Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. AWS Cloud Control
  3. API Docs
  4. ec2
  5. FlowLog

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi
pulumi/pulumi-aws-native

aws-native.ec2.FlowLog

Explore with Pulumi AI

aws-native logo

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi
pulumi/pulumi-aws-native

    Specifies a VPC flow log, which enables you to capture IP traffic for a specific network interface, subnet, or VPC.

    Create FlowLog Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new FlowLog(name: string, args: FlowLogArgs, opts?: CustomResourceOptions);
    @overload
def FlowLog(resource_name: str,
            args: FlowLogArgs,
            opts: Optional[ResourceOptions] = None)

@overload
def FlowLog(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            resource_id: Optional[str] = None,
            resource_type: Optional[FlowLogResourceType] = None,
            deliver_cross_account_role: Optional[str] = None,
            deliver_logs_permission_arn: Optional[str] = None,
            destination_options: Optional[DestinationOptionsPropertiesArgs] = None,
            log_destination: Optional[str] = None,
            log_destination_type: Optional[FlowLogLogDestinationType] = None,
            log_format: Optional[str] = None,
            log_group_name: Optional[str] = None,
            max_aggregation_interval: Optional[int] = None,
            tags: Optional[Sequence[_root_inputs.TagArgs]] = None,
            traffic_type: Optional[FlowLogTrafficType] = None)
    func NewFlowLog(ctx *Context, name string, args FlowLogArgs, opts ...ResourceOption) (*FlowLog, error)
    public FlowLog(string name, FlowLogArgs args, CustomResourceOptions? opts = null)
    public FlowLog(String name, FlowLogArgs args)
public FlowLog(String name, FlowLogArgs args, CustomResourceOptions options)

    type: aws-native:ec2:FlowLog
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args FlowLogArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args FlowLogArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args FlowLogArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args FlowLogArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args FlowLogArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    FlowLog Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The FlowLog resource accepts the following input properties:

    ResourceId string
    The ID of the subnet, network interface, or VPC for which you want to create a flow log.
    ResourceType Pulumi.AwsNative.Ec2.FlowLogResourceType
    The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
    DeliverCrossAccountRole string
    The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    DeliverLogsPermissionArn string
    The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    DestinationOptions Pulumi.AwsNative.Ec2.Inputs.DestinationOptionsProperties
    The destination options.
    LogDestination string
    Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
    LogDestinationType Pulumi.AwsNative.Ec2.FlowLogLogDestinationType
    Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
    LogFormat string
    The fields to include in the flow log record, in the order in which they should appear.
    LogGroupName string
    The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    MaxAggregationInterval int
    The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
    Tags List<Pulumi.AwsNative.Inputs.Tag>
    The tags to apply to the flow logs.
    TrafficType Pulumi.AwsNative.Ec2.FlowLogTrafficType
    The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
    ResourceId string
    The ID of the subnet, network interface, or VPC for which you want to create a flow log.
    ResourceType FlowLogResourceType
    The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
    DeliverCrossAccountRole string
    The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    DeliverLogsPermissionArn string
    The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    DestinationOptions DestinationOptionsPropertiesArgs
    The destination options.
    LogDestination string
    Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
    LogDestinationType FlowLogLogDestinationType
    Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
    LogFormat string
    The fields to include in the flow log record, in the order in which they should appear.
    LogGroupName string
    The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    MaxAggregationInterval int
    The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
    Tags TagArgs
    The tags to apply to the flow logs.
    TrafficType FlowLogTrafficType
    The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
    resourceId String
    The ID of the subnet, network interface, or VPC for which you want to create a flow log.
    resourceType FlowLogResourceType
    The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
    deliverCrossAccountRole String
    The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    deliverLogsPermissionArn String
    The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    destinationOptions DestinationOptionsProperties
    The destination options.
    logDestination String
    Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
    logDestinationType FlowLogLogDestinationType
    Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
    logFormat String
    The fields to include in the flow log record, in the order in which they should appear.
    logGroupName String
    The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    maxAggregationInterval Integer
    The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
    tags List<Tag>
    The tags to apply to the flow logs.
    trafficType FlowLogTrafficType
    The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
    resourceId string
    The ID of the subnet, network interface, or VPC for which you want to create a flow log.
    resourceType FlowLogResourceType
    The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
    deliverCrossAccountRole string
    The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    deliverLogsPermissionArn string
    The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    destinationOptions DestinationOptionsProperties
    The destination options.
    logDestination string
    Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
    logDestinationType FlowLogLogDestinationType
    Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
    logFormat string
    The fields to include in the flow log record, in the order in which they should appear.
    logGroupName string
    The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    maxAggregationInterval number
    The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
    tags Tag[]
    The tags to apply to the flow logs.
    trafficType FlowLogTrafficType
    The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
    resource_id str
    The ID of the subnet, network interface, or VPC for which you want to create a flow log.
    resource_type FlowLogResourceType
    The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
    deliver_cross_account_role str
    The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    deliver_logs_permission_arn str
    The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    destination_options DestinationOptionsPropertiesArgs
    The destination options.
    log_destination str
    Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
    log_destination_type FlowLogLogDestinationType
    Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
    log_format str
    The fields to include in the flow log record, in the order in which they should appear.
    log_group_name str
    The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    max_aggregation_interval int
    The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
    tags Sequence[TagArgs]
    The tags to apply to the flow logs.
    traffic_type FlowLogTrafficType
    The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
    resourceId String
    The ID of the subnet, network interface, or VPC for which you want to create a flow log.
    resourceType "NetworkInterface" | "Subnet" | "VPC" | "TransitGateway" | "TransitGatewayAttachment"
    The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.
    deliverCrossAccountRole String
    The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    deliverLogsPermissionArn String
    The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    destinationOptions Property Map
    The destination options.
    logDestination String
    Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.
    logDestinationType "cloud-watch-logs" | "s3" | "kinesis-data-firehose"
    Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
    logFormat String
    The fields to include in the flow log record, in the order in which they should appear.
    logGroupName String
    The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.
    maxAggregationInterval Number
    The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).
    tags List<Property Map>
    The tags to apply to the flow logs.
    trafficType "ACCEPT" | "ALL" | "REJECT"
    The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the FlowLog resource produces the following output properties:

    AwsId string
    The Flow Log ID
    Id string
    The provider-assigned unique ID for this managed resource.
    AwsId string
    The Flow Log ID
    Id string
    The provider-assigned unique ID for this managed resource.
    awsId String
    The Flow Log ID
    id String
    The provider-assigned unique ID for this managed resource.
    awsId string
    The Flow Log ID
    id string
    The provider-assigned unique ID for this managed resource.
    aws_id str
    The Flow Log ID
    id str
    The provider-assigned unique ID for this managed resource.
    awsId String
    The Flow Log ID
    id String
    The provider-assigned unique ID for this managed resource.

    Supporting Types

    DestinationOptionsProperties, DestinationOptionsPropertiesArgs

    FileFormat Pulumi.AwsNative.Ec2.FlowLogDestinationOptionsPropertiesFileFormat
    The format for the flow log. The default is plain-text .
    HiveCompatiblePartitions bool
    Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false .
    PerHourPartition bool
    Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false .
    FileFormat FlowLogDestinationOptionsPropertiesFileFormat
    The format for the flow log. The default is plain-text .
    HiveCompatiblePartitions bool
    Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false .
    PerHourPartition bool
    Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false .
    fileFormat FlowLogDestinationOptionsPropertiesFileFormat
    The format for the flow log. The default is plain-text .
    hiveCompatiblePartitions Boolean
    Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false .
    perHourPartition Boolean
    Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false .
    fileFormat FlowLogDestinationOptionsPropertiesFileFormat
    The format for the flow log. The default is plain-text .
    hiveCompatiblePartitions boolean
    Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false .
    perHourPartition boolean
    Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false .
    file_format FlowLogDestinationOptionsPropertiesFileFormat
    The format for the flow log. The default is plain-text .
    hive_compatible_partitions bool
    Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false .
    per_hour_partition bool
    Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false .
    fileFormat "plain-text" | "parquet"
    The format for the flow log. The default is plain-text .
    hiveCompatiblePartitions Boolean
    Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is false .
    perHourPartition Boolean
    Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is false .

    FlowLogDestinationOptionsPropertiesFileFormat, FlowLogDestinationOptionsPropertiesFileFormatArgs

    PlainText
    plain-text
    Parquet
    parquet
    FlowLogDestinationOptionsPropertiesFileFormatPlainText
    plain-text
    FlowLogDestinationOptionsPropertiesFileFormatParquet
    parquet
    PlainText
    plain-text
    Parquet
    parquet
    PlainText
    plain-text
    Parquet
    parquet
    PLAIN_TEXT
    plain-text
    PARQUET
    parquet
    "plain-text"
    plain-text
    "parquet"
    parquet

    FlowLogLogDestinationType, FlowLogLogDestinationTypeArgs

    CloudWatchLogs
    cloud-watch-logs
    S3
    s3
    KinesisDataFirehose
    kinesis-data-firehose
    FlowLogLogDestinationTypeCloudWatchLogs
    cloud-watch-logs
    FlowLogLogDestinationTypeS3
    s3
    FlowLogLogDestinationTypeKinesisDataFirehose
    kinesis-data-firehose
    CloudWatchLogs
    cloud-watch-logs
    S3
    s3
    KinesisDataFirehose
    kinesis-data-firehose
    CloudWatchLogs
    cloud-watch-logs
    S3
    s3
    KinesisDataFirehose
    kinesis-data-firehose
    CLOUD_WATCH_LOGS
    cloud-watch-logs
    S3
    s3
    KINESIS_DATA_FIREHOSE
    kinesis-data-firehose
    "cloud-watch-logs"
    cloud-watch-logs
    "s3"
    s3
    "kinesis-data-firehose"
    kinesis-data-firehose

    FlowLogResourceType, FlowLogResourceTypeArgs

    NetworkInterface
    NetworkInterface
    Subnet
    Subnet
    Vpc
    VPC
    TransitGateway
    TransitGateway
    TransitGatewayAttachment
    TransitGatewayAttachment
    FlowLogResourceTypeNetworkInterface
    NetworkInterface
    FlowLogResourceTypeSubnet
    Subnet
    FlowLogResourceTypeVpc
    VPC
    FlowLogResourceTypeTransitGateway
    TransitGateway
    FlowLogResourceTypeTransitGatewayAttachment
    TransitGatewayAttachment
    NetworkInterface
    NetworkInterface
    Subnet
    Subnet
    Vpc
    VPC
    TransitGateway
    TransitGateway
    TransitGatewayAttachment
    TransitGatewayAttachment
    NetworkInterface
    NetworkInterface
    Subnet
    Subnet
    Vpc
    VPC
    TransitGateway
    TransitGateway
    TransitGatewayAttachment
    TransitGatewayAttachment
    NETWORK_INTERFACE
    NetworkInterface
    SUBNET
    Subnet
    VPC
    VPC
    TRANSIT_GATEWAY
    TransitGateway
    TRANSIT_GATEWAY_ATTACHMENT
    TransitGatewayAttachment
    "NetworkInterface"
    NetworkInterface
    "Subnet"
    Subnet
    "VPC"
    VPC
    "TransitGateway"
    TransitGateway
    "TransitGatewayAttachment"
    TransitGatewayAttachment

    FlowLogTrafficType, FlowLogTrafficTypeArgs

    Accept
    ACCEPT
    All
    ALL
    Reject
    REJECT
    FlowLogTrafficTypeAccept
    ACCEPT
    FlowLogTrafficTypeAll
    ALL
    FlowLogTrafficTypeReject
    REJECT
    Accept
    ACCEPT
    All
    ALL
    Reject
    REJECT
    Accept
    ACCEPT
    All
    ALL
    Reject
    REJECT
    ACCEPT
    ACCEPT
    ALL
    ALL
    REJECT
    REJECT
    "ACCEPT"
    ACCEPT
    "ALL"
    ALL
    "REJECT"
    REJECT

    Tag, TagArgs

    Key string
    The key name of the tag
    Value string
    The value of the tag
    Key string
    The key name of the tag
    Value string
    The value of the tag
    key String
    The key name of the tag
    value String
    The value of the tag
    key string
    The key name of the tag
    value string
    The value of the tag
    key str
    The key name of the tag
    value str
    The value of the tag
    key String
    The key name of the tag
    value String
    The value of the tag

    Package Details

    Repository
    AWS Native pulumi/pulumi-aws-native
    License
    Apache-2.0
    aws-native logo

    We recommend new projects start with resources from the AWS provider.

    AWS Cloud Control v1.27.0 published on Monday, Apr 14, 2025 by Pulumi
    pulumi/pulumi-aws-native