Cloud Enrichment — AWS
Enriched fields produced by this configuration are applied and available in the Network Conversations Module output.
When AWS VPC Flow Log ingestion is configured, NFO enriches flows with EC2 instance names, VPC and subnet identifiers, public IP addresses, and cloud region and service data. The EDFN agent uses the same AWS credentials configured for ingestion to retrieve this metadata. No additional access configuration is required.
Prerequisite: AWS VPC Flow Log ingestion must be configured first. See AWS VPC Flow Logs Configuration for setup instructions.
Enriched Fields
The table below lists the enrichment fields added by NFO to AWS VPC flow records. Fields marked as Built-in are populated from the Cloud Service & Region lookup and require no ingestion setup.
| Field | Source | Description |
|---|---|---|
| src_cloud_service | Built-in | AWS service associated with the source IP (e.g. EC2, S3, CLOUDFRONT) |
| dest_cloud_service | Built-in | AWS service associated with the destination IP |
| src_cloud_region | Built-in | AWS region of the source IP (e.g. us-east-1) |
| dest_cloud_region | Built-in | AWS region of the destination IP |
| src_inst_name | Ingestion | Name of the source EC2 instance |
| dest_inst_name | Ingestion | Name of the destination EC2 instance |
| src_ip_pub | Ingestion | Public IPv4 address of the source EC2 instance |
| dest_ip_pub | Ingestion | Public IPv4 address of the destination EC2 instance |
| vpc_id | Ingestion | VPC ID of the flow |
| subnet_id | Ingestion | Subnet ID of the network interface |
| account_id | Ingestion | AWS account ID |
| interface_id | Ingestion | Network interface ID (ENI) |
How Enrichment Is Updated
The EDFN agent periodically queries the AWS EC2 API to refresh its lookup of instance names, VPC names, and subnet identifiers. The refresh interval is controlled by the Cron Schedule setting in the EDFN Agent configuration for AWS VPC Flow Logs.
If instance metadata is not yet available when a flow is processed (e.g. immediately after a new instance starts), the instance name fields will be absent from that flow record and populated on the next refresh cycle.
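As an added illustration (not NFO's own code) of how the Ingestion-sourced fields in the table above are derived and how the "not yet described" case in the previous paragraph plays out, the following Python builds a lookup from constructed ec2:DescribeNetworkInterfaces and ec2:DescribeInstances responses and enriches one flow record with it. The output field names follow the table; the sample data, identifiers and function names are assumptions.

```python
# Constructed sample API output (shape follows ec2:DescribeNetworkInterfaces and
# ec2:DescribeInstances); every identifier here is a placeholder.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-0111", "SubnetId": "subnet-0222",
     "Attachment": {"InstanceId": "i-0web"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10",
                             "Association": {"PublicIp": "203.0.113.10"}}]},
    {"NetworkInterfaceId": "eni-0bbb", "VpcId": "vpc-0111", "SubnetId": "subnet-0333",
     "Attachment": {"InstanceId": "i-0new"},  # launched after the last refresh
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.20"}]},
]
SAMPLE_INSTANCES = {"i-0web": {"Tags": [{"Key": "Name", "Value": "web-1"}]}}


def build_lookup(enis, instances):
    """Return (by_ip, by_eni) tables; rebuilt on every Cron Schedule refresh."""
    by_ip, by_eni = {}, {}
    for eni in enis:
        inst_id = eni.get("Attachment", {}).get("InstanceId")
        tags = instances.get(inst_id, {}).get("Tags", [])
        name = next((t["Value"] for t in tags if t["Key"] == "Name"), None)
        by_eni[eni["NetworkInterfaceId"]] = {"vpc_id": eni["VpcId"],
                                             "subnet_id": eni["SubnetId"]}
        for addr in eni.get("PrivateIpAddresses", []):
            by_ip[addr["PrivateIpAddress"]] = {
                "inst_name": name,  # None until the instance has been described
                "ip_pub": addr.get("Association", {}).get("PublicIp"),
            }
    return by_ip, by_eni


def enrich_flow(flow, by_ip, by_eni):
    """Add the Ingestion-sourced fields from the table to one VPC Flow Log record.
    Fields whose metadata is not yet known are left out rather than set to null."""
    out = dict(flow)
    out["account_id"] = flow["account-id"]
    out["interface_id"] = flow["interface-id"]
    out.update(by_eni.get(flow["interface-id"], {}))
    for side, key in (("src", "srcaddr"), ("dest", "dstaddr")):
        meta = by_ip.get(flow[key], {})
        for field in ("inst_name", "ip_pub"):
            if meta.get(field) is not None:
                out[f"{side}_{field}"] = meta[field]
    return out


if __name__ == "__main__":
    by_ip, by_eni = build_lookup(SAMPLE_ENIS, SAMPLE_INSTANCES)
    # Constructed v2 flow record: web-1 talking to the not-yet-described instance.
    flow = {"account-id": "123456789012", "interface-id": "eni-0aaa",
            "srcaddr": "10.0.1.10", "dstaddr": "10.0.2.20"}
    print(enrich_flow(flow, by_ip, by_eni))
```

In the sample run the destination instance has no name yet, so dest_inst_name and dest_ip_pub are absent from the record until the next refresh cycle describes it.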
Credential Requirements
The AWS IAM policy used for ingestion already includes the permissions needed for enrichment:
- ec2:DescribeInstances: resolves instance names and tags
- ec2:DescribeVpcs: resolves VPC names
- ec2:DescribeNetworkInterfaces: resolves interface-to-instance mapping
- ec2:DescribeNatGateways, ec2:DescribeVpcEndpoints: resolves service endpoint context
No additional IAM permissions are required beyond what the standard ingestion policy grants.