Amazon_VPC_3

Ensure VPC flow logging is enabled in all VPCs

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

Remediation

1. Sign in to the AWS Management Console.

2. Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

3. In the left navigation panel, select Your VPCs.

4. Select the VPC that you need to check.

5. Select the Flow Logs tab from the bottom panel and click Create Flow Log.

6. In the Create Flow Log dialog box, enter the following details:

Filter: select the filter that describes the type of traffic to be logged – accepted, rejected, or all.

Role: enter the name of the IAM role that grants permission to publish to the CloudWatch Logs log group.

Destination Log Group: enter a name for the new CloudWatch Logs log group, where the flow logs will be published.

7. Review the flow log configuration and click Create Flow Log.

The log group will be available approximately 10 minutes after you create the flow log. To access it, click the log group name listed under the CloudWatch Logs Group column, or open the CloudWatch Logs dashboard at https://console.aws.amazon.com/cloudwatch/home#logs:
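An added example, not part of this page or of any AWS tooling: a check that lists every VPC without an ACTIVE, VPC-level flow log capturing rejected traffic, run here on constructed describe_vpcs / describe_flow_logs output (audit_account assumes boto3 and credentials are available; it is not exercised offline).

```python
"""Find VPCs that do not satisfy "flow logs enabled for packet Rejects"."""

# TrafficType values that satisfy the recommendation to log rejected packets.
REJECT_COVERING = {"REJECT", "ALL"}


def find_uncovered_vpcs(vpcs, flow_logs):
    """Return sorted (vpc_id, reason) pairs for every VPC that is not covered.

    vpcs:      dicts shaped like ec2.describe_vpcs()["Vpcs"]
    flow_logs: dicts shaped like ec2.describe_flow_logs()["FlowLogs"]
    A VPC counts as covered only when an ACTIVE flow log is attached to the
    VPC itself (ResourceId == VpcId); subnet- or ENI-level logs do not count,
    because they leave other interfaces in the VPC unlogged.
    """
    by_vpc = {}
    for fl in flow_logs:
        by_vpc.setdefault(fl.get("ResourceId"), []).append(fl)

    findings = []
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        logs = by_vpc.get(vpc_id, [])
        if not logs:
            findings.append((vpc_id, "no flow log"))
            continue
        active = [fl for fl in logs if fl.get("FlowLogStatus") == "ACTIVE"]
        if not active:
            findings.append((vpc_id, "flow log exists but is not ACTIVE"))
            continue
        if not any(fl.get("TrafficType") in REJECT_COVERING for fl in active):
            findings.append((vpc_id, "active flow log does not capture REJECT traffic"))
    return sorted(findings)


def audit_account(region_name="us-east-1"):
    """Run the same check against a live account (assumes boto3 is installed)."""
    import boto3  # imported here so the offline check above needs no extra dependency
    ec2 = boto3.client("ec2", region_name=region_name)
    vpcs = [v for p in ec2.get_paginator("describe_vpcs").paginate() for v in p["Vpcs"]]
    logs = [f for p in ec2.get_paginator("describe_flow_logs").paginate() for f in p["FlowLogs"]]
    return find_uncovered_vpcs(vpcs, logs)


# Constructed sample API output; these VPC ids do not belong to any real account.
SAMPLE_VPCS = [{"VpcId": "vpc-0a"}, {"VpcId": "vpc-0b"}, {"VpcId": "vpc-0c"}, {"VpcId": "vpc-0d"}]
SAMPLE_FLOW_LOGS = [
    {"ResourceId": "vpc-0a", "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT"},   # compliant
    {"ResourceId": "vpc-0b", "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT"},   # misses rejects
    {"ResourceId": "vpc-0c", "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},    # not delivering
]                                                                                    # vpc-0d: no log

if __name__ == "__main__":
    for vpc_id, reason in find_uncovered_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"{vpc_id}: {reason}")
```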

Service

VPC

Severity

High

Compliance

Mapping
