CloudFormationでVPCフローログを設定する (CloudWatch版)

森田桂介

2019.08.13

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

VPCフローログをCloudFormationで設定する機会がありましたので、紹介させていただきます。S3とCloudWatch Logsへ保存できますが、今回はCloudWatch Logsへ保存したいと思います。

IAM Role

CloudWatch Logsへログを保存するための必要最小限の権限で作成しています。

#--------------------------------------------------------------------
VpcFlowLogsIamRole:
#--------------------------------------------------------------------
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub ${SystemName}-${Env}-flowlogs-role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "vpc-flow-logs.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: !Sub ${SystemName}-${Env}-flowlogs-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogGroups"
- "logs:DescribeLogStreams"
Resource: "*"

LogGroup

フローログを保存するロググループを作成します。
一定期間後に削除するようにRetentionInDaysを指定しています。

#--------------------------------------------------------------------
VpcFlowLogsLogGroup:
#--------------------------------------------------------------------
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: !Sub ${SystemName}-${Env}-vpc-flowlogs
RetentionInDays: !Ref RetentionInDays

FlowLog

VPCフローログを作成します。
VPCは別スタックで作成している想定です。環境に合わせて変更してください。

#--------------------------------------------------------------------
VpcFlowLogs:
#--------------------------------------------------------------------
Type: "AWS::EC2::FlowLog"
Properties:
ResourceType: "VPC"
ResourceId:
Fn::ImportValue: !Sub ${SystemName}-${Env}-vpc
TrafficType: !Ref TrafficType
DeliverLogsPermissionArn: !GetAtt VpcFlowLogsIamRole.Arn
LogGroupName: !Ref VpcFlowLogsLogGroup

テンプレート全体

パラメータ、リソース名などはお好みで変更してください。

---
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC Flow Logs

#--------------------------------------------------------------------
Parameters:
#--------------------------------------------------------------------
SystemName:
Description: This value is used as the resource prefix.
Type: String
Default: example
MinLength: 1
Env:
Description: Environment Name
Type: String
Default: dev
AllowedValues: [ dev ]
TrafficType:
Description: The type of traffic to log.
Type: String
Default: ALL
AllowedValues: [ ACCEPT, REJECT, ALL ]
RetentionInDays:
Description: The number of days to retain the log events in the specified log group.
Type: Number
Default: 30
AllowedValues: [ 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 ]

#--------------------------------------------------------------------
Resources:
#--------------------------------------------------------------------

#--------------------------------------------------------------------
VpcFlowLogs:
#--------------------------------------------------------------------
Type: "AWS::EC2::FlowLog"
Properties:
ResourceType: "VPC"
ResourceId:
Fn::ImportValue: !Sub ${SystemName}-${Env}-vpc
TrafficType: !Ref TrafficType
DeliverLogsPermissionArn: !GetAtt VpcFlowLogsIamRole.Arn
LogGroupName: !Ref VpcFlowLogsLogGroup

#--------------------------------------------------------------------
VpcFlowLogsLogGroup:
#--------------------------------------------------------------------
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: !Sub ${SystemName}-${Env}-vpc-flowlogs
RetentionInDays: !Ref RetentionInDays

#--------------------------------------------------------------------
VpcFlowLogsIamRole:
#--------------------------------------------------------------------
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub ${SystemName}-${Env}-flowlogs-role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "vpc-flow-logs.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: !Sub ${SystemName}-${Env}-flowlogs-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogGroups"
- "logs:DescribeLogStreams"
Resource: "*"