Introduction
This document describes how to configure VPC Flow Logs as an input to Cisco Telemetry Broker (CTB).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Amazon Web Services (AWS)
- CTB administration
Components Used
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configuration Steps
Step 1. Configure S3 Bucket in AWS
1: Log in to the AWS Management Console with your username and password.
2: Ensure that you are logged in to the appropriate region.
3: Navigate to the search bar and type S3.
Note: In this demo, the Ohio region (region code us-east-2) is selected; the region is shown right next to the gear icon.
4: Click Create bucket.
5: Give the bucket a name, leave every other option at its default, and click Create.
6: Once the bucket is successfully created, save the bucket ARN; it is used later in the configuration.
Step 2. Create IAM User with Access key and Attach S3 Bucket Policy
1: Open IAM from the AWS search bar.
2: Navigate to Users.
3: Uncheck the AWS Management Console access box, because the only purpose of this user is to access S3 storage.
4: Click Next to continue.
5: Click Create user once the entered details are verified.
Note: Unchecking the AWS Management Console access box prevents the user from logging in to the AWS account through the web UI.
6: Assign a policy by attaching it directly to the user, attaching it to a group, or configuring it inline.
Note: For demonstration, the policy is attached directly to the user. For more information, see Managing AWS Policies.
7: Search for S3 full access and select AmazonS3FullAccess, which grants the user full access to every S3 bucket in the corresponding AWS account.
8: Check the box next to the policy name AmazonS3FullAccess and click Next.
Note: You can create a more granular policy that allows access only to a specific bucket; navigate to Policy creation to write your S3 bucket policy in JSON format.
9: Once the user is created, open the user, navigate to the Security credentials tab, and click Create access key.
10: Select the Other radio button and optionally add a tag.
11: Click Download .csv file. This CSV file contains the access key, and it can no longer be downloaded or viewed once you navigate away from this page.
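The granular alternative to AmazonS3FullAccess mentioned in the note after step 8, as an added example that is not from the original document: an identity policy that lets the CTB user list and read only the flow-log bucket. EXAMPLE-BUCKET-NAME is a placeholder for the bucket created in Step 1, and the assumption is that the broker only needs to enumerate and download objects from that bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListFlowLogBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
    },
    {
      "Sid": "ReadFlowLogObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}
```

Attach this policy in place of AmazonS3FullAccess at step 6; if the CTB input later fails to become active, compare the bucket ARN in the policy against the ARN saved in Step 1 before widening the permissions.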
Step 3. Configure VPC Flow Logs
1: Open VPC in your desired region and navigate to the Your VPCs option.
2: Select your VPC from the list shown on the screen.
Note: The VPC named SCA is selected in this demo.
3: Navigate to Your VPCs under Virtual private cloud, switch to the Flow logs tab, and click Create flow logs.
4: Give your flow logs a name and enter the ARN of the S3 bucket created earlier.
Note: For the ARN, see Configure S3 Bucket, Step 6.
5: You can use the AWS default log format or create a custom log format if more fields are required.
7: Click Create flow logs.
Step 4. Configure VPC Input to CTB
1: Access the CTB Web UI and navigate to Explorer > Broker node tab > click Open broker node > Data Flow tab > click Add Input.
2: Select the Input type AWS VPC Flow log and click Next.
3: Fill in the details (Input name, S3 Bucket Path, Region Code, Input IP Address, AWS Access Key ID, AWS Secret Access Key) and click Add input.
Note: For the S3 Bucket Path, see Configure VPC Flow Logs, Step 7.
Note: For the Region Code, see the AWS home page, next to the gear icon.
Note: The IP address configured as the Input IP Address (a unique IP not shared by any other exporter) is reported as the exporter for the transformed NetFlow data.
Note: For the AWS Access Key ID, see Create IAM User with Access key and Attach S3 Bucket Policy, Step 9.
Verify
A few minutes after the AWS VPC input is configured, the Status column becomes Active if the AWS S3 bucket has data in it.
Verify the status of the AWS VPC input with these steps.
1: Log in to the CTB UI and navigate to Explorer > Broker node tab > click Open broker node > switch to the Input tab > click Open AWS input.
2: Verify that the configured AWS flow log input has Active status and that the received metric shows a rising graph.