Configure Flow Logs

Prisma Cloud ingests the VPC flow logs from Amazon S3 buckets stored in a logging account and makes them available for network policy alerting and visualization. While onboarding your AWS account, you need to onboard the logging account that has the S3 bucket storing VPC flow logs for the monitored account. The default retention period of flow logs is 30 days, after which they are purged, so you can query flow log data for the last 30 days. CloudWatch is the default selection for ingesting flow logs and does not require additional configuration.
If you onboarded new AWS accounts after December 8, 2022 or moved existing accounts to S3 based ingestion for flow logs, you need to create a new flow log setting with the hourly (60 minutes) partition, which provides better ingestion performance than the existing 24 hours partition. Selecting the additional fields on the AWS console that are used in the Internet exposure calculation in network policies addresses the false positives for those network policies.
When creating S3 flow logs on the AWS console, make sure to partition your flow logs for Every 1 hour (60 minutes). Prisma Cloud will support the 24 hours partition timeframe till March 15, 2023.
  1. On your AWS console, create a flow log with the following specifications:
    1. The new flow log format requires all connection direction related fields. Here's a sample format:
    2. Select all fields instead of manually selecting each one, or choose the custom format and select the required fields. The required fields that you need to select are:
      • account-id
      • action
      • interface-id
      • srcaddr
      • dstaddr
      • srcport
      • dstport
      • protocol
      • packets
      • bytes
      • start
      • end
      • log-status
      • region
      • version
      • tcp-flags
      • flow-direction
      • traffic-path
      • vpc-id
      • subnet-id
      • instance-id
      • pkt-srcaddr
      • pkt-dstaddr
      • pkt-src-aws-service
      • pkt-dst-aws-service
    3. Set Partition logs by time to Every 1 hour (60 minutes).
    4. Set Log file format to text. Prisma Cloud supports ingestion of only text format files.
  2. You are not required to change anything on Prisma Cloud as long as the S3 bucket does not change.
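The following Python is an added example, not Prisma Cloud or AWS code. It audits existing flow log definitions against the three requirements above (text file format, hourly partition, all required fields in the custom format) and renders the required field list as the template string AWS expects for a custom log format. It assumes the dict shape that boto3's `describe_flow_logs` returns under `FlowLogs` (`LogDestinationType`, `LogFormat`, `DestinationOptions`); the two sample entries and their `fl-...` ids are constructed for the example.

```python
"""Audit VPC flow log definitions against the S3 ingestion requirements.

Hypothetical helper (not Prisma Cloud or AWS code). It works on the dicts
that boto3's ec2.describe_flow_logs() returns under "FlowLogs".
"""
import re

# The custom-format fields listed on this page as required for S3 ingestion.
REQUIRED_FIELDS = [
    "account-id", "action", "interface-id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "log-status",
    "region", "version", "tcp-flags", "flow-direction", "traffic-path",
    "vpc-id", "subnet-id", "instance-id", "pkt-srcaddr", "pkt-dstaddr",
    "pkt-src-aws-service", "pkt-dst-aws-service",
]

# AWS's built-in default format; it lacks the direction and exposure fields.
DEFAULT_LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
    "${action} ${log-status}"
)


def build_log_format(fields=REQUIRED_FIELDS):
    """Render field names as the ${name} template used for a custom log format."""
    return " ".join("${%s}" % f for f in fields)


def parse_log_format(log_format):
    """Extract field names from a ${name} template string."""
    return re.findall(r"\$\{([a-z0-9-]+)\}", log_format)


def missing_fields(log_format):
    """Required fields absent from a flow log's LogFormat, in page order."""
    present = set(parse_log_format(log_format))
    return [f for f in REQUIRED_FIELDS if f not in present]


def audit_flow_log(flow_log):
    """Return human-readable findings for one FlowLogs entry; [] means compliant."""
    findings = []
    # CloudWatch ingestion needs no extra configuration, so there is nothing to check.
    if flow_log.get("LogDestinationType") != "s3":
        return findings
    opts = flow_log.get("DestinationOptions", {})
    if opts.get("FileFormat", "plain-text") != "plain-text":
        findings.append("file format is %r; only text files are ingested" % opts.get("FileFormat"))
    if not opts.get("PerHourPartition", False):
        findings.append("partitioned every 24 hours; hourly partition is required")
    missing = missing_fields(flow_log.get("LogFormat", ""))
    if missing:
        findings.append("log format lacks required fields: " + ", ".join(missing))
    return findings


def audit_account(ec2_client):
    """Audit every flow log in an account; ec2_client is a boto3 EC2 client the caller supplies."""
    report = {}
    for page in ec2_client.get_paginator("describe_flow_logs").paginate():
        for fl in page["FlowLogs"]:
            report[fl["FlowLogId"]] = audit_flow_log(fl)
    return report


# Constructed samples in the shape of describe_flow_logs() output (not real resources).
COMPLIANT_FLOW_LOG = {
    "FlowLogId": "fl-0example0compliant",
    "LogDestinationType": "s3",
    "LogDestination": "arn:aws:s3:::example-logging-bucket/prod-logs/",
    "LogFormat": build_log_format(),
    "DestinationOptions": {"FileFormat": "plain-text", "HiveCompatiblePartitions": False, "PerHourPartition": True},
}
LEGACY_FLOW_LOG = {
    "FlowLogId": "fl-0example0legacy",
    "LogDestinationType": "s3",
    "LogDestination": "arn:aws:s3:::example-logging-bucket/",
    "LogFormat": DEFAULT_LOG_FORMAT,
    "DestinationOptions": {"FileFormat": "parquet", "HiveCompatiblePartitions": False, "PerHourPartition": False},
}

if __name__ == "__main__":
    for fl in (COMPLIANT_FLOW_LOG, LEGACY_FLOW_LOG):
        print(fl["FlowLogId"], audit_flow_log(fl) or ["ok"])
```

The field check only asserts that every required field is present, so a flow log created with "Select all" (a superset of the list) passes, while the AWS default format is reported with the eleven direction and exposure fields it lacks.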

Onboarded Accounts that Use S3

For your previously onboarded AWS accounts that are using S3 with the 24 hours partition, you can now select the hourly partition. Prisma Cloud checks whether flow logs have all the necessary permissions required for the hourly partition (it does not check for the fields).
  1. Onboard your AWS account.
  2. Onboard the logging account and buckets to fetch flow logs from S3.
    1. Click Edit Cloud Account.
    2. Select S3 from the Flow Logs dropdown to configure flow logs from S3.
    3. Click Configure.
    4. Select from the logging accounts displayed or click Add Logging Account.
    5. To Configure Logging Account, enter an Account ID, Account Name, and Role Name. A default role name is provided, which you can customize.
      All the configured Logging Accounts are displayed. Select the Logging Account that contains the S3 bucket to which the VPC flow logs are being sent for the respective monitored account, or add a new Logging Account as described in Step 3.
    6. Select from the buckets displayed or click Add Bucket.
    7. To Configure Buckets, enter a Bucket Name and the Bucket Region that you have configured as the destination for flow logs on the AWS Logging Account VPC console. The Bucket Path Prefix (comma separated list) and Key ARN are optional. If you have a specific path prefix for flow logs, or have configured bucket encryption, enter the Bucket Path Prefix or Key ARN respectively.
      If you've enabled hourly partitions, the files are published to the following location: bucket-and-optional-prefix/AWSLogs/account_id/vpcflowlogs/region/year/month/day/hour/
      In AWS, the bucket-and-optional-prefix is added to the S3 bucket ARN as a folder in the flow log settings page. Make sure you add the same bucket-and-optional-prefix in the prefix section in Prisma Cloud.
  3. You can add multiple buckets used for logging.
    1. Follow the steps displayed on the Logging Account Template, enter the Role ARN, and validate. You can proceed further only if the validation is successful and you see a green checkmark. The CFT template is deployed on the Logging Account through your AWS Management Console.
    2. In Configure S3 Flowlogs, select all the applicable Logging Buckets that Prisma Cloud can access and ingest flow logs from.
      When creating S3 flow logs on the AWS console, make sure to partition your flow logs for Every 1 hour (60 minutes). Prisma Cloud will support the Every 24 hours partition timeframe till March 15, 2023.
    3. After selecting the Logging Buckets, validate to make sure Prisma Cloud has all basic required permissions and access. If all the required permissions are present, a green checkmark displays. If not, an error message displays.
      If you want to configure a different logging account and buckets, click the
    4. Save your settings, regardless of the validation status.
      For accounts that are using CloudWatch and that you now want to upgrade to S3, the Enable Hourly Partition checkbox is enabled (grayed out) by default to ensure the hourly partition is used.
      If you previously set CloudWatch and want to fetch flow logs from S3 for an already onboarded AWS account, go to Cloud Accounts, click the edit icon corresponding to that AWS account, select S3 from the Flow Logs dropdown, click Configure, and continue from Step 2.4 above.
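Before saving the bucket settings it is worth confirming that the objects already in the logging bucket sit under the Bucket Path Prefix you entered and follow the hourly layout given in Step 2.7. The Python below is an added example, not Prisma Cloud code: it splits the comma separated prefix setting, matches object keys against the bucket-and-optional-prefix/AWSLogs/account_id/vpcflowlogs/region/year/month/day/hour/ layout, and counts objects that are hourly, still on the 24 hours layout (no hour directory), or under a prefix that is not configured. The object keys, account id, flow log ids and file hashes are constructed.

```python
"""Check S3 object keys in a logging bucket against the configured Bucket Path Prefix.

Hypothetical helper, not Prisma Cloud code. It applies the hourly layout given
on this page and treats a key without the hour directory as the 24-hour layout.
"""
import re
from collections import Counter

# Path under the optional prefix. The hour directory is optional so that
# 24-hour partitioned objects are recognised and reported rather than ignored.
KEY_PATTERN = re.compile(
    r"^AWSLogs/(?P<account_id>\d{12})/vpcflowlogs/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?:(?P<hour>\d{2})/)?"
    r"(?P<filename>[^/]+)$"
)


def parse_prefix_setting(setting):
    """Split the comma separated Bucket Path Prefix value into normalised prefixes."""
    return [p.strip().strip("/") for p in setting.split(",") if p.strip().strip("/")]


def split_prefix(key, prefixes):
    """Return (matched_prefix, remainder) or None if no configured prefix matches the key."""
    for prefix in prefixes or [""]:          # no prefix configured: logs sit at the bucket root
        head = prefix + "/" if prefix else ""
        if key.startswith(head):
            return prefix, key[len(head):]
    return None


def parse_flow_log_key(key, prefixes):
    """Describe one object key: the prefix it sits under and how it is partitioned."""
    split = split_prefix(key, prefixes)
    if split is None:
        return None
    prefix, remainder = split
    m = KEY_PATTERN.match(remainder)
    if m is None:
        return None
    info = m.groupdict()
    info["prefix"] = prefix
    info["partition"] = "hourly" if info["hour"] else "daily"
    return info


def summarise_keys(keys, prefixes):
    """Count hourly, daily and unmatched objects; unmatched keys are outside the configured prefixes."""
    counts = Counter()
    for key in keys:
        info = parse_flow_log_key(key, prefixes)
        counts[info["partition"] if info else "unmatched"] += 1
    return dict(counts)


# Constructed object keys (account id, flow log ids and hashes are made up).
SAMPLE_KEYS = [
    "prod-logs/AWSLogs/123456789012/vpcflowlogs/us-east-1/2023/03/01/14/"
    "123456789012_vpcflowlogs_us-east-1_fl-0abc123_20230301T1400Z_deadbeef.log.gz",
    "prod-logs/AWSLogs/123456789012/vpcflowlogs/us-east-1/2023/02/27/"
    "123456789012_vpcflowlogs_us-east-1_fl-0abc123_20230227T0000Z_cafef00d.log.gz",
    "legacy/AWSLogs/123456789012/vpcflowlogs/us-east-1/2023/03/01/14/"
    "123456789012_vpcflowlogs_us-east-1_fl-0def456_20230301T1400Z_0badf00d.log.gz",
]
# The value as it would be typed into the Bucket Path Prefix field.
CONFIGURED_PREFIXES = parse_prefix_setting("prod-logs, shared/vpc")

if __name__ == "__main__":
    print(summarise_keys(SAMPLE_KEYS, CONFIGURED_PREFIXES))
```

In practice the key list comes from a bucket listing restricted to the configured prefixes; a non-zero "daily" count means the old 24 hours flow log is still writing, and a non-zero "unmatched" count means a prefix in AWS differs from what was entered in Prisma Cloud.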
