Cloud Device Configuration: AWS VPC Flow Export


1.Log in to the Seceon GUI as Administrator.

2.Go to Provisioning>Cloud Device Configuration.

3.Click Add Button. You will see a window as:

4. Choose “AWS Flows“ in the Cloud Log Devices.

5. Enter the details obtained as below:

a) AWS Access Key ID and Secret Access Key

  • Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.


    If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, choose Sign-in using root user credentials near the bottom of the page to return to the main sign-in page. From there, you can enter your AWS account email address and password.

  • Choose your account name in the navigation bar, and then choose My Security Credentials.

  • If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  • Expand the Access keys (access key ID and secret access key) section.

  • Then do the following:

    To create an access key

    Choose Create New Access Key. If this feature is disabled, then you must delete one of the existing access keys before you can create a new key. For more information, see IAM Entity Object Limits in the IAM User Guide.

    A warning explains that you have only this one opportunity to view or download the secret access key. It cannot be retrieved later.

    • Choose Show Access Key to copy the access key ID and secret key from your browser window and paste it with you, to be configured in Seceon GUI.

b)AWS Region

Applicable for your AWS instance.

c) AWS Log Storage Location

Based on your log storage location in use, you can choose from S3 Bucket and Cloud Watch logs.

d) AWS S3 Bucket name

Valid if you have “S3” chosen in option c)AWS Log Storage Option.

e) Destination Log Group

Valid if you have “Cloudwatch“ chosen in option c)AWS Log Storage Option.


Please enter the IP of Seceon Collector(Collection and Control Engine).

Enabling VPC Flow Logs

For enabling VPC Flow logs, you need IAM Role that can publish flow logs to the CloudWatch. To do so follow the documentation at

In case the VPC Flows are not enabled, you can enable VPC Flow Logs from the AWS Management Console or the AWS Command Line Interface (CLI), or by making calls to the EC2 API. Here’s how you would enable them for a VPC:

This will display the Create Flow Log wizard. In Log record format, choose custom format and add the following fields in the following order

  • version

  • account-id

  • interface-id

  • srcaddr

  • dstaddr

  • srcport

  • dstport

  • protocol

  • packets

  • bytes

  • start

  • end

  • action

  • log-status

  • tcp-flags


New Flow Logs will appear in the Flow Logs tab of the VPC dashboard.

The Flow Logs are saved into log groups in CloudWatch Logs. The log group will be created approximately 15 minutes after you create a new Flow Log. You can access them via the CloudWatch Logs dashboard.

Each group will contain a separate stream for each Elastic Network Interface (ENI):

Each stream, in turn, contains a series of flow log records:

Go With the Flow
Here are a couple of things to keep in mind when you use VPC Flow Logs.

Flows are collected, processed, and stored in capture windows that are approximately 10 minutes long. The log group will be created and the first flow records will become visible in the console about 15 minutes after you create the Flow Log.

You can create up to two Flow Logs on one resource.

The Flow Logs will not include any of the following traffic:

  1. Traffic to Amazon DNS servers, including queries for private hosted zones.

  2. Windows license activation traffic for licenses provided by Amazon.

  3. Requests for instance metadata.

  4. DHCP requests or responses.

Reference links: