You can create a flow log for a VPC. For more information on creating flow logs at the VPC level, refer to the AWS documentation at https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#create-flow-log. Once the flow logs are created, you can enable the VPC flow logs in vRealize Network Insight after validating your AWS account.

Recommended Policy for Flow Log Creation

Review your users' IAM policies to ensure that the iam:PassRole permission on the IAM role used in the CreateFlowLogs call is granted appropriately.

If the user who calls CreateFlowLogs does not have the iam:PassRole permission on the role passed in the call, the call fails with an access denied error.

The following example demonstrates how you can verify whether the correct permission is already assigned to users who have created VPC Flow Logs in the past 90 days (the retention period of CloudTrail event history). If you have any additional questions or concerns, contact the AWS Support team.

Here is the sequence of steps to be run using the AWS CLI to determine if users who created the VPC Flow Logs have the correct permissions assigned to them:

  1. Check your CloudTrail logs for events related to creating the flow logs, by searching for attributes with a key of EventName and a value of CreateFlowLogs. In this example, only one CreateFlowLogs event is found, and this command was invoked by the user admin-temp.

       % aws cloudtrail lookup-events \
              --lookup-attributes AttributeKey=EventName,AttributeValue=CreateFlowLogs
        {
            "Events": [
                {
                    "EventName": "CreateFlowLogs",
                    "Resources": [
                        {
                            "ResourceType": "AWS::IAM::Role",
                            "ResourceName": "arn:aws:iam::123456789012:role/flowlogsRole"
                        },
                        {
                            "ResourceType": "AWS::Logs::LogGroup",
                            "ResourceName": "example-flow-logs"
                        },
                        {
                            "ResourceType": "AWS::EC2::FlowLog",
                            "ResourceName": "fl-1a1a1a1a"
                        },
                        {
                            "ResourceName": "vpc-2b2b2b2b"
                        }
                    ],
                    "EventId": "1a1a1a1a-ffff-1111-9999-1234567890af",
                    "EventTime": 1514764800.0,
                    "Username": "admin-temp",
  2. Audit the permissions assigned to the IAM user admin-temp. Specifically, look for the PolicyNames assigned to this IAM user. In this example, the policy name assigned is inline-pass-role-policy. Using the CLI, review the details of this user policy and look for the iam:PassRole permission. In this example, the user policy does include the iam:PassRole permission. Note that list-user-policies returns only inline policies; permissions can also come from attached managed policies (list-attached-user-policies) and from the user's groups, so check those as well if no inline policy grants iam:PassRole.

        % aws iam list-user-policies --user-name admin-temp
        {
            "PolicyNames": [
                "inline-pass-role-policy"
            ]
        }
        
        % aws iam get-user-policy --user-name admin-temp --policy-name inline-pass-role-policy
        {
            "UserName": "admin-temp",
            "PolicyName": "inline-pass-role-policy",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "VisualEditor0",
                        "Action": "iam:PassRole",
                        "Effect": "Allow",
                        "Resource": "arn:aws:iam::123456789012:role/flowlogsRole"
                    }
                ]
            }
        }
  3. Using the credentials of the admin-temp IAM user, you can create a new flow log and verify that the flow log is created successfully.

     % aws ec2 create-flow-logs --deliver-logs-permission-arn \
              arn:aws:iam::123456789012:role/flowlogsRole \
              --log-group-name example-flow-logs --resource-ids vpc-2b2b2b2b \
              --resource-type VPC --traffic-type ALL

    As this user has the iam:PassRole permission on the role arn:aws:iam::123456789012:role/flowlogsRole that it passes in the CreateFlowLogs call, the call succeeds. The Resource in the PassRole statement must cover the exact role ARN passed as --deliver-logs-permission-arn; a policy that names a different role (or a differently spelled one) does not grant the permission.

    Refer to the AWS documentation on IAM roles for flow logs for more information.
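The three steps above can be run as a single offline check over saved CLI output. The following is an added example, not code from vRealize Network Insight or AWS: it takes events shaped like the `aws cloudtrail lookup-events` output and policy documents shaped like the `PolicyDocument` returned by `aws iam get-user-policy`, and reports for each CreateFlowLogs caller whether iam:PassRole covers the role that was passed. The sample events and policies are constructed for illustration. The evaluation is a deliberate simplification of IAM (Allow/Deny, action and resource wildcards, list-or-string values; no NotAction, NotResource, Condition, boundaries or SCPs), treats ARN matching as case-sensitive, which is an assumption, and reports a case-only mismatch separately so you can confirm the real role ARN. It also flags Allow statements whose resource wildcard would let the user pass other roles too.

```python
import re

# Constructed sample: CreateFlowLogs calls by three users, plus an unrelated event.
ROLE = "arn:aws:iam::123456789012:role/flowlogsRole"
SAMPLE_EVENTS = [
    {"EventName": "CreateFlowLogs", "Username": "admin-temp",
     "Resources": [{"ResourceType": "AWS::IAM::Role", "ResourceName": ROLE},
                   {"ResourceType": "AWS::EC2::FlowLog", "ResourceName": "fl-1a1a1a1a"},
                   {"ResourceName": "vpc-2b2b2b2b"}]},
    {"EventName": "CreateFlowLogs", "Username": "ops-bot",
     "Resources": [{"ResourceType": "AWS::IAM::Role", "ResourceName": ROLE}]},
    {"EventName": "CreateFlowLogs", "Username": "contractor",
     "Resources": [{"ResourceType": "AWS::IAM::Role", "ResourceName": ROLE}]},
    {"EventName": "DescribeFlowLogs", "Username": "admin-temp", "Resources": []},
]

# Constructed sample: inline policy documents per user (hypothetical names).
SAMPLE_POLICIES = {
    "admin-temp": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE}]}],
    "ops-bot": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateFlowLogs", "iam:PassRole"],
         "Resource": "*"}]}],                      # overly broad PassRole
    "contractor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/flowLogsRole"}]}],  # case differs
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, text):
    """IAM-style wildcard match: only '*' and '?' are special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def evaluate_passrole(policy_docs, role_arn, case_sensitive=True):
    """Return (decision, broad): decision is 'allow', 'deny' or 'implicit-deny';
    broad is True when an allowing statement matched through a wildcard."""
    allowed = denied = broad = False
    target = role_arn if case_sensitive else role_arn.lower()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are out of scope
            # Action names are matched case-insensitively, as IAM does.
            if not any(_glob_match(a.lower(), "iam:passrole")
                       for a in _as_list(stmt["Action"])):
                continue
            resources = [r if case_sensitive else r.lower()
                         for r in _as_list(stmt["Resource"])]
            hits = [r for r in resources if _glob_match(r, target)]
            if not hits:
                continue
            if stmt.get("Effect") == "Deny":
                denied = True          # an explicit Deny always wins
            elif stmt.get("Effect") == "Allow":
                allowed = True
                broad = broad or any("*" in r or "?" in r for r in hits)
    if denied:
        return "deny", broad
    return ("allow" if allowed else "implicit-deny"), broad


def audit_flowlog_events(events, policies_by_user):
    """One finding per (caller, role) pair seen in CreateFlowLogs events."""
    findings = []
    for ev in events:
        if ev.get("EventName") != "CreateFlowLogs":
            continue
        user = ev.get("Username")
        roles = [r["ResourceName"] for r in ev.get("Resources", [])
                 if r.get("ResourceType") == "AWS::IAM::Role"]
        for role in roles:
            docs = policies_by_user.get(user, [])
            decision, broad = evaluate_passrole(docs, role)
            # A case-only mismatch usually means a typo in the policy's Resource.
            case_only = (decision != "allow" and
                         evaluate_passrole(docs, role, case_sensitive=False)[0] == "allow")
            findings.append({"user": user, "role": role, "decision": decision,
                             "broad": broad, "case_only_mismatch": case_only})
    return findings


if __name__ == "__main__":
    for f in audit_flowlog_events(SAMPLE_EVENTS, SAMPLE_POLICIES):
        print(f)
```

To run this against a real account, save the output of the lookup-events and get-user-policy commands to JSON, load them, and pass the `Events` list and a per-user list of `PolicyDocument` values in place of the constructed samples; remember to include managed and group policies in that list, since the CLI commands shown above return only the user's inline policies.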