Setting up FlowLog-Stats (2/2): Enabling permissions to read Flow Logs

This is one of two blog posts on what you’ll need to do to set up FlowLog-Stats.  This blog post outlines instructions for giving FlowLog-Stats read-only access to your AWS Flow Logs and should take less than 10 minutes.  To learn how to enable Flow Logs on AWS, please read more here.

These steps apply whether or not you are going to use FlowLog-Stats.com.  If you want to enable AWS Flow Logs and give read permission to any application, this is how you would set it up.

These instructions outline one of the easiest methods for creating a machine user and granting this user rights to read the Flow Logs so that FlowLog-Stats can pull the data and process it.  By creating a user for only this purpose, you can audit this user and restrict permissions.  This step is optional – you can also just give FlowLog-Stats full access if you’d like.  Rest assured that our code base doesn’t do anything but read from the Flow Logs.

Step One (Optional): Create a machine user

Go to Service -> IAM to create a new user.  On the left-hand side, click on Users.  Then, near the top middle, click on the Create New Users button.


Now enter in a user name (for example, machine.flowlog-stats).  Then click the Create button on the bottom right.


This brings you to a screen where, if you click Show User Security Credentials, you will see an Access Key ID and a Secret Access Key string.  Copy these down.  This will be the last time you can get these keys since this is confidential information that AWS does NOT save.


After you record the credentials, you can click on the Close link at the bottom.  This will bring you back to the users list screen so you can give this user permission.

Step Two: Granting Read Only Access

On the users list screen, click on the machine.flowlog-stats user to see its details.


Click on the Attach Policy button.


In the search filter, enter CloudWatchLogsReadOnly.


Click the check box and then click the Attach Policy button on the bottom right.

 

You’re done! Now this user has READ ONLY access to your CloudWatch Logs and FlowLog-Stats can create your daily dashboard. If you haven’t enabled Flow Logs on AWS, please read more here.
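Since the point of a dedicated machine user is that you can audit it, one way to check a policy document attached to that user for anything beyond read access to CloudWatch Logs is sketched below. This is an added example, not code from FlowLog-Stats or AWS; the list of read-only patterns and the two sample policies are assumptions constructed for illustration.

```python
import fnmatch

# Assumption: patterns treated as read-only for CloudWatch Logs in this example.
READ_ONLY_PATTERNS = (
    "logs:describe*", "logs:get*", "logs:list*",
    "logs:filterlogevents", "logs:testmetricfilter",
    "logs:startquery", "logs:stopquery",
)

def is_read_only(action):
    """True only if the action or wildcard stays within READ_ONLY_PATTERNS."""
    a = action.lower()                      # IAM action names are case-insensitive
    if a in READ_ONLY_PATTERNS:
        return True
    if "*" in a or "?" in a:                # any other wildcard may cover writes
        return False
    return any(fnmatch.fnmatchcase(a, p) for p in READ_ONLY_PATTERNS)

def audit_policy(policy):
    """Return (statement id, offending action) pairs found in Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"#{i}")
        if "NotAction" in stmt:             # allows everything except the listed actions
            findings.append((sid, "NotAction"))
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings += [(sid, a) for a in actions if not is_read_only(a)]
    return findings

# Constructed sample policies (not taken from AWS or from FlowLog-Stats).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadFlowLogs", "Effect": "Allow", "Resource": "*",
     "Action": ["logs:Describe*", "logs:GetLogEvents", "logs:FilterLogEvents"]}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadFlowLogs", "Effect": "Allow", "Resource": "*",
     "Action": ["logs:Get*", "logs:PutLogEvents"]},
    {"Effect": "Allow", "Resource": "*", "Action": "logs:*"}]}

if __name__ == "__main__":
    print(audit_policy(READ_ONLY))
    print(audit_policy(TOO_BROAD))
```

An empty result means every allowed action falls inside the read-only patterns; any other wildcard is reported even if it happens to match only read actions today.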
