AWS VPC Flow Logs

Overview

VPC Flow Logs record metadata about every accepted or rejected IP packet across:

VPC, subnet, and ENI (network interface) traffic
Source and destination IPs, ports, protocol, and bytes
Action (ACCEPT / REJECT) and security group decision

Atatus reads VPC flow logs that have been delivered to a CloudWatch log group.

Prerequisites

A VPC with flow logging enabled and configured to deliver to CloudWatch Logs.
IAM credentials with read access to that log group.

Step 1: Enable VPC Flow Logs (if not already)

Open the AWS Console → VPC.
Select the VPC, subnet, or ENI to monitor and choose Flow logs → Create flow log.
Configure:
- Filter: All (recommended) or Reject/Accept.
- Destination: Send to CloudWatch Logs.
- Log group: select an existing group or create one (for example, vpc-flow-logs-group).
- IAM role: the role that allows VPC to publish to CloudWatch Logs.
Click Create flow log.

Step 2: Create an IAM user with log read access

Open IAM → Users → Create user, name it atatus-vpc-flow-reader.
Attach an inline policy granting:
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:GetLogEvents
- logs:FilterLogEvents
Scope the policy to the flow logs log group ARN.
Create an access key under Security credentials → Create access key and copy both values.

Step 3: Connect AWS VPC Flow Logs in Atatus

In Atatus, go to Security → Cloud SIEM → Integrations.
Locate the AWS VPC Flow Logs card and click Connect.
Fill in the form:

Field	Description	Example
AWS Access Key ID	IAM user access key from Step 2.	`AKIA...`
AWS Secret Access Key	The matching secret key.	`••••••••`
AWS Region	Region of the log group.	`us-east-1`
CloudWatch Log Group	Log group receiving the VPC flow logs.	`vpc-flow-logs-group`
Poll Interval (minutes)	How often to fetch new entries.	`5`
Enabled	Turn collection on.	`true`

Click Connect.

Verification

The AWS VPC Flow Logs card shows Configured.
Flow records appear in Security → Cloud SIEM → Audit Logs → Events with source aws_vpc_flow_logs.