Table: aws_vpc_flow_log - Query AWS VPC Flow Logs using SQL
The AWS VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your Virtual Private Cloud (VPC). This service helps you to monitor and troubleshoot connectivity issues, and it also allows you to track how your network is being used. By using VPC Flow Logs, you can achieve operational and security insights to meet compliance and auditing requirements.
Table Usage Guide
The aws_vpc_flow_log
table in Steampipe provides you with information about AWS VPC Flow Logs within Amazon Virtual Private Cloud (VPC). This table lets you, as a network administrator or security analyst, query flow log-specific details, including source and destination IP addresses, traffic volume, and associated metadata. You can utilize this table to gather insights on network traffic, such as identifying patterns of data transfer, monitoring network performance, diagnosing overly restrictive security group rules, and more. The schema outlines the various attributes of the VPC Flow Log for you, including the log status, creation time, log destination, and associated tags.
Examples
List flow logs with their corresponding VPC Ids, subnet Ids, or network interface Ids
Explore which flow logs are associated with specific Virtual Private Clouds, subnets, or network interfaces. This can assist in identifying potential network issues or analyzing traffic patterns within your AWS environment.
select flow_log_id, resource_idfrom aws_vpc_flow_log;
select flow_log_id, resource_idfrom aws_vpc_flow_log;
List of flow logs whose logs delivery has failed
Identify instances where the delivery of flow logs has failed in AWS Virtual Private Cloud (VPC). This can aid in diagnosing and rectifying issues related to log delivery, thereby ensuring seamless logging and monitoring.
select flow_log_id, resource_id, deliver_logs_error_message, deliver_logs_statusfrom aws_vpc_flow_logwhere deliver_logs_status = 'FAILED';
select flow_log_id, resource_id, deliver_logs_error_message, deliver_logs_statusfrom aws_vpc_flow_logwhere deliver_logs_status = 'FAILED';
Log group or destination bucket information to which the flow log is published
Identify the destination type and location where your Virtual Private Cloud (VPC) flow logs are being published. This is useful for managing and auditing your AWS network traffic logs.
select flow_log_id, log_destination_type, log_destination, log_group_name, bucket_namefrom aws_vpc_flow_log;
select flow_log_id, log_destination_type, log_destination, log_group_name, bucket_namefrom aws_vpc_flow_log;
Type of traffic captured by each flow log
Explore the types of network traffic monitored by each flow log to gain insights into your network's communication patterns and improve your security posture. This can be particularly useful in identifying potential security threats or troubleshooting network issues.
select flow_log_id, traffic_typefrom aws_vpc_flow_log;
select flow_log_id, traffic_typefrom aws_vpc_flow_log;
Schema for aws_vpc_flow_log
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
bucket_name | text | The name of the destination bucket to which the flow log data is published. | |
creation_time | timestamp with time zone | The date and time the flow log was created. | |
deliver_logs_error_message | text | Information about the error that occurred. | |
deliver_logs_permission_arn | text | The ARN of the IAM role that posts logs to CloudWatch Logs. | |
deliver_logs_status | text | = | The status of the logs delivery (SUCCESS | FAILED). |
flow_log_id | text | = | The ID of the flow log. |
flow_log_status | text | The status of the flow log (ACTIVE). | |
log_destination | text | Specifies the destination to which the flow log data is published. | |
log_destination_type | text | = | Specifies the type of destination to which the flow log data is published. |
log_format | text | The format of the flow log record. | |
log_group_name | text | = | The name of the flow log group. |
max_aggregation_interval | bigint | The maximum interval of time, in seconds, during which a flow of packets is captured and aggregated into a flow log record. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
region | text | The AWS Region in which the resource is located. | |
resource_id | text | = | The ID of the VPC, subnet, or network interface. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
tags | jsonb | A map of tags for the resource. | |
tags_src | jsonb | A list of tags assigned to the VPC flowlog. | |
title | text | Title of the resource. | |
traffic_type | text | = | The type of traffic. Valid values are: 'ACCEPT', 'REJECT', 'ALL'. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_vpc_flow_log