AWS_NF_3

Ensure Network firewall flow logging is enabled

Description

Network Firewall FLOW logs provide detailed information about the network traffic that passed through the stateful engine of your firewall. To investigate security incidents after the fact, you must enable flow logging on the firewall; alert logs alone only record traffic that matched a rule with an alert action.

Remediation

From Portal:
1. Sign in to the AWS Management Console and open the Amazon VPC console.
2. In the navigation panel, under Network Firewall, choose Firewalls.
3. On the Firewalls page, choose the name of the firewall that you want to edit.
4. Choose the tab Firewall details, then in the Logging section, choose Edit.
5. Adjust the Log type selections as needed. You can configure logging for alert and flow logs. (Flow: sends logs for all network traffic that the stateless engine forwards to the stateful rules engine.)
6. For each selected log type, choose the destination type, then provide the information for the logging destination that you prepared following the guidance in Firewall logging destinations. In order to change the destination for an existing Log type, you must first turn off logging for the policy. Then, edit the policy and specify the new destination(s) for the Log type.
7. Choose Save to save your changes and return to the firewall’s detail page.

From TF:
resource "aws_networkfirewall_logging_configuration" "example" {
  # ARN of the firewall to attach logging to (required by the resource)
  firewall_arn = aws_networkfirewall_firewall.example.arn

  logging_configuration {
    log_destination_config {
      # Placeholder bucket name; replace with your logging destination
      log_destination = {
        bucketName = "example-network-firewall-logs"
        prefix     = "flow"
      }
      log_destination_type = "S3"
      log_type             = "FLOW" # was "ALERT"; FLOW records traffic sent to the stateful engine
    }
  }
}

From Command Line:
To enable Network Firewall flow logging, use the following CLI command. Replace FW_ARN with the firewall ARN and the bucket name with your own destination (the bucket below is a placeholder). If ALERT logging is already configured, keep its entry in the LogDestinationConfigs list and add the FLOW entry alongside it; the API accepts only one added, removed or changed destination per call.
aws network-firewall update-logging-configuration \
  --firewall-arn FW_ARN \
  --logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=S3,LogDestination={bucketName=example-network-firewall-logs,prefix=flow}}]'
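The check this page describes can be run as an audit over the output of describe-logging-configuration. The Python below is an added example, not code from the original page or from AWS: it evaluates responses in the shape the Network Firewall DescribeLoggingConfiguration API returns, using constructed sample responses embedded inline so it runs offline. The fetch_logging_configuration() helper shows the live boto3 call and is an assumption that needs boto3 and AWS credentials; the ARNs, bucket and log group names are constructed placeholders.

```python
"""Audit check for AWS Network Firewall FLOW logging.

Added example (not the page's or AWS's own code). It evaluates responses in
the shape returned by `aws network-firewall describe-logging-configuration`
(boto3: describe_logging_configuration). The sample responses below are
constructed so the check runs offline.
"""
from typing import Any, Dict, List

REQUIRED_LOG_TYPE = "FLOW"


def evaluate_logging_configuration(response: Dict[str, Any]) -> Dict[str, Any]:
    """Return a finding for one firewall.

    PASS requires at least one LogDestinationConfig with LogType == "FLOW".
    A missing LoggingConfiguration, an empty LogDestinationConfigs list, or
    only ALERT destinations all FAIL: none of them records the traffic that
    reached the stateful engine.
    """
    logging_cfg = response.get("LoggingConfiguration") or {}
    dest_configs = logging_cfg.get("LogDestinationConfigs") or []
    flow_dests = [d for d in dest_configs if d.get("LogType") == REQUIRED_LOG_TYPE]
    return {
        "firewall_arn": response.get("FirewallArn", "<unknown>"),
        "status": "PASS" if flow_dests else "FAIL",
        "log_types": sorted({d["LogType"] for d in dest_configs if "LogType" in d}),
        "flow_destination_types": sorted(d.get("LogDestinationType", "") for d in flow_dests),
    }


def evaluate_all(responses: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate many firewalls; order is preserved so results line up with input."""
    return [evaluate_logging_configuration(r) for r in responses]


def failing_firewalls(responses: List[Dict[str, Any]]) -> List[str]:
    """ARNs of firewalls that do not send FLOW logs anywhere."""
    return [f["firewall_arn"] for f in evaluate_all(responses) if f["status"] == "FAIL"]


def fetch_logging_configuration(firewall_arn: str, client=None) -> Dict[str, Any]:
    """Live variant (assumed usage): needs boto3 and AWS credentials in the environment."""
    import boto3  # imported lazily so the offline check does not require it
    client = client or boto3.client("network-firewall")
    return client.describe_logging_configuration(FirewallArn=firewall_arn)


# Constructed sample responses (not real resources); ARNs follow the documented format.
SAMPLE_RESPONSES = [
    {   # both ALERT and FLOW to S3: passes
        "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/fw-flow-and-alert",
        "LoggingConfiguration": {"LogDestinationConfigs": [
            {"LogType": "ALERT", "LogDestinationType": "S3",
             "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "alert"}},
            {"LogType": "FLOW", "LogDestinationType": "S3",
             "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "flow"}},
        ]},
    },
    {   # ALERT only: fails, traffic that passed the stateful engine is not recorded
        "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/fw-alert-only",
        "LoggingConfiguration": {"LogDestinationConfigs": [
            {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
             "LogDestination": {"logGroup": "/aws/network-firewall/alerts"}},
        ]},
    },
    {   # logging never configured: no LoggingConfiguration key at all
        "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/fw-no-logging",
    },
]

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_RESPONSES):
        print(f"{finding['status']}  {finding['firewall_arn']}  log_types={finding['log_types']}")
```

Treating a missing LoggingConfiguration key as a failure matters in practice: a firewall that has never had logging configured does not return an empty list, it returns no configuration at all, and a check that only inspects the list would skip it.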

Service

AWS Network Firewall

Severity

Low

Compliance

Mapping
