Flow Logs is a free AWS feature that “captures information about IP traffic going to and from network interfaces”. It captures all the meta data information about IP traffic in your cloud (it does not capture the actual payload itself because that would be too much data to save).
What is in this meta data?
- interface id (which instance it came from)
- source and destination IP and port
- protocol (TCP, UDP, ICMP, etc)
- number of packets transferred
- number of bytes transferred
- was the traffic accepted or rejected
This information can be useful in a myriad of ways to different users of your AWS cloud.
For the Ops or DevOps users, Amazon Flow Logs can provide information on what the usual traffic pattern should be. You’ll know how much user traffic comes inbound from the internet and from where in the world by mapping the IP to a geographical location. You’ll find out who the top talkers are on the network and which machine is sending the most traffic. This gives you a profile of how your cloud operates.
For Security users, they can use Amazon Flow Logs to find out which malicious IPs are trying to talk to their network and which machines they’re talking to. These IP addresses can be cross referenced with curated lists that external security analysts produce to identify its threat severity. You can also use this service to find data leakage in the case of a large amount of data is sent outbound to a host that is not yours.
AWS gives you this data in a log format. It is up to you to ingest this data in, parse it out, and produce analytics out of it. FlowLog-Stats takes care of this process for you and provides you with a refreshed dashboard daily. Check out our demo dashboard.