If your VPC flow logs are not showing up in CloudWatch Logs, the likely cause is missing IAM permissions on the IAM role used for the flow log. Learn how to troubleshoot and fix this issue.
Question
A company’s SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs.
What could be blocking the VPC flow logs from being published to CloudWatch Logs?
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs CreateLogGroup permission
B. The IAM policy that is attached to the IAM role for the flow log is missing the logs CreateExportTask permission
C. The VPC is configured for IPv6 addresses
D. The VPC is peered with another VPC in the AWS account
Answer
A. The IAM policy that is attached to the IAM role for the flow log is missing the logs CreateLogGroup permission
Explanation
When you create a VPC flow log that publishes to CloudWatch Logs, you must specify an IAM role that has the necessary permissions. At a minimum, this IAM role needs to have a policy attached that includes the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions on the CloudWatch Logs log group.
If the logs:CreateLogGroup permission is missing from the IAM role’s policy, the flow log cannot create the CloudWatch Logs log group that is meant to receive the flow log data. As a result, no flow logs show up in CloudWatch Logs.
The other answers can be eliminated:
B is incorrect because the logs:CreateExportTask permission is not required for VPC flow logs. That permission is used for exporting log data from CloudWatch Logs to S3.
C is incorrect because VPC flow logs support both IPv4 and IPv6 traffic. Using IPv6 in the VPC does not prevent flow logs from being published.
D is incorrect because VPC peering does not interfere with VPC flow logs in any way. Flow logs can be enabled in VPCs that are peered with other VPCs without issue.
Therefore, the missing logs:CreateLogGroup IAM permission on the flow log role is the most likely cause of the flow logs failing to be published to CloudWatch Logs. The SysOps administrator should check the IAM policy attached to the role and add the missing permission.
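The following script is an added example (not code from the page or from AWS) that shows what the check described above looks like in practice: it holds a constructed permissions policy that reproduces the failure in the question (logs:CreateLogGroup omitted), the corrected policy, and the trust policy the role needs so the flow logs service can assume it, and it reports which required actions a given policy fails to grant. Resource scoping and NotAction/condition keys are deliberately ignored (an assumption of this toy evaluator, stated in the comments); the two logs:Describe* actions are included because the AWS flow log documentation lists them alongside the three actions named on this page.

```python
"""Check an IAM policy for the CloudWatch Logs actions a VPC flow log role needs.

Added example code, not the page's or AWS's own. Assumptions: Allow/Deny
statements use "Action" only (no NotAction), conditions are ignored, and
resources are treated as "*".
"""
import fnmatch
import json

# Three actions named on the page as the minimum, plus the two Describe
# actions the AWS flow log documentation includes in its example policy.
REQUIRED_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
)

# Constructed sample: the scenario from the question, logs:CreateLogGroup is missing.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
        "Resource": "*",
    }],
})

# Constructed sample: the corrected permissions policy.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
})

# Trust policy that lets the VPC Flow Logs service assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return the required actions granted by Allow statements minus any
    explicitly denied ones. Wildcards such as logs:* or logs:Create* are
    honoured; action matching is case-insensitive, as in IAM."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc["Statement"]):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                target.add(action)
    return allowed - denied


def missing_actions(policy):
    """Required actions the policy does not grant, in REQUIRED_ACTIONS order."""
    granted = allowed_actions(policy)
    return [a for a in REQUIRED_ACTIONS if a not in granted]


def trusts_flow_logs_service(trust_policy):
    """True if some Allow statement lets vpc-flow-logs.amazonaws.com assume the role."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if ("vpc-flow-logs.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False


if __name__ == "__main__":
    print("broken policy is missing:", missing_actions(BROKEN_POLICY))
    print("fixed policy is missing:", missing_actions(FIXED_POLICY))
    print("trust policy allows flow logs service:", trusts_flow_logs_service(TRUST_POLICY))
```

To apply this to a real role, fetch the attached policy documents (for example with `aws iam get-role-policy` or `aws iam get-policy-version`) and pass the returned document to `missing_actions`; an empty list means the permissions policy is not the reason the log group is never created, and the next things to check are the role's trust policy and the log group ARN the flow log was created with.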
Amazon AWS Certified SysOps Administrator – Associate certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Amazon AWS Certified SysOps Administrator – Associate exam and earn Amazon AWS Certified SysOps Administrator – Associate certification.