This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::EC2::FlowLog Specifies a VPC flow log that captures IP traffic for a specified network interface, subnet, or VPC. To view the log data, use Amazon CloudWatch Logs (CloudWatch Logs) to help troubleshoot connection issues. For example, you can use a flow log to investigate why certain traffic isn't reaching an instance, which can help you diagnose overly restrictive security group rules. For more information, see [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the *Amazon VPC User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::EC2::FlowLog", "Properties" : { "[DeliverCrossAccountRole](#cfn-ec2-flowlog-delivercrossaccountrole)" : String, "[DeliverLogsPermissionArn](#cfn-ec2-flowlog-deliverlogspermissionarn)" : String, "[DestinationOptions](#cfn-ec2-flowlog-destinationoptions)" : DestinationOptions, "[LogDestination](#cfn-ec2-flowlog-logdestination)" : String, "[LogDestinationType](#cfn-ec2-flowlog-logdestinationtype)" : String, "[LogFormat](#cfn-ec2-flowlog-logformat)" : String, "[LogGroupName](#cfn-ec2-flowlog-loggroupname)" : String, "[MaxAggregationInterval](#cfn-ec2-flowlog-maxaggregationinterval)" : Integer, "[ResourceId](#cfn-ec2-flowlog-resourceid)" : String, "[ResourceType](#cfn-ec2-flowlog-resourcetype)" : String, "[Tags](#cfn-ec2-flowlog-tags)" : [ Tag, ... ], "[TrafficType](#cfn-ec2-flowlog-traffictype)" : String } } ``` ### YAML ``` Type: AWS::EC2::FlowLog Properties: [DeliverCrossAccountRole](#cfn-ec2-flowlog-delivercrossaccountrole): String [DeliverLogsPermissionArn](#cfn-ec2-flowlog-deliverlogspermissionarn): String [DestinationOptions](#cfn-ec2-flowlog-destinationoptions): DestinationOptions [LogDestination](#cfn-ec2-flowlog-logdestination): String [LogDestinationType](#cfn-ec2-flowlog-logdestinationtype): String [LogFormat](#cfn-ec2-flowlog-logformat): String [LogGroupName](#cfn-ec2-flowlog-loggroupname): String [MaxAggregationInterval](#cfn-ec2-flowlog-maxaggregationinterval): Integer [ResourceId](#cfn-ec2-flowlog-resourceid): String [ResourceType](#cfn-ec2-flowlog-resourcetype): String [Tags](#cfn-ec2-flowlog-tags): - Tag [TrafficType](#cfn-ec2-flowlog-traffictype): String ``` ## Properties `DeliverCrossAccountRole` The ARN of the IAM role that allows the service to publish flow logs across accounts. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `DeliverLogsPermissionArn` The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination. This parameter is required if the destination type is `cloud-watch-logs`, or if the destination type is `kinesis-data-firehose` and the delivery stream and the resources to monitor are in different accounts. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `DestinationOptions` The destination options. *Required*: No *Type*: [DestinationOptions](aws-properties-ec2-flowlog-destinationoptions.md) *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `LogDestination` The destination for the flow log data. The meaning of this parameter depends on the destination type. + If the destination type is `cloud-watch-logs`, specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs:*region*:*account\$1id*:log-group:*my\$1group* Alternatively, use the `LogGroupName` parameter. + If the destination type is `s3`, specify the ARN of an S3 bucket. For example: arn:aws:s3:::*my\$1bucket*/*my\$1subfolder*/ The subfolder is optional. Note that you can't use `AWSLogs` as a subfolder name. + If the destination type is `kinesis-data-firehose`, specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose:*region*:*account\$1id*:deliverystream:*my\$1stream* *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `LogDestinationType` The type of destination for the flow log data. Default: `cloud-watch-logs` *Required*: No *Type*: String *Allowed values*: `cloud-watch-logs | s3 | kinesis-data-firehose` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `LogFormat` The fields to include in the flow log record, in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see [Flow log records](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records) in the *Amazon VPC User Guide* or [Transit Gateway Flow Log records](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records) in the *AWS Transit Gateway Guide*. Specify the fields using the `${field-id}` format, separated by spaces. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `LogGroupName` The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. This parameter is valid only if the destination type is `cloud-watch-logs`. *Required*: No *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `MaxAggregationInterval` The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. The possible values are 60 seconds (1 minute) or 600 seconds (10 minutes). This parameter must be 60 seconds for transit gateway resource types. When a network interface is attached to a [Nitro-based instance](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html), the aggregation interval is always 60 seconds or less, regardless of the value that you specify. Default: 600 *Required*: No *Type*: Integer *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `ResourceId` The ID of the resource to monitor. For example, if the resource type is `VPC`, specify the ID of the VPC. *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `ResourceType` The type of resource to monitor. *Required*: Yes *Type*: String *Allowed values*: `NetworkInterface | Subnet | VPC | TransitGateway | TransitGatewayAttachment | RegionalNatGateway` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Tags` The tags to apply to the flow logs. *Required*: No *Type*: Array of [Tag](aws-properties-ec2-flowlog-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TrafficType` The type of traffic to monitor (accepted traffic, rejected traffic, or all traffic). This parameter is not supported for transit gateway resource types. It is required for the other resource types. *Required*: No *Type*: String *Allowed values*: `ACCEPT | ALL | REJECT` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the flow log ID, such as `fl-123456abc123abc1`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Id` The ID of the flow log. For example, `fl-123456abc123abc1`. ## Examples **Topics** + [Publish a flow log to CloudWatch Logs to monitor all traffic](#aws-resource-ec2-flowlog--examples--Publish_a_flow_log_to_CloudWatch_Logs_to_monitor_all_traffic) + [Publish a custom format flow log to CloudWatch Logs for REJECT traffic](#aws-resource-ec2-flowlog--examples--Publish_a_custom_format_flow_log_to_CloudWatch_Logs_for_REJECT_traffic) + [Publish a custom format flow log to Amazon S3 for ACCEPT traffic](#aws-resource-ec2-flowlog--examples--Publish_a_custom_format_flow_log_to_Amazon_S3_for_ACCEPT_traffic) ### Publish a flow log to CloudWatch Logs to monitor all traffic The following example creates a flow log for the specified VPC, and captures all traffic types. Amazon EC2 publishes the logs to the `FlowLogsGroup` log group. #### JSON ``` { "MyFlowLog": { "Type": "AWS::EC2::FlowLog", "Properties": { "DeliverLogsPermissionArn": { "Fn::GetAtt": [ "FlowLogRole", "Arn" ] }, "LogGroupName": "FlowLogsGroup", "ResourceId": { "Ref": "MyVPC" }, "ResourceType": "VPC", "TrafficType": "ALL" } } } ``` #### YAML ``` MyFlowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn LogGroupName: FlowLogsGroup ResourceId: !Ref MyVPC ResourceType: VPC TrafficType: ALL ``` ### Publish a custom format flow log to CloudWatch Logs for REJECT traffic The following example creates a flow log for the specified subnet and captures REJECT traffic. The flow log uses a custom log format (the `LogFormat` property uses the `${field-id}` format, separated by spaces). Amazon EC2 aggregates the logs over 60 second intervals, and publishes the logs to the `FlowLogsGroup` log group. The flow log is created with two tags. #### JSON ``` { "MyDetailedFlowLogDeliveringToCloudWatchLogs": { "Type": "AWS::EC2::FlowLog", "Properties": { "ResourceId": { "Ref": "MySubnet" }, "ResourceType": "Subnet", "TrafficType": "REJECT", "LogGroupName": "FlowLogsGroup", "DeliverLogsPermissionArn": { "Fn::GetAtt": [ "FlowLogRole", "Arn" ] }, "LogFormat": "${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}", "MaxAggregationInterval": 60, "Tags": [ { "Key": "Name", "Value": "FlowLogForSubnetA" }, { "Key": "Purpose", "Value": "RejectTraffic" } ] } } } ``` #### YAML ``` MyDetailedFlowLogDeliveringToCloudWatchLogs: Type: AWS::EC2::FlowLog Properties: ResourceId: !Ref MySubnet ResourceType: Subnet TrafficType: REJECT LogGroupName: FlowLogsGroup DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn LogFormat: ${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr} MaxAggregationInterval: 60 Tags: - Key: Name Value: FlowLogForSubnetA - Key: Purpose Value: RejectTraffic ``` ### Publish a custom format flow log to Amazon S3 for ACCEPT traffic The following example creates a flow log for the specified subnet and captures ACCEPT traffic. The flow log uses a custom log format (the `LogFormat` property uses the `${field-id}` format, separated by spaces). Amazon EC2 aggregates the logs over 60 second intervals, and publishes the logs to an Amazon S3 bucket that's referenced by its ARN, `MyS3Bucket.Arn`. The logs are published in parquet format in Hive-compatible prefixes partitioned on an hourly basis. The flow log is created with two tags. #### JSON ``` { "MyFlowLogDeliveringToS3": { "Type": "AWS::EC2::FlowLog", "Properties": { "ResourceId": { "Ref": "MySubnet" }, "ResourceType": "Subnet", "TrafficType": "ACCEPT", "LogDestination": { "Fn::GetAtt": [ "MyS3Bucket", "Arn" ] }, "LogDestinationType": "s3", "LogFormat": "${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}", "MaxAggregationInterval": 60, "DestinationOptions": { "FileFormat": "parquet", "HiveCompatiblePartitions": true, "PerHourPartition": true }, "Tags": [ { "Key": "Name", "Value": "FlowLogForSubnetB" }, { "Key": "Purpose", "Value": "AcceptTraffic" } ] } } } ``` #### YAML ``` MyFlowLogDeliveringToS3: Type: AWS::EC2::FlowLog Properties: ResourceId: !Ref MySubnet ResourceType: Subnet TrafficType: ACCEPT LogDestination: !GetAtt MyS3Bucket.Arn LogDestinationType: s3 LogFormat: ${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr} MaxAggregationInterval: 60 DestinationOptions: FileFormat: parquet HiveCompatiblePartitions: true PerHourPartition: true Tags: - Key: Name Value: FlowLogForSubnetB - Key: Purpose Value: AcceptTraffic ``` # AWS::EC2::FlowLog DestinationOptions Describes the destination options for a flow log. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[FileFormat](#cfn-ec2-flowlog-destinationoptions-fileformat)" : String, "[HiveCompatiblePartitions](#cfn-ec2-flowlog-destinationoptions-hivecompatiblepartitions)" : Boolean, "[PerHourPartition](#cfn-ec2-flowlog-destinationoptions-perhourpartition)" : Boolean } ``` ### YAML ``` [FileFormat](#cfn-ec2-flowlog-destinationoptions-fileformat): String [HiveCompatiblePartitions](#cfn-ec2-flowlog-destinationoptions-hivecompatiblepartitions): Boolean [PerHourPartition](#cfn-ec2-flowlog-destinationoptions-perhourpartition): Boolean ``` ## Properties `FileFormat` The format for the flow log. The default is `plain-text`. *Required*: Yes *Type*: String *Allowed values*: `plain-text | parquet` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `HiveCompatiblePartitions` Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is `false`. *Required*: Yes *Type*: Boolean *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PerHourPartition` Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is `false`. *Required*: Yes *Type*: Boolean *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) # AWS::EC2::FlowLog Tag Specifies a tag. For more information, see [Resource tags](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ec2-flowlog-tag-key)" : String, "[Value](#cfn-ec2-flowlog-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-ec2-flowlog-tag-key): String [Value](#cfn-ec2-flowlog-tag-value): String ``` ## Properties `Key` The tag key. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The tag value. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### This example specifies two tags for the VPC flow log. #### JSON ``` "Tags" : [ { "Key" : "key1", "Value" : "value1" }, { "Key" : "key2", "Value" : "value2" } ] ``` #### YAML ``` Tags: - Key: "key1" Value: "value1" - Key: "key2" Value: "value2" ```