aws-cdk-lib.aws_ec2.CfnFlowLog

class CfnFlowLog (construct)

LanguageType name
.NETAmazon.CDK.AWS.EC2.CfnFlowLog
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsec2#CfnFlowLog
Javasoftware.amazon.awscdk.services.ec2.CfnFlowLog
Pythonaws_cdk.aws_ec2.CfnFlowLog
TypeScript aws-cdk-lib » aws_ec2 » CfnFlowLog

Implements IConstruct, IDependable, IInspectable

A CloudFormation AWS::EC2::FlowLog.

Specifies a VPC flow log that captures IP traffic for a specified network interface, subnet, or VPC. To view the log data, use Amazon CloudWatch Logs (CloudWatch Logs) to help troubleshoot connection issues. For example, you can use a flow log to investigate why certain traffic isn't reaching an instance, which can help you diagnose overly restrictive security group rules. For more information, see VPC Flow Logs in the Amazon VPC User Guide .

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_ec2 as ec2 } from 'aws-cdk-lib';

declare const destinationOptions: any;
const cfnFlowLog = new ec2.CfnFlowLog(this, 'MyCfnFlowLog', {
  resourceId: 'resourceId',
  resourceType: 'resourceType',

  // the properties below are optional
  deliverLogsPermissionArn: 'deliverLogsPermissionArn',
  destinationOptions: destinationOptions,
  logDestination: 'logDestination',
  logDestinationType: 'logDestinationType',
  logFormat: 'logFormat',
  logGroupName: 'logGroupName',
  maxAggregationInterval: 123,
  tags: [{
    key: 'key',
    value: 'value',
  }],
  trafficType: 'trafficType',
});

Initializer

new CfnFlowLog(scope: Construct, id: string, props: CfnFlowLogProps)

Parameters

  • scope Construct — - scope in which this resource is defined.
  • id string — - scoped id of the resource.
  • props CfnFlowLogProps — - resource properties.

Create a new AWS::EC2::FlowLog.

Construct Props

NameTypeDescription
resourceIdstringThe ID of the resource to monitor.
resourceTypestringThe type of resource to monitor.
deliverLogsPermissionArn?stringThe ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.
destinationOptions?anyThe destination options. The following options are supported:.
logDestination?stringThe destination for the flow log data. The meaning of this parameter depends on the destination type.
logDestinationType?stringThe type of destination for the flow log data.
logFormat?stringThe fields to include in the flow log record, in the order in which they should appear.
logGroupName?stringThe name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs.
maxAggregationInterval?numberThe maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
tags?CfnTag[]The tags to apply to the flow logs.
trafficType?stringThe type of traffic to monitor (accepted traffic, rejected traffic, or all traffic).

resourceId

Type: string

The ID of the resource to monitor.

For example, if the resource type is VPC , specify the ID of the VPC.


resourceType

Type: string

The type of resource to monitor.


deliverLogsPermissionArn?

Type: string (optional)

The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.

This parameter is required if the destination type is cloud-watch-logs and unsupported otherwise.


destinationOptions?

Type: any (optional)

The destination options. The following options are supported:.

  • FileFormat - The format for the flow log ( plain-text | parquet ). The default is plain-text .
  • HiveCompatiblePartitions - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( true | false ). The default is false .
  • PerHourPartition - Indicates whether to partition the flow log per hour ( true | false ). The default is false .

logDestination?

Type: string (optional)

The destination for the flow log data. The meaning of this parameter depends on the destination type.

  • If the destination type is cloud-watch-logs , specify the ARN of a CloudWatch Logs log group. For example:

arn:aws:logs: region : account_id :log-group: my_group

Alternatively, use the LogGroupName parameter.

  • If the destination type is s3 , specify the ARN of an S3 bucket. For example:

arn:aws:s3::: my_bucket / my_subfolder /

The subfolder is optional. Note that you can't use AWSLogs as a subfolder name.

  • If the destination type is kinesis-data-firehose , specify the ARN of a Kinesis Data Firehose delivery stream. For example:

arn:aws:firehose: region : account_id :deliverystream: my_stream


logDestinationType?

Type: string (optional)

The type of destination for the flow log data.

Default: cloud-watch-logs


logFormat?

Type: string (optional)

The fields to include in the flow log record, in the order in which they should appear.

If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see Flow log records in the Amazon VPC User Guide or Transit Gateway Flow Log records in the AWS Transit Gateway Guide .

Specify the fields using the ${field-id} format, separated by spaces.


logGroupName?

Type: string (optional)

The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs.

This parameter is valid only if the destination type is cloud-watch-logs .


maxAggregationInterval?

Type: number (optional)

The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.

The possible values are 60 seconds (1 minute) or 600 seconds (10 minutes). This parameter must be 60 seconds for transit gateway resource types.

When a network interface is attached to a Nitro-based instance , the aggregation interval is always 60 seconds or less, regardless of the value that you specify.

Default: 600


tags?

Type: CfnTag[] (optional)

The tags to apply to the flow logs.


trafficType?

Type: string (optional)

The type of traffic to monitor (accepted traffic, rejected traffic, or all traffic).

This parameter is not supported for transit gateway resource types. It is required for the other resource types.

Properties

NameTypeDescription
attrIdstringThe ID of the flow log.
cfnOptionsICfnResourceOptionsOptions for this resource, such as condition, update policy etc.
cfnProperties{ [string]: any }
cfnResourceTypestringAWS resource type.
creationStackstring[]
destinationOptionsanyThe destination options. The following options are supported:.
logicalIdstringThe logical ID for this CloudFormation stack element.
nodeNodeThe tree node.
refstringReturn a string that will be resolved to a CloudFormation { Ref } for this element.
resourceIdstringThe ID of the resource to monitor.
resourceTypestringThe type of resource to monitor.
stackStackThe stack in which this element is defined.
tagsTagManagerThe tags to apply to the flow logs.
deliverLogsPermissionArn?stringThe ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.
logDestination?stringThe destination for the flow log data. The meaning of this parameter depends on the destination type.
logDestinationType?stringThe type of destination for the flow log data.
logFormat?stringThe fields to include in the flow log record, in the order in which they should appear.
logGroupName?stringThe name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs.
maxAggregationInterval?numberThe maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
trafficType?stringThe type of traffic to monitor (accepted traffic, rejected traffic, or all traffic).
static CFN_RESOURCE_TYPE_NAMEstringThe CloudFormation resource type name for this resource class.

attrId

Type: string

The ID of the flow log.

For example, fl-123456abc123abc1 .


cfnOptions

Type: ICfnResourceOptions

Options for this resource, such as condition, update policy etc.


cfnProperties

Type: { [string]: any }


cfnResourceType

Type: string

AWS resource type.


creationStack

Type: string[]


destinationOptions

Type: any

The destination options. The following options are supported:.

  • FileFormat - The format for the flow log ( plain-text | parquet ). The default is plain-text .
  • HiveCompatiblePartitions - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( true | false ). The default is false .
  • PerHourPartition - Indicates whether to partition the flow log per hour ( true | false ). The default is false .

logicalId

Type: string

The logical ID for this CloudFormation stack element.

The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).


node

Type: Node

The tree node.


ref

Type: string

Return a string that will be resolved to a CloudFormation { Ref } for this element.

If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).


resourceId

Type: string

The ID of the resource to monitor.

For example, if the resource type is VPC , specify the ID of the VPC.


resourceType

Type: string

The type of resource to monitor.


stack

Type: Stack

The stack in which this element is defined.

CfnElements must be defined within a stack scope (directly or indirectly).


tags

Type: TagManager

The tags to apply to the flow logs.


deliverLogsPermissionArn?

Type: string (optional)

The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.

This parameter is required if the destination type is cloud-watch-logs and unsupported otherwise.


logDestination?

Type: string (optional)

The destination for the flow log data. The meaning of this parameter depends on the destination type.

  • If the destination type is cloud-watch-logs , specify the ARN of a CloudWatch Logs log group. For example:

arn:aws:logs: region : account_id :log-group: my_group

Alternatively, use the LogGroupName parameter.

  • If the destination type is s3 , specify the ARN of an S3 bucket. For example:

arn:aws:s3::: my_bucket / my_subfolder /

The subfolder is optional. Note that you can't use AWSLogs as a subfolder name.

  • If the destination type is kinesis-data-firehose , specify the ARN of a Kinesis Data Firehose delivery stream. For example:

arn:aws:firehose: region : account_id :deliverystream: my_stream


logDestinationType?

Type: string (optional)

The type of destination for the flow log data.

Default: cloud-watch-logs


logFormat?

Type: string (optional)

The fields to include in the flow log record, in the order in which they should appear.

If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see Flow log records in the Amazon VPC User Guide or Transit Gateway Flow Log records in the AWS Transit Gateway Guide .

Specify the fields using the ${field-id} format, separated by spaces.


logGroupName?

Type: string (optional)

The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs.

This parameter is valid only if the destination type is cloud-watch-logs .


maxAggregationInterval?

Type: number (optional)

The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.

The possible values are 60 seconds (1 minute) or 600 seconds (10 minutes). This parameter must be 60 seconds for transit gateway resource types.

When a network interface is attached to a Nitro-based instance , the aggregation interval is always 60 seconds or less, regardless of the value that you specify.

Default: 600


trafficType?

Type: string (optional)

The type of traffic to monitor (accepted traffic, rejected traffic, or all traffic).

This parameter is not supported for transit gateway resource types. It is required for the other resource types.


static CFN_RESOURCE_TYPE_NAME

Type: string

The CloudFormation resource type name for this resource class.

Methods

NameDescription
addDeletionOverride(path)Syntactic sugar for addOverride(path, undefined).
addDependency(target)Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addDependsOn(target)⚠️Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addMetadata(key, value)Add a value to the CloudFormation Resource Metadata.
addOverride(path, value)Adds an override to the synthesized CloudFormation resource.
addPropertyDeletionOverride(propertyPath)Adds an override that deletes the value of a property from the resource definition.
addPropertyOverride(propertyPath, value)Adds an override to a resource property.
applyRemovalPolicy(policy?, options?)Sets the deletion policy of the resource based on the removal policy specified.
getAtt(attributeName, typeHint?)Returns a token for an runtime attribute of this resource.
getMetadata(key)Retrieve a value value from the CloudFormation Resource Metadata.
inspect(inspector)Examines the CloudFormation resource and discloses attributes.
obtainDependencies()Retrieves an array of resources this resource depends on.
obtainResourceDependencies()Get a shallow copy of dependencies between this resource and other resources in the same stack.
overrideLogicalId(newLogicalId)Overrides the auto-generated logical ID with a specific ID.
removeDependency(target)Indicates that this resource no longer depends on another resource.
replaceDependency(target, newTarget)Replaces one dependency with another.
toString()Returns a string representation of this construct.
protected renderProperties(props)

addDeletionOverride(path)

public addDeletionOverride(path: string): void

Parameters

  • path string — The path of the value to delete.

Syntactic sugar for addOverride(path, undefined).


addDependency(target)

public addDependency(target: CfnResource): void

Parameters

  • target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.


addDependsOn(target)⚠️

public addDependsOn(target: CfnResource): void

⚠️ Deprecated: use addDependency

Parameters

  • target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.


addMetadata(key, value)

public addMetadata(key: string, value: any): void

Parameters

  • key string
  • value any

Add a value to the CloudFormation Resource Metadata.

See also: [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.)


addOverride(path, value)

public addOverride(path: string, value: any): void

Parameters

  • path string — - The path of the property, you can use dot notation to override values in complex types.
  • value any — - The value.

Adds an override to the synthesized CloudFormation resource.

To add a property override, either use addPropertyOverride or prefix path with "Properties." (i.e. Properties.TopicName).

If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.

To include a literal . in the property name, prefix with a \. In most programming languages you will need to write this as "\\." because the \ itself will need to be escaped.

For example,

cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');

would add the overrides

"Properties": {
  "GlobalSecondaryIndexes": [
    {
      "Projection": {
        "NonKeyAttributes": [ "myattribute" ]
        ...
      }
      ...
    },
    {
      "ProjectionType": "INCLUDE"
      ...
    },
  ]
  ...
}

The value argument to addOverride will not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.


addPropertyDeletionOverride(propertyPath)

public addPropertyDeletionOverride(propertyPath: string): void

Parameters

  • propertyPath string — The path to the property.

Adds an override that deletes the value of a property from the resource definition.


addPropertyOverride(propertyPath, value)

public addPropertyOverride(propertyPath: string, value: any): void

Parameters

  • propertyPath string — The path of the property.
  • value any — The value.

Adds an override to a resource property.

Syntactic sugar for addOverride("Properties.<...>", value).


applyRemovalPolicy(policy?, options?)

public applyRemovalPolicy(policy?: RemovalPolicy, options?: RemovalPolicyOptions): void

Parameters

  • policy RemovalPolicy
  • options RemovalPolicyOptions

Sets the deletion policy of the resource based on the removal policy specified.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN). In some cases, a snapshot can be taken of the resource prior to deletion (RemovalPolicy.SNAPSHOT). A list of resources that support this policy can be found in the following link:

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options


getAtt(attributeName, typeHint?)

public getAtt(attributeName: string, typeHint?: ResolutionTypeHint): Reference

Parameters

  • attributeName string — The name of the attribute.
  • typeHint ResolutionTypeHint

Returns

  • Reference

Returns a token for an runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.


getMetadata(key)

public getMetadata(key: string): any

Parameters

  • key string

Returns

  • any

Retrieve a value value from the CloudFormation Resource Metadata.

See also: [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.)


inspect(inspector)

public inspect(inspector: TreeInspector): void

Parameters

  • inspector TreeInspector — - tree inspector to collect and process attributes.

Examines the CloudFormation resource and discloses attributes.


obtainDependencies()

public obtainDependencies(): Stack &#124; CfnResource[]

Returns

  • Stack | CfnResource[]

Retrieves an array of resources this resource depends on.

This assembles dependencies on resources across stacks (including nested stacks) automatically.


obtainResourceDependencies()

public obtainResourceDependencies(): CfnResource[]

Returns

  • CfnResource[]

Get a shallow copy of dependencies between this resource and other resources in the same stack.


overrideLogicalId(newLogicalId)

public overrideLogicalId(newLogicalId: string): void

Parameters

  • newLogicalId string — The new logical ID to use for this stack element.

Overrides the auto-generated logical ID with a specific ID.


removeDependency(target)

public removeDependency(target: CfnResource): void

Parameters

  • target CfnResource

Indicates that this resource no longer depends on another resource.

This can be used for resources across stacks (including nested stacks) and the dependency will automatically be removed from the relevant scope.


replaceDependency(target, newTarget)

public replaceDependency(target: CfnResource, newTarget: CfnResource): void

Parameters

  • target CfnResource — The dependency to replace.
  • newTarget CfnResource — The new dependency to add.

Replaces one dependency with another.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


protected renderProperties(props)

protected renderProperties(props: { [string]: any }): { [string]: any }

Parameters

  • props { [string]: any }

Returns

  • { [string]: any }