AWS Flow Logs Configuration
This page explains how to configure the Coordimap agent to ingest AWS VPC Flow Logs from S3.
The key identity rule is the same as for the AWS infrastructure crawler: use the AWS account ID as scope_id. If the flow logs data source and the AWS infrastructure data source use different scope_id values, Coordimap cannot attach the telemetry cleanly to the right assets.
The current agent example config also includes account_id for the AWS Flow Logs crawler. In practice, keep account_id aligned with the same AWS account you use for scope_id.
Prerequisites
Make sure you have already installed or deployed the Coordimap agent.
Enable flow logs in at least one VPC
Before this configuration can work, enable VPC Flow Logs for at least one VPC and send them to S3. Follow the setup guide here: AWS Flow Logs To S3.
Find The Correct scope_id
Use the AWS account ID:
aws sts get-caller-identity --query Account --output text
Reuse the same account-level scope_id as your main AWS crawler.
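The scope_id rule can be checked before the agent is deployed. The following is an added example, not Coordimap's own code: it takes the agent config as a YAML loader would return it and reports mismatches. It assumes data_sources is nested under coordimap, and the infrastructure crawler's type string "aws" is an assumption, since this page does not name it.

```python
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
SECRET_KEYS = ("access_key_id", "secret_access_key")

def options(source):
    """Flatten the name/value list of one data source into a dict."""
    return {o["name"]: str(o["value"]) for o in source.get("config", [])}

def check_flow_logs(cfg, infra_type="aws"):
    """Return a list of findings; an empty list means the scopes line up.

    infra_type is an assumption: the page does not give the type string
    of the AWS infrastructure crawler.
    """
    sources = cfg["coordimap"]["data_sources"]
    infra_scopes = {options(s).get("scope_id") for s in sources
                    if s.get("type") == infra_type}
    findings = []
    for s in sources:
        if s.get("type") != "aws_flow_logs":
            continue
        opt = options(s)
        scope, account = opt.get("scope_id", ""), opt.get("account_id", "")
        if not ACCOUNT_ID.match(scope):
            findings.append("scope_id is not a 12-digit AWS account ID")
        if account != scope:
            findings.append("account_id differs from scope_id")
        if scope not in infra_scopes:
            findings.append("no AWS infrastructure source shares this scope_id")
        for key in SECRET_KEYS:
            # Credentials should stay environment references, as on this page.
            if key in opt and not ENV_REF.match(opt[key]):
                findings.append(f"{key} is a literal, not a ${{ENV}} reference")
    return findings

# Constructed sample config (account ID and values are made up).
def sample(scope, account, secret="${AWS_SECRET_ACCESS_KEY}"):
    return {"coordimap": {"data_sources": [
        {"type": "aws", "config": [{"name": "scope_id", "value": "111122223333"}]},
        {"type": "aws_flow_logs", "config": [
            {"name": "scope_id", "value": scope},
            {"name": "account_id", "value": account},
            {"name": "access_key_id", "value": "${AWS_ACCESS_KEY_ID}"},
            {"name": "secret_access_key", "value": secret}]}]}}

if __name__ == "__main__":
    print(check_flow_logs(sample("111122223333", "111122223333")))
    print(check_flow_logs(sample("prod-vpc", "111122223333", "EXAMPLE-literal")))
```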
Configuration File
coordimap:
  api_key: ${COORDIMAP_API_KEY}
  data_sources:
    - type: aws_flow_logs
      data_source_id: <YOUR_DATASOURCE_ID_FROM_UI>
      config:
        - name: scope_id
          value: "<AWS_ACCOUNT_ID>"
        - name: log_format
          value: "all"
        - name: log_type
          value: "S3"
        - name: account_id
          value: "<AWS_ACCOUNT_ID>"
        - name: bucket_name
          value: "your-s3-bucket-name"
        - name: region
          value: "eu-central-1"
        - name: access_key_id
          value: ${AWS_ACCESS_KEY_ID}
        - name: secret_access_key
          value: ${AWS_SECRET_ACCESS_KEY}
        - name: crawl_interval
          value: "5m"
Configuration Options
Prop
Type
Related Reading
eBPF Flows Configuration
Configure the Coordimap eBPF flows datasource to capture runtime network traffic with interface selection, deployment mode, external mappings, and crawl intervals.
Send AWS VPC Flow Logs To S3
Configure AWS VPC Flow Logs delivery to Amazon S3 so the Coordimap AWS Flow Logs crawler can ingest network telemetry with the correct account scope_id.