AWS VPC Flow Logs Analysis
February 13, 2026 | AWS, VPC, Security
Enable flow logs and query with Athena.
VPC Flow Logs: Traffic Analysis and Security
VPC Flow Logs capture metadata about IP traffic flowing through your VPC's network interfaces. They're essential for security investigations, compliance auditing, network troubleshooting, and detecting unauthorized access attempts.
Enabling Flow Logs
```bash
# VPC-level flow logs to S3
# --max-aggregation-interval: 60 = 1-minute window, 600 = 10-minute window
# (see "Storage and Cost Management" below for the volume trade-off).
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-xxx \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::my-flow-logs-bucket \
  --max-aggregation-interval 60 \
  --log-format '${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}'
```

Log Format Fields
| Field | Description | Use Case |
|---|---|---|
| srcaddr/dstaddr | Source/destination IP | Identify traffic sources |
| srcport/dstport | Source/destination port | Identify services and protocols |
| action | ACCEPT or REJECT | Security analysis |
| bytes/packets | Transfer volume | Cost analysis, anomaly detection |
| interface-id | ENI identifier | Trace to specific resource |
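As an added example (not code from the original post), the following Python parses records written with the custom --log-format above and runs two of the checks from the Athena section offline: REJECT counts per source address and destination port, and ACCEPTed flows to ports outside the same allowlist the "Unusual Port Activity" query uses. The sample lines, interface ID and addresses are constructed; the field order is the one from the command above.

```python
# Added example, not from the original post: parse records written with the custom
# --log-format above and run two checks from the Athena section offline.
from collections import Counter

# Field order must match the --log-format string exactly.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
EXPECTED_PORTS = {80, 443, 22, 5432, 6379}  # allowlist from the unusual-port query

def parse_line(line):
    """One record as a dict, or None for the S3 header line / a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] == "version":
        return None
    rec = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":               # no value (NODATA/SKIPDATA records)
            rec[name] = None
        elif name in INT_FIELDS:
            if not raw.isdigit():
                return None
            rec[name] = int(raw)
        else:
            rec[name] = raw
    return rec

def records(lines):
    """Only records that carry traffic data (log-status OK)."""
    return (r for r in map(parse_line, lines) if r is not None and r["log_status"] == "OK")

def reject_counts(lines):
    """REJECT count per (srcaddr, dstport), like the rejected-traffic query."""
    return Counter((r["srcaddr"], r["dstport"]) for r in records(lines) if r["action"] == "REJECT")

def unusual_accepts(lines):
    """ACCEPTed flows to ports outside the allowlist, like the unusual-port query."""
    return sorted({(r["dstport"], r["srcaddr"], r["dstaddr"]) for r in records(lines)
                   if r["action"] == "ACCEPT" and r["dstport"] not in EXPECTED_PORTS})

# Constructed sample (not real data): S3 header line, five flows and one NODATA record.
SAMPLE = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 51234 22 6 3 180 1770940800 1770940860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 51235 22 6 2 120 1770940800 1770940860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 44000 5432 6 20 4100 1770940800 1770940860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 40001 3389 6 1 60 1770940800 1770940860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.3.30 40002 8443 6 5 900 1770940800 1770940860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1770940800 1770940860 - NODATA
""".splitlines()
```

Running `reject_counts(SAMPLE).most_common()` lists the two probing sources first, and `unusual_accepts(SAMPLE)` flags only the 8443 flow because 5432 is on the allowlist and the NODATA record carries no traffic.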
Querying with Amazon Athena
Create an Athena table for flow log analysis:
```sql
-- Column order must match the field order in the --log-format string above.
-- Each S3 log file starts with a header line; skip.header.line.count keeps it
-- from being read as a record. Partitions under this path layout are not
-- discovered automatically: register each day (for example with
-- ALTER TABLE ... ADD PARTITION) before filtering on dt.
CREATE EXTERNAL TABLE vpc_flow_logs (
  version int, account_id string, interface_id string,
  srcaddr string, dstaddr string, srcport int, dstport int,
  protocol int, packets bigint, bytes bigint,
  start_time bigint, end_time bigint, action string, log_status string
)
PARTITIONED BY (dt string)
ROW FORMAT DELIMITED FIELDS TERMINATED BY ' '
LOCATION 's3://my-flow-logs-bucket/AWSLogs/123456789012/vpcflowlogs/'
TBLPROPERTIES ("skip.header.line.count"="1");
```

Common Queries
Top Talkers (by bytes)
```sql
SELECT srcaddr, dstaddr, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE dt = '2026/02/13'
GROUP BY srcaddr, dstaddr
ORDER BY total_bytes DESC
LIMIT 20;
```

Rejected Traffic (Security Investigation)
```sql
SELECT srcaddr, dstport, COUNT(*) AS reject_count
FROM vpc_flow_logs
WHERE action = 'REJECT' AND dt = '2026/02/13'
GROUP BY srcaddr, dstport
ORDER BY reject_count DESC
LIMIT 50;
```

Unusual Port Activity
```sql
SELECT DISTINCT dstport, srcaddr, dstaddr
FROM vpc_flow_logs
WHERE dstport NOT IN (80, 443, 22, 5432, 6379)
  AND action = 'ACCEPT'
  AND dt = '2026/02/13'
ORDER BY dstport;
```

Cost Optimization with Flow Logs
Flow logs can reveal expensive network patterns:
- Cross-AZ traffic — Identify services communicating across AZs ($0.01/GB each way)
- NAT Gateway usage — Find which instances send the most traffic through NAT
- Unused Security Group rules — Rules that never match any traffic can be removed
Storage and Cost Management
- Use S3 over CloudWatch Logs — 60-80% cheaper for storage
- Set S3 lifecycle policies — Move to Glacier after 90 days, delete after 1 year
- Aggregate at VPC level — Don't enable per-ENI unless needed for specific investigation
- Use 10-minute aggregation — Reduces log volume 10x compared to 1-minute interval
Eazy SaaS Tip: We set up VPC Flow Logs with Athena for every client as part of our security baseline. The combination of automated Athena queries and CloudWatch alerts on rejected traffic provides real-time security monitoring at a fraction of the cost of commercial SIEM solutions.