workflows |
| lower operational overhead | advanced packet analysis |
Use Flow Logs when:
- metadata is sufficient
- broad monitoring is required
Use Traffic Mirroring when:
- payload visibility is required
- IDS appliances are deployed
## VPC Flow Logs vs GuardDuty
| VPC Flow Logs | Amazon GuardDuty |
|---|---|
| telemetry source | managed detection |
| visibility | findings |
| investigation input | automated analysis |
| logging | threat identification |
Relationship:
VPC Flow Logs
↓
GuardDuty
↓
Security Hub
GuardDuty consumes Flow Log telemetry.
Very important distinction.
## VPC Flow Logs vs AWS Network Firewall
| VPC Flow Logs | AWS Network Firewall |
|---|---|
| observe traffic | inspect and enforce |
| metadata collection | packet filtering |
| retrospective analysis | active protection |
| visibility | prevention |
Use Flow Logs when:
- observing behavior
Use Network Firewall when:
- enforcing policies
## VPC Flow Logs vs Security Groups
| VPC Flow Logs | Security Groups |
|---|---|
| observes | enforces |
| monitoring | filtering |
| telemetry | access control |
Relationship:
Security Groups determine:
- allow / deny
Flow Logs record:
- what occurred
Very important architecture distinction.
## Common Exam Traps
### Trap 1 — Assuming Flow Logs Capture Packet Payloads
VPC Flow Logs capture:
- network metadata
They do NOT capture:
- packet contents
- application payload
- full packet inspection
Need packet inspection?
→ VPC Traffic Mirroring
Very important distinction.
### Trap 2 — Confusing CloudTrail and Flow Logs
CloudTrail records:
- API activity
- identity actions
- account events
Flow Logs record:
- network communication
- source/destination behavior
- traffic telemetry
Quick rule:
Who performed action?
→ CloudTrail
How did traffic move?
→ Flow Logs
### Trap 3 — Forgetting REJECT Traffic Analysis
Rejected traffic often reveals:
- denied access attempts
- reconnaissance
- attack patterns
- segmentation failures
Security investigations frequently analyze:
REJECT
+
source
+
destination
+
port
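The REJECT + source + destination + port combination above (and the REJECT traffic type described earlier) is what this added example works through. It is written for this page and is not part of the original notes or AWS code: it profiles rejected default-format records per source address, counts the distinct destination ports and hosts each one touched, and labels the shape of the activity. Many distinct ports from one source is the fan-out of probing; the same port denied repeatedly from an internal host is more often a legitimate dependency blocked by a Security Group or NACL rule, i.e. a segmentation failure to review. Sample records are constructed and the thresholds are assumptions to tune against your own baseline.

```python
"""Triage REJECT records: group denied flows by source, count the distinct
destination ports and hosts each source touched, and label them.

Added example, not from the original page or from AWS. Sample records are
constructed; account and ENI are placeholders; thresholds are assumptions.
"""
from collections import defaultdict

# Default record format (version 2), in column order.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]


def parse(line):
    return dict(zip(FIELDS, line.split()))


def rec(src, dst, dport, action, sport=51000):
    """Build a constructed default-format line (account and ENI are placeholders)."""
    return (f"2 111122223333 eni-0123456789abcdef0 {src} {dst} {sport} {dport} "
            f"6 1 60 1700000000 1700000600 {action} OK")


# Constructed sample: an external address denied on many ports of one host, an
# internal host repeatedly denied on a single database port, and one normal
# accepted flow that must not appear in the REJECT profile.
SAMPLE_LINES = (
    [rec("203.0.113.9", "10.0.1.25", p, "REJECT") for p in (21, 22, 23, 25, 80, 443, 3389, 8080)]
    + [rec("10.0.3.14", "10.0.2.40", 5432, "REJECT", sport=s) for s in (40001, 40002, 40003)]
    + [rec("10.0.1.25", "10.0.2.40", 443, "ACCEPT")]
)


def reject_profile(lines):
    """Per source address: REJECT count, distinct destination ports, distinct hosts."""
    profile = defaultdict(lambda: {"rejects": 0, "ports": set(), "hosts": set()})
    for line in lines:
        r = parse(line)
        # NODATA/SKIPDATA windows carry '-' in every field; skip them before int().
        if r["log-status"] != "OK" or r["action"] != "REJECT":
            continue
        p = profile[r["srcaddr"]]
        p["rejects"] += 1
        p["ports"].add(int(r["dstport"]))
        p["hosts"].add(r["dstaddr"])
    return dict(profile)


def classify(profile, port_threshold=5, repeat_threshold=3):
    """Label each source for triage (thresholds are assumptions)."""
    labels = {}
    for src, p in profile.items():
        if len(p["ports"]) >= port_threshold:
            labels[src] = "port-fan-out"          # probing shape: many ports, few hosts
        elif p["rejects"] >= repeat_threshold and len(p["ports"]) == 1:
            labels[src] = "repeated-single-port"  # likely a blocked dependency: review the rule
        else:
            labels[src] = "low-volume"
    return labels


if __name__ == "__main__":
    prof = reject_profile(SAMPLE_LINES)
    for src, label in classify(prof).items():
        print(f"{src}: {label} ({prof[src]['rejects']} rejects, "
              f"ports={sorted(prof[src]['ports'])}, hosts={sorted(prof[src]['hosts'])})")
```

With a 1-minute aggregation interval the same profile can be recomputed per window, which is what turns this from a report into a detection.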
### Trap 4 — Assuming Flow Logs Perform Inspection
Flow Logs provide:
- observability
They do NOT provide:
- packet filtering
- packet inspection
- intrusion prevention
Those belong to:
- Network Firewall
- Traffic Mirroring
- IDS/IPS tooling
### Trap 5 — Forgetting GuardDuty Dependency
GuardDuty heavily uses:
- VPC Flow Logs
Relationship:
Flow Logs
↓
GuardDuty
↓
Security Hub
### Trap 6 — Assuming Only EC2 Traffic Is Captured
Flow Logs operate at:
- ENI level
Examples:
- EC2
- Lambda
- NAT Gateway
- ECS
- EKS
Very important architecture distinction.
### Trap 7 — Confusing Observation and Enforcement
Security Groups:
- enforce
Flow Logs:
- observe
One controls.
One records.
### Trap 8 — Forgetting Centralized Logging Architecture
Common enterprise pattern:
Flow Logs
↓
S3
↓
Athena
↓
OpenSearch
↓
SOC
Very important governance workflow.
### Trap 9 — Assuming Missing Traffic Means Logging Failure
Some traffic is excluded.
Examples:
- Amazon DNS
- IMDS
- DHCP
- Windows activation
Always validate exclusions.
### Trap 10 — Forgetting Aggregation Delay
Flow Logs are:
- near real-time
not:
- immediate packet streaming
Aggregation:
- 10 min default
- 1 min optional
### Trap 11 — Forgetting Custom Formats
Advanced investigations may require:
- pkt-srcaddr
- tcp-flags
- traffic-path
Default logs may not be sufficient.
### Trap 12 — Assuming Flow Logs Are Editable
Flow Logs are immutable.
Change requires:
Delete
↓
Recreate
## 5-Second Recall
### Identity
VPC Flow Logs = network traffic metadata visibility for AWS environments
### Keywords
If the scenario mentions:
- traffic visibility
- rejected traffic
- network analytics
- traffic telemetry
- lateral movement
- communication investigation
Answer:
→ VPC Flow Logs
### Investigation Trigger
Need:
- suspicious traffic analysis
- source/destination visibility
- network investigation
- traffic analytics
Answer:
→ VPC Flow Logs
### API Audit Trigger
Need:
- API calls
- account activity
- who performed action
Answer:
→ AWS CloudTrail
### Need Packet Payload?
→ VPC Traffic Mirroring
### Need Managed Threat Detection?
→ Amazon GuardDuty
### Need Traffic Enforcement?
→ AWS Network Firewall
### Need Centralized Analytics?
→ Flow Logs → S3 → Athena → OpenSearch
### Need Original Packet Source?
→ Custom Format → pkt-srcaddr
### Need Faster Visibility?
→ 1-minute aggregation
### Need Hybrid Investigation?
→ Transit Gateway + Flow Logs
### Need Segmentation Validation?
→ Security Groups + NACLs + Flow Logs
## Quick Revision Notes
### Identity
- network traffic metadata service
### Visibility
- traffic metadata only
- no packet payload capture
- ENI-based telemetry
### Traffic Types
- ACCEPT
- REJECT
- ALL
### Integrations
- CloudWatch Logs
- S3
- Athena
- OpenSearch
- GuardDuty
- Security Hub
### Investigation
- threat hunting
- lateral movement
- exfiltration analysis
- segmentation validation
### Advanced Concepts
- excluded traffic exists
- 10-minute default aggregation
- 1-minute optional aggregation
- custom formats available
- immutable configuration
### Architecture Memory
Observe
↓
Flow Logs
Analyze
↓
Athena/OpenSearch
Detect
↓
GuardDuty
Aggregate
↓
Security Hub
### Final Identity
VPC Flow Logs = foundational AWS network visibility and forensic telemetry service