Send AWS VPC Flow Logs To S3

This guide explains how to configure AWS VPC Flow Logs so they are written to Amazon S3 and can be ingested by the Coordimap AWS Flow Logs crawler.

Use this together with:

Why This Matters

Coordimap can only attach AWS flow telemetry cleanly when the log source and the AWS infrastructure crawler both describe the same AWS account identity. In practice, that means:

  • the AWS crawler should use the AWS account ID as scope_id
  • the AWS Flow Logs crawler should reuse the same AWS account ID as scope_id
  • the flow log delivery itself should come from that same account

What AWS VPC Flow Logs Produce

AWS VPC Flow Logs collect IP traffic records, aggregate them, and publish log files to S3 on a recurring basis. Those files become the input for the Coordimap AWS Flow Logs crawler.

IAM Permissions To Create Log Delivery

The AWS principal creating the flow log needs permissions such as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogDelivery", "logs:DeleteLogDelivery"],
      "Resource": "*"
    }
  ]
}

S3 Bucket Policy For Flow Log Delivery

The S3 bucket must allow AWS log delivery to write objects into it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "my-s3-arn",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": "account_id"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:region:account_id:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::bucket_name",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account_id"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:region:account_id:*"
        }
      }
    }
  ]
}

Replace these placeholders:

  • my-s3-arn: ARN of the target S3 bucket or prefix
  • account_id: AWS account ID
  • region: AWS region or *
  • bucket_name: target S3 bucket name

Create The Flow Log In AWS

  1. Open the Amazon VPC console.
  2. Select the target VPC.
  3. Choose Create flow log.
  4. Set Filter to All.
  5. Set Destination to S3.
  6. Enter the S3 bucket ARN.
  7. For Log record format, choose Custom and include all fields.
  8. Create the flow log.

Coordimap-Specific Guidance

When you configure the Coordimap AWS Flow Logs crawler, keep these values aligned:

  • scope_id: AWS account ID
  • account_id: AWS account ID
  • main AWS crawler scope_id: same AWS account ID

If those values diverge, Coordimap will ingest the logs, but the resulting relationships may not attach to the intended AWS assets.
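One way to check the alignment described above before turning the crawler on, as an added Python example that is not Coordimap's or AWS's own code: it fills the bucket-policy placeholders from the "S3 Bucket Policy For Flow Log Delivery" section (assuming delivery writes objects under the AWSLogs/<account_id>/ prefix) and then verifies that every grant to delivery.logs.amazonaws.com is pinned, via aws:SourceAccount and aws:SourceArn, to the same account ID you intend to use as scope_id, flagging any placeholder left unreplaced. Function names, the bucket name and the account IDs are constructed for the example.

```python
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"
PLACEHOLDERS = ("my-s3-arn", "account_id", "region", "bucket_name")


def render_bucket_policy(account_id: str, region: str, bucket_name: str) -> str:
    """Fill the guide's placeholders; delivery writes under AWSLogs/<account_id>/ (assumed)."""
    pinned = {"StringEquals": {"aws:SourceAccount": account_id},
              "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"}}
    write = {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
             "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "aws:SourceAccount": account_id},
                           "ArnLike": pinned["ArnLike"]}}
    check = {"Sid": "AWSLogDeliveryCheck", "Effect": "Allow",
             "Principal": {"Service": LOG_DELIVERY},
             "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket_name}", "Condition": pinned}
    return json.dumps({"Version": "2012-10-17", "Statement": [write, check]}, indent=2)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_bucket_policy(policy_text: str, account_id: str, bucket_name: str) -> list:
    """Return findings; empty means every grant is pinned to account_id (the scope_id)."""
    findings = [f"placeholder '{p}' still present" for p in PLACEHOLDERS if p in policy_text]
    actions = set()
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != LOG_DELIVERY:
            continue  # only grants to the log delivery service matter here
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        actions.update(_as_list(stmt.get("Action", [])))
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        if f":{account_id}:" not in cond.get("ArnLike", {}).get("aws:SourceArn", ""):
            findings.append(f"{sid}: aws:SourceArn is not pinned to {account_id}")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith(f"arn:aws:s3:::{bucket_name}"):
                findings.append(f"{sid}: Resource {res} is outside bucket {bucket_name}")
    for needed in ("s3:PutObject", "s3:GetBucketAcl", "s3:ListBucket"):
        if needed not in actions:
            findings.append(f"no {needed} grant for {LOG_DELIVERY}")
    return findings
```

Run check_bucket_policy against the policy actually attached to the bucket, passing the account ID the crawler will use as scope_id; any finding means the delivery source and the crawler identity have diverged.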