We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

aws-native.ec2.FlowLog

Specifies a VPC flow log, which enables you to capture IP traffic for a specific network interface, subnet, or VPC.

Create FlowLog Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

TypeScript:
new FlowLog(name: string, args: FlowLogArgs, opts?: CustomResourceOptions);

Python:
@overload
def FlowLog(resource_name: str,
            args: FlowLogArgs,
            opts: Optional[ResourceOptions] = None)

@overload
def FlowLog(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            resource_id: Optional[str] = None,
            resource_type: Optional[FlowLogResourceType] = None,
            deliver_cross_account_role: Optional[str] = None,
            deliver_logs_permission_arn: Optional[str] = None,
            destination_options: Optional[DestinationOptionsPropertiesArgs] = None,
            log_destination: Optional[str] = None,
            log_destination_type: Optional[FlowLogLogDestinationType] = None,
            log_format: Optional[str] = None,
            log_group_name: Optional[str] = None,
            max_aggregation_interval: Optional[int] = None,
            tags: Optional[Sequence[_root_inputs.TagArgs]] = None,
            traffic_type: Optional[FlowLogTrafficType] = None)

Go:
func NewFlowLog(ctx *Context, name string, args FlowLogArgs, opts ...ResourceOption) (*FlowLog, error)

C#:
public FlowLog(string name, FlowLogArgs args, CustomResourceOptions? opts = null)

Java:
public FlowLog(String name, FlowLogArgs args)
public FlowLog(String name, FlowLogArgs args, CustomResourceOptions options)

YAML:
type: aws-native:ec2:FlowLog
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

TypeScript:
name This property is required. string
The unique name of the resource.
args This property is required. FlowLogArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Python:
resource_name This property is required. str
The unique name of the resource.
args This property is required. FlowLogArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.

Go:
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. FlowLogArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.

C#:
name This property is required. string
The unique name of the resource.
args This property is required. FlowLogArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Java:
name This property is required. String
The unique name of the resource.
args This property is required. FlowLogArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

FlowLog Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The FlowLog resource accepts the following input properties:

C#:
ResourceId This property is required. string
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
ResourceType This property is required. Pulumi.AwsNative.Ec2.FlowLogResourceType
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
DeliverCrossAccountRole string
The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
DeliverLogsPermissionArn string
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
DestinationOptions Pulumi.AwsNative.Ec2.Inputs.DestinationOptionsProperties
The destination options.
LogDestination string
Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
LogDestinationType Pulumi.AwsNative.Ec2.FlowLogLogDestinationType
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
LogFormat string
The fields to include in the flow log record, in the order in which they should appear.
LogGroupName string
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
MaxAggregationInterval int
The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
Tags List<Pulumi.AwsNative.Inputs.Tag>
The tags to apply to the flow logs.
TrafficType Pulumi.AwsNative.Ec2.FlowLogTrafficType
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

Go:
ResourceId This property is required. string
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
ResourceType This property is required. FlowLogResourceType
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
DeliverCrossAccountRole string
The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
DeliverLogsPermissionArn string
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
DestinationOptions DestinationOptionsPropertiesArgs
The destination options.
LogDestination string
Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
LogDestinationType FlowLogLogDestinationType
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
LogFormat string
The fields to include in the flow log record, in the order in which they should appear.
LogGroupName string
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
MaxAggregationInterval int
The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
Tags TagArgs
The tags to apply to the flow logs.
TrafficType FlowLogTrafficType
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

Java:
resourceId This property is required. String
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
resourceType This property is required. FlowLogResourceType
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
deliverCrossAccountRole String
The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
deliverLogsPermissionArn String
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
destinationOptions DestinationOptionsProperties
The destination options.
logDestination String
Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
logDestinationType FlowLogLogDestinationType
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
logFormat String
The fields to include in the flow log record, in the order in which they should appear.
logGroupName String
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
maxAggregationInterval Integer
The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
tags List<Tag>
The tags to apply to the flow logs.
trafficType FlowLogTrafficType
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

TypeScript:
resourceId This property is required. string
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
resourceType This property is required. FlowLogResourceType
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
deliverCrossAccountRole string
The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
deliverLogsPermissionArn string
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
destinationOptions DestinationOptionsProperties
The destination options.
logDestination string
Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
logDestinationType FlowLogLogDestinationType
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
logFormat string
The fields to include in the flow log record, in the order in which they should appear.
logGroupName string
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
maxAggregationInterval number
The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
tags Tag[]
The tags to apply to the flow logs.
trafficType FlowLogTrafficType
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

Python:
resource_id This property is required. str
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
resource_type This property is required. FlowLogResourceType
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
deliver_cross_account_role str
The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
deliver_logs_permission_arn str
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
destination_options DestinationOptionsPropertiesArgs
The destination options.
log_destination str
Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
log_destination_type FlowLogLogDestinationType
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
log_format str
The fields to include in the flow log record, in the order in which they should appear.
log_group_name str
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
max_aggregation_interval int
The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
tags Sequence[TagArgs]
The tags to apply to the flow logs.
traffic_type FlowLogTrafficType
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

YAML:
resourceId This property is required. String
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
resourceType This property is required. "NetworkInterface" | "Subnet" | "VPC" | "TransitGateway" | "TransitGatewayAttachment"
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
deliverCrossAccountRole String
The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
deliverLogsPermissionArn String
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
destinationOptions Property Map
The destination options.
logDestination String
Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
logDestinationType "cloud-watch-logs" | "s3" | "kinesis-data-firehose"
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
logFormat String
The fields to include in the flow log record, in the order in which they should appear.
logGroupName String
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
maxAggregationInterval Number
The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
tags List<Property Map>
The tags to apply to the flow logs.
trafficType "ACCEPT" | "ALL" | "REJECT"
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
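
The input descriptions above state several constraints: the allowed enum values, the 60 or 600 second aggregation interval, and the rule that DeliverLogsPermissionArn and LogGroupName must not accompany an s3 or kinesis-data-firehose destination. The following is an added example, not code from Pulumi or the provider, that checks a property map against those constraints before deployment; the function name lint_flow_log and the sample dictionaries are hypothetical, and the property names follow the camelCase (YAML/TypeScript) listing on this page.

```python
# Added example (not provider code): lint FlowLog properties before deploying.
RESOURCE_TYPES = {"NetworkInterface", "Subnet", "VPC",
                  "TransitGateway", "TransitGatewayAttachment"}
DESTINATION_TYPES = {"cloud-watch-logs", "s3", "kinesis-data-firehose"}
TRAFFIC_TYPES = {"ACCEPT", "ALL", "REJECT"}
FILE_FORMATS = {"plain-text", "parquet"}
AGGREGATION_INTERVALS = {60, 600}  # seconds
CLOUDWATCH_ONLY = ("deliverLogsPermissionArn", "logGroupName")
DESTINATION_OPTION_KEYS = ("fileFormat", "hiveCompatiblePartitions",
                           "perHourPartition")


def lint_flow_log(props):
    """Return a list of violations; an empty list means the properties pass."""
    problems = []

    def check_enum(source, key, allowed, prefix=""):
        value = source.get(key)
        if value not in (None, "") and value not in allowed:
            problems.append(
                f"{prefix}{key}={value!r} is not one of {sorted(allowed)}")

    for key in ("resourceId", "resourceType"):
        if props.get(key) in (None, ""):
            problems.append(f"{key} is required")
    check_enum(props, "resourceType", RESOURCE_TYPES)
    check_enum(props, "logDestinationType", DESTINATION_TYPES)
    check_enum(props, "trafficType", TRAFFIC_TYPES)
    check_enum(props, "maxAggregationInterval", AGGREGATION_INTERVALS)

    # An s3 or kinesis-data-firehose destination must not carry the
    # CloudWatch Logs role ARN or log group name.
    dest_type = props.get("logDestinationType")
    if dest_type in ("s3", "kinesis-data-firehose"):
        for key in CLOUDWATCH_ONLY:
            if props.get(key):
                problems.append(
                    f"{key} must not be set when logDestinationType is {dest_type}")

    # Every destinationOptions field is marked required on this page.
    options = props.get("destinationOptions")
    if options is not None:
        for key in DESTINATION_OPTION_KEYS:
            if key not in options:
                problems.append(f"destinationOptions.{key} is required")
        check_enum(options, "fileFormat", FILE_FORMATS, "destinationOptions.")
    return problems


# Constructed sample inputs: IDs, ARNs and names are placeholders.
GOOD_S3 = {
    "resourceId": "vpc-0123456789abcdef0", "resourceType": "VPC",
    "logDestinationType": "s3",
    "logDestination": "arn:aws:s3:::example-flow-log-bucket",
    "trafficType": "ALL", "maxAggregationInterval": 60,
    "destinationOptions": {"fileFormat": "parquet",
                           "hiveCompatiblePartitions": True,
                           "perHourPartition": True},
}
BAD_MIXED = {
    **GOOD_S3,
    "resourceType": "vpc",                 # wrong case
    "maxAggregationInterval": 300,         # only 60 or 600 are allowed
    "logGroupName": "example-flow-logs",   # CloudWatch Logs only
    "deliverLogsPermissionArn": "arn:aws:iam::111122223333:role/example",
    "destinationOptions": {"fileFormat": "parquet",
                           "hiveCompatiblePartitions": True},
}
```

Calling lint_flow_log(GOOD_S3) returns an empty list, while BAD_MIXED yields one message per violated constraint, which makes the function usable as a CI gate ahead of a deployment.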

Outputs

All input properties are implicitly available as output properties. Additionally, the FlowLog resource produces the following output properties:

C#:
AwsId string
The Flow Log ID
Id string
The provider-assigned unique ID for this managed resource.

Go:
AwsId string
The Flow Log ID
Id string
The provider-assigned unique ID for this managed resource.

Java:
awsId String
The Flow Log ID
id String
The provider-assigned unique ID for this managed resource.

TypeScript:
awsId string
The Flow Log ID
id string
The provider-assigned unique ID for this managed resource.

Python:
aws_id str
The Flow Log ID
id str
The provider-assigned unique ID for this managed resource.

YAML:
awsId String
The Flow Log ID
id String
The provider-assigned unique ID for this managed resource.

Supporting Types

DestinationOptionsProperties, DestinationOptionsPropertiesArgs

C#:
FileFormat This property is required. Pulumi.AwsNative.Ec2.FlowLogDestinationOptionsPropertiesFileFormat
The format for the flow log. The default is plain-text.
HiveCompatiblePartitions This property is required. bool
Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false.
PerHourPartition This property is required. bool
Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false.

Go:
FileFormat This property is required. FlowLogDestinationOptionsPropertiesFileFormat
The format for the flow log. The default is plain-text.
HiveCompatiblePartitions This property is required. bool
Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false.
PerHourPartition This property is required. bool
Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false.

Java:
fileFormat This property is required. FlowLogDestinationOptionsPropertiesFileFormat
The format for the flow log. The default is plain-text.
hiveCompatiblePartitions This property is required. Boolean
Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false.
perHourPartition This property is required. Boolean
Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false.

TypeScript:
fileFormat This property is required. FlowLogDestinationOptionsPropertiesFileFormat
The format for the flow log. The default is plain-text.
hiveCompatiblePartitions This property is required. boolean
Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false.
perHourPartition This property is required. boolean
Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false.

Python:
file_format This property is required. FlowLogDestinationOptionsPropertiesFileFormat
The format for the flow log. The default is plain-text.
hive_compatible_partitions This property is required. bool
Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false.
per_hour_partition This property is required. bool
Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false.

YAML:
fileFormat This property is required. "plain-text" | "parquet"
The format for the flow log. The default is plain-text.
hiveCompatiblePartitions This property is required. Boolean
Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false.
perHourPartition This property is required. Boolean
Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false.

FlowLogDestinationOptionsPropertiesFileFormat, FlowLogDestinationOptionsPropertiesFileFormatArgs

C#:
PlainText
plain-text
Parquet
parquet

Go:
FlowLogDestinationOptionsPropertiesFileFormatPlainText
plain-text
FlowLogDestinationOptionsPropertiesFileFormatParquet
parquet

Java:
PlainText
plain-text
Parquet
parquet

TypeScript:
PlainText
plain-text
Parquet
parquet

Python:
PLAIN_TEXT
plain-text
PARQUET
parquet

YAML:
"plain-text"
plain-text
"parquet"
parquet

FlowLogLogDestinationType, FlowLogLogDestinationTypeArgs

C#:
CloudWatchLogs
cloud-watch-logs
S3
s3
KinesisDataFirehose
kinesis-data-firehose

Go:
FlowLogLogDestinationTypeCloudWatchLogs
cloud-watch-logs
FlowLogLogDestinationTypeS3
s3
FlowLogLogDestinationTypeKinesisDataFirehose
kinesis-data-firehose

Java:
CloudWatchLogs
cloud-watch-logs
S3
s3
KinesisDataFirehose
kinesis-data-firehose

TypeScript:
CloudWatchLogs
cloud-watch-logs
S3
s3
KinesisDataFirehose
kinesis-data-firehose

Python:
CLOUD_WATCH_LOGS
cloud-watch-logs
S3
s3
KINESIS_DATA_FIREHOSE
kinesis-data-firehose

YAML:
"cloud-watch-logs"
cloud-watch-logs
"s3"
s3
"kinesis-data-firehose"
kinesis-data-firehose

FlowLogResourceType, FlowLogResourceTypeArgs

C#:
NetworkInterface
NetworkInterface
Subnet
Subnet
Vpc
VPC
TransitGateway
TransitGateway
TransitGatewayAttachment
TransitGatewayAttachment

Go:
FlowLogResourceTypeNetworkInterface
NetworkInterface
FlowLogResourceTypeSubnet
Subnet
FlowLogResourceTypeVpc
VPC
FlowLogResourceTypeTransitGateway
TransitGateway
FlowLogResourceTypeTransitGatewayAttachment
TransitGatewayAttachment

Java:
NetworkInterface
NetworkInterface
Subnet
Subnet
Vpc
VPC
TransitGateway
TransitGateway
TransitGatewayAttachment
TransitGatewayAttachment

TypeScript:
NetworkInterface
NetworkInterface
Subnet
Subnet
Vpc
VPC
TransitGateway
TransitGateway
TransitGatewayAttachment
TransitGatewayAttachment

Python:
NETWORK_INTERFACE
NetworkInterface
SUBNET
Subnet
VPC
VPC
TRANSIT_GATEWAY
TransitGateway
TRANSIT_GATEWAY_ATTACHMENT
TransitGatewayAttachment

YAML:
"NetworkInterface"
NetworkInterface
"Subnet"
Subnet
"VPC"
VPC
"TransitGateway"
TransitGateway
"TransitGatewayAttachment"
TransitGatewayAttachment

FlowLogTrafficType, FlowLogTrafficTypeArgs

C#:
Accept
ACCEPT
All
ALL
Reject
REJECT

Go:
FlowLogTrafficTypeAccept
ACCEPT
FlowLogTrafficTypeAll
ALL
FlowLogTrafficTypeReject
REJECT

Java:
Accept
ACCEPT
All
ALL
Reject
REJECT

TypeScript:
Accept
ACCEPT
All
ALL
Reject
REJECT

Python:
ACCEPT
ACCEPT
ALL
ALL
REJECT
REJECT

YAML:
"ACCEPT"
ACCEPT
"ALL"
ALL
"REJECT"
REJECT

Tag, TagArgs

C#:
Key This property is required. string
The key name of the tag
Value This property is required. string
The value of the tag

Go:
Key This property is required. string
The key name of the tag
Value This property is required. string
The value of the tag

Java:
key This property is required. String
The key name of the tag
value This property is required. String
The value of the tag

TypeScript:
key This property is required. string
The key name of the tag
value This property is required. string
The value of the tag

Python:
key This property is required. str
The key name of the tag
value This property is required. str
The value of the tag

YAML:
key This property is required. String
The key name of the tag
value This property is required. String
The value of the tag

Package Details

Repository
AWS Native pulumi/pulumi-aws-native
License
Apache-2.0
