
Maestro

Find Attackers in AWS using VPC Flow Logs


To search VPC flow logs, you can use Amazon Athena, a serverless query service that runs standard SQL directly against data stored in Amazon S3, so there is nothing to ingest or index before you start hunting.

We’ve built a platform to automate incident response and forensics in AWS — you can deploy it from the AWS Marketplace here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Here are the steps you can follow to search your VPC flow logs using AWS Athena:

In the AWS Management Console, go to the Athena service page.

In the Query Editor, create a new query against the database and table that hold your flow-log data. The following sample query is a starting point; substitute your own database and table names for the placeholders, and keep a LIMIT on exploratory queries because Athena bills per byte scanned:

```sql
SELECT *
FROM <database>.<table>
LIMIT 100;
```
Add a WHERE clause to filter the results on the criteria you care about: source or destination IP address, destination port, protocol number, the ACCEPT/REJECT action, or any other field in the log format. If the table is partitioned by date, constrain that column as well so Athena scans only the days you are investigating.

Run the query and review the results to see if they contain the information you are looking for.

Use the query results to take appropriate action, such as investigating potential security threats or optimizing network performance.

Note: Before you can query anything, you must enable VPC flow logs with an S3 bucket as the destination and then create an Athena table whose columns match the log format exactly (the default version 2 format has 14 space-separated fields; a custom format needs its own column list in the same order). Partition the table by date so each query scans only the period you ask about. Keep in mind what flow logs do and do not contain: each record is flow metadata plus the security group / network ACL verdict (ACCEPT or REJECT), never packet contents, and some traffic is never logged at all, such as traffic to the instance metadata service, the Amazon DNS resolver and DHCP.
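As an added worked example, not code from the original post, here is the full sequence the steps above describe: an Athena table over default-format (version 2) flow logs in S3, a daily partition, and three queries that go from "who is knocking" to "who got in". The bucket name, account ID, region and dates are placeholders; the RFC 1918 regex and the 50-port threshold are assumptions to tune for your environment.

```sql
-- Added example (not from the original post). Assumes the default
-- version-2 flow-log text format delivered to S3; the bucket, account ID,
-- region and dates below are placeholders. Column order must match the
-- log format exactly, so a custom format needs its own DDL.
CREATE EXTERNAL TABLE IF NOT EXISTS vpc_flow_logs (
  version      int,
  account_id   string,
  interface_id string,
  srcaddr      string,
  dstaddr      string,
  srcport      int,
  dstport      int,
  protocol     bigint,   -- IANA number: 6 = TCP, 17 = UDP, 1 = ICMP
  packets      bigint,
  bytes        bigint,
  start        bigint,   -- flow start, Unix seconds
  `end`        bigint,   -- flow end, Unix seconds
  action       string,   -- ACCEPT or REJECT (security group / NACL verdict)
  log_status   string    -- OK, NODATA or SKIPDATA
)
PARTITIONED BY (`date` date)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ' '
LOCATION 's3://EXAMPLE-BUCKET/AWSLogs/111122223333/vpcflowlogs/us-east-1/'
TBLPROPERTIES ("skip.header.line.count"="1");

-- One partition per day keeps each query's S3 scan (and bill) bounded.
ALTER TABLE vpc_flow_logs ADD IF NOT EXISTS
  PARTITION (`date`='2024-01-15')
  LOCATION 's3://EXAMPLE-BUCKET/AWSLogs/111122223333/vpcflowlogs/us-east-1/2024/01/15/';

-- 1. Noisiest external sources rejected by security groups or NACLs.
--    The regex drops RFC 1918 sources so internal chatter does not drown
--    out scanners; extend it if you use other internal ranges.
SELECT srcaddr,
       COUNT(*)                AS rejected_flows,
       COUNT(DISTINCT dstaddr) AS hosts_targeted,
       COUNT(DISTINCT dstport) AS ports_probed
FROM vpc_flow_logs
WHERE action = 'REJECT'
  AND "date" >= current_date - INTERVAL '7' DAY
  AND NOT regexp_like(srcaddr, '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
GROUP BY srcaddr
ORDER BY rejected_flows DESC
LIMIT 20;

-- 2. Port-scan candidates: one source hitting many distinct TCP ports on
--    one host within the same hour. Flow logs aggregate per flow, so each
--    probed port normally appears as its own REJECT record.
WITH hourly AS (
  SELECT srcaddr, dstaddr, dstport,
         from_unixtime(start - (start % 3600)) AS hour_bucket
  FROM vpc_flow_logs
  WHERE protocol = 6
    AND action = 'REJECT'
    AND "date" >= current_date - INTERVAL '7' DAY
)
SELECT srcaddr, dstaddr, hour_bucket,
       COUNT(DISTINCT dstport) AS distinct_ports
FROM hourly
GROUP BY srcaddr, dstaddr, hour_bucket
HAVING COUNT(DISTINCT dstport) >= 50   -- assumed threshold, tune per VPC
ORDER BY distinct_ports DESC
LIMIT 20;

-- 3. Did any scanner also get an ACCEPT? Those flows come first in the
--    investigation: the source reached a listening service.
WITH scanners AS (
  SELECT srcaddr
  FROM vpc_flow_logs
  WHERE action = 'REJECT'
    AND "date" >= current_date - INTERVAL '7' DAY
  GROUP BY srcaddr
  HAVING COUNT(DISTINCT dstport) >= 50
)
SELECT f.srcaddr, f.dstaddr, f.dstport,
       COUNT(*)                    AS accepted_flows,
       SUM(f.bytes)                AS total_bytes,
       from_unixtime(MIN(f.start)) AS first_seen,
       from_unixtime(MAX(f."end")) AS last_seen
FROM vpc_flow_logs f
JOIN scanners s ON f.srcaddr = s.srcaddr
WHERE f.action = 'ACCEPT'
  AND f."date" >= current_date - INTERVAL '7' DAY
GROUP BY f.srcaddr, f.dstaddr, f.dstport
ORDER BY total_bytes DESC
LIMIT 50;
```

Two caveats when reading the output. ACCEPT and REJECT are the security group / network ACL verdicts, not a judgement about intent: a REJECT from an external address to a closed port only tells you the scanner was blocked, which is why query 3 pivots from the scanners to the flows that were allowed through. And because the default format has no direction field, the RFC 1918 filter in query 1 is the only thing separating "inbound from the internet" from internal traffic; add the pkt-srcaddr, flow-direction and traffic-path fields (custom format, version 5) if you need that distinction to be exact.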

AWS has its own guide, which is worth reviewing, at https://docs.aws.amazon.com/athena/latest/ug/vpc-flow-logs.html :

Amazon Virtual Private Cloud flow logs capture information about the IP traffic going to and from network interfaces in a VPC. Use the logs to investigate network traffic patterns and identify threats and risks across your VPC network.
To query your Amazon VPC flow logs, you have two options:
Amazon VPC Console – Use the Athena integration feature in the Amazon VPC Console to generate an AWS CloudFormation template that creates an Athena database, workgroup, and flow logs table with partitioning for you. The template also creates a set of predefined flow log queries that you can use to obtain insights about the traffic flowing through your VPC.
For information about this approach, see Query flow logs using Amazon Athena in the Amazon VPC User Guide.
Amazon Athena console – Create your tables and queries directly in the Athena console. For more information, continue reading this page.
