
VPC Flow Logs with CloudFormation

AWS CloudFormation Adds Support for Amazon VPC Flow Logs, Amazon Kinesis Firehose Delivery Streams, and Other Updates

AWS appears to have added CloudFormation support for Flow Logs. Since there was no good template available, I wrote one.

FlowLogsRole

First, create a role that vpc-flow-logs.amazonaws.com can assume.

    "FlowLogsRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "vpc-flow-logs.amazonaws.com"
                ]
              },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Path": "/"
      }
    }

FlowLogsPolicy

Next, attach a policy to the role.

    "FlowLogsPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "FlowLogs",
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          { "Ref": "FlowLogsRole" }
        ]
      },
      "DependsOn" : [
        "FlowLogsRole"
      ]
    }

FlowLog

Finally, create the Flow Log for the VPC.

    "VPCFlowLog": {
      "Type" : "AWS::EC2::FlowLog",
      "Properties" : {
        "DeliverLogsPermissionArn" : { "Fn::GetAtt" : [ "FlowLogsRole", "Arn" ] },
        "LogGroupName"             : { "Fn::Join": ["", [
          "VPCFlowLogsGroup", "-", { "Ref": "AWS::StackName" }
        ]]},
        "ResourceId"               : { "Ref" : "VPC" },
        "ResourceType"             : "VPC",
        "TrafficType"              : "ALL"
      }
    }

The stack name is used so that each VPC gets its own log group name. Note: FlowLogsRoleArn stands for { "Fn::GetAtt" : [ "FlowLogsRole", "Arn" ] }, the ARN of FlowLogsRole.
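As an added example (not code from the post), the following check catches the one mistake that is easy to make when assembling these three snippets: a `Ref` to a name such as `FlowLogsRoleArn` that is neither a parameter nor a resource, which CloudFormation rejects at validation time. It reduces the post's template to the references that matter and assumes the VPC is passed in as a parameter named `VPC`.

```python
# Pseudo-parameters CloudFormation always resolves, so they never count as missing.
PSEUDO = {"AWS::StackName", "AWS::Region", "AWS::AccountId", "AWS::NoValue"}

def _walk(node, refs, getatts):
    """Collect every Ref target and Fn::GetAtt logical id in a template subtree."""
    if isinstance(node, dict):
        if list(node) == ["Ref"] and isinstance(node["Ref"], str):
            refs.add(node["Ref"])
        elif list(node) == ["Fn::GetAtt"] and isinstance(node["Fn::GetAtt"], list):
            getatts.add(node["Fn::GetAtt"][0])
        for value in node.values():
            _walk(value, refs, getatts)
    elif isinstance(node, list):
        for value in node:
            _walk(value, refs, getatts)

def unresolved_references(template):
    """Return the sorted Ref/GetAtt targets that no Parameter, Resource or
    pseudo-parameter in the template declares."""
    declared = (set(template.get("Parameters", {}))
                | set(template.get("Resources", {})) | PSEUDO)
    refs, getatts = set(), set()
    _walk(template.get("Resources", {}), refs, getatts)
    return sorted((refs | getatts) - declared)

def flow_log_template(role_arn_expr):
    """Constructed, minimal form of the post's resources; the VPC parameter is an assumption."""
    return {
        "Parameters": {"VPC": {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "FlowLogsRole": {"Type": "AWS::IAM::Role", "Properties": {"Path": "/"}},
            "FlowLogsPolicy": {"Type": "AWS::IAM::Policy",
                               "Properties": {"Roles": [{"Ref": "FlowLogsRole"}]}},
            "VPCFlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {
                "DeliverLogsPermissionArn": role_arn_expr,
                "LogGroupName": {"Fn::Join": ["", [
                    "VPCFlowLogsGroup", "-", {"Ref": "AWS::StackName"}]]},
                "ResourceId": {"Ref": "VPC"}, "ResourceType": "VPC",
                "TrafficType": "ALL"}},
        },
    }

# The shorthand the post uses versus the expression it expands to.
AS_POSTED = flow_log_template({"Ref": "FlowLogsRoleArn"})
CORRECTED = flow_log_template({"Fn::GetAtt": ["FlowLogsRole", "Arn"]})

if __name__ == "__main__":
    print(unresolved_references(AS_POSTED))   # ['FlowLogsRoleArn']
    print(unresolved_references(CORRECTED))   # []
```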