AWS VPC Flow Logs Input Configuration

Prerequisites

AWS VPC flow logs are generated by an ENI - network interface - in your VPC, whether it is attached to an EC2 instance, a service, or even to a task in AWS Forgate.

NetFlow Optimizer and EDFN support ingestion of VPC Flow Logs from both, S3 and CloudWatch. One NFO instance can ingest VPC Flow Logs from S3 for certain VPCs and at the same time receive VPC Flow Logs from CloudWatch for other VPCs in your AWS environment.

important

You have two choices to access AWS and ingest VPC Flow Logs: using IAM Role or using AWS account.

• Using IAM Roles: Use this option if your NFO/EDFN is installed on an EC2 instance
• Using AWS User: Use this option if your NFO/EDFN is installed on premises or outside of your AWS cloud

Configuration Steps

1. Configure AWS VPC Flow Logs
2. Configure AWS User and Policy
3. Configure EDFN Agent for ingestion of AWS VPC Flow Logs
4. Enable and Configure NFO Modules for AWS VPC Flow Logs reporting

Configure AWS VPC Flow Logs

To publish VPC Flow Logs to S3 visit: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html.

To publish VPC Flow Logs to CloudWatch Logs visit: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html.

Kinesis Stream Configuration

When VPC Flow logs are stored in the CloudWatch Logs, NFO can receive them using CWL API, or, subscribe to a Kinesis stream.

There are two ways to configure logs publishing to a Kinesis stream:

• use CloudFormation template or
• manually create required resources using Amazon console and CLI

CloudFormation

Logs group and Kinesis stream may be created using CloudFormation per region. Download the CloudFormation templates from here: https://nfo-ami.s3.us-west-2.amazonaws.com/2.10.0/NFOCwlKinesisSubscription.template

Create a stack using the template. Open the Amazon CloudFormation console https://console.aws.amazon.com/cloudformation/home and create a stack following these instructions https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html.

During the stack creation, the following parameters may be changed:

• CloudWatch Logs group: Logs retention period in days (default 30 days)
• Kinesis stream: Data retention period in hours (default 24 hours, min 24 hours, max 168 hours)
• Kinesis stream: Number of shards (default 1)

The CloudFormation template automatically creates the following resources:

• NFLVpcFlowLogRole_<stack_name>_<region_id> – the IAM role for publishing Flow Logs to CloudWatch Logs.
• NFLCwlToKinesisRole_<stack_name>_<region_id> – the IAM role for publishing Flow logs from CloudWatch Logs group to a Kinesis Stream.
• NFLVpcFlowLogGroup_<stack_name>_<region_id> – the CloudWatch Logs group for Flow Logs.
• NFLVpcKinesisStream_<stack_name>_<region_id> – Kinesis Stream.
• NFLVpcFlowLogsSubscriptionFilter – the CloudWatch Logs group NFLVpcFlowLogGroup subscription filter. All Flow Logs are published to the Kinesis Stream NFLVpcKinesisStream.

Where <stack_name> is substituted as a CloudFormation stack name and <region_id> as a current region ID.

After that you only have to create VPC Flow Logs for your VPCs, subnets, or network interfaces (see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log for details).

Select NFLVpcFlowLogGroup_<stack_name>_<region_id> as the destination and NFLVpcFlowLogRole_<stack_name>_<region_id> as the IAM role.

Amazon Console

If the CloudFormation template isn’t suitable for you, all these resources can be created using the Amazon console or CLI. For example, you may want to collect Flow Logs from several Amazon accounts in one Kinesis Stream and so on.

1. Create an IAM role for publishing Flow Logs to CloudWatch Logs (see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-iam for details).

2. Create a Flow Log that publishes to CloudWatch Logs (see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log for details).

3. Configure Kinesis Stream.

   The EDFN agent is working as a Kinesis steam consumer, and it can be with or without Enhanced Fan-Out, see Reading Data from Amazon Kinesis Data Streams https://docs.aws.amazon.com/streams/latest/dev/building-consumers.html for details.

   If you decide not to use Enhanced fan-out, you may deregister the consumer EDFN_KINESIS_VPC_FLOW_LOG_CONSUMER manually. To do this, please navigate to AWS console - Services - Kinesis - Data Streams, then select your stream(s), open the Enhanced fan-out tab, and deregister EDFN_* consumer.

   Also, if you decide to use CloudWatch Logs API instead of Kinesis stream consumer, you may remove unused streams too.

4. Create CloudWatch Logs Kinesis subscription filter. After that CloudWatch log group will publish VPC Flow Logs to the Kinesis stream.

   The subscription can be created using CLI (see Subscription Filters with Kinesis https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#DestinationKinesisExample for details). On step 7 the filter-pattern parameter may be left "" (empty string). To create the subscription using AWS console:

   1. Create IAM Role with the following policy:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": "kinesis:PutRecord",
               "Resource": "kinesis-stream-arn",
               "Effect": "Allow"
           },
           {
               "Action": "iam:PassRole",
               "Resource": "iam-role-arn",
               "Effect": "Allow"
           }
       ]
   }
   2. Navigate CloudWatch Log groups and select log group for streaming.
   3. Open "Subscription filters" tab and select "Create Kinesis subscription filter".
   4. On the opened form enter Kinesis stream, IAM Role, filter name and you may select Log format "Amazon VPC Flow Logs"
   5. Click "Start streaming" button

note

Enhanced fan-out consumers may result in additional charges from AWS.

S3 and SQS Configuration

VPC Flow logs may be sent to an S3 bucket. For more information visit Publishing Flow Logs to Amazon S3 https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html. The EDFN agent doesn’t monitor the S3 bucket for new object creation directly. It assumes that the S3 bucket sends “s3:ObjectCreated:*” notifications to the Simple Queue Service (SQS).

There are two ways to configure S3 bucket and SQS:

• use CloudFormation template
• manually create required resources using Amazon console or CLI

CloudFormation

All required resources may be created using Amazon CloudFormation template. The CloudFormation template is available here: https://nfo-ami.s3.us-west-2.amazonaws.com/2.10.0/nfo_aws_s3_sqs_template.json

Create a stack using the template. Open Amazon CloudFormation console and create the stack following these instructions: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html

1. Navigate to CloudFormation, select Stacks in the left panel.
2. Click “Create stack” and select “With new resources (standard).
3. Enter Amazon S3 URL or upload the template.
4. Enter the stack name.
5. Enter custom parameters:
   1. Policy name – IAM policy name for EDFN agent, this is the optional parameter and may be left empty. For example, when S3/SQS is configured in several regions you need to create a single policy.
   2. Role name – IAM role name for EC2 instance where NFO/EDFN is installed. This is also the optional parameter and may be left empty.
   3. S3 bucket name – name of the bucket to which VPC flow logs will be published.
   4. SQS name – name of the queue to which bucket object creation events will be published.
6. Click next.
7. Validate options on the opened page and then click next.
8. Review and submit.

After these steps CloudFormation creates from 2 to 4 resources: S3 bucket, SQS queue, IAM policy, and IAM role. IAM policy and role have deletion policy RetainExceptOnCreate, so please remove them manually when you will not need them anymore. S3 bucket also cannot be removed if it is not empty.

Finally, you only have to create VPC Flow Logs for your VPCs, subnets, or network interfaces (see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html for details) and enter S3 bucket ARN as the destination. ARN can be copied from the bucket Properties page or it is also available on the Output tab of the stack.

Amazon Console

If the CloudFormation template doesn't work for you, you have the option to create all these resources using the Amazon console or CLI.

note

EDFN agent expects that the queue account has access to “s3:GetObject” action. The S3 bucket region and SQS region must be the same.

To configure SQS:

1. Sign in to the Amazon SQS console https://console.aws.amazon.com/sqs/.
2. Change the region to the S3 bucket’s region.
3. Choose Create New Queue.
4. Enter the Queue name.
5. Leave Standard queue selected.
6. Choose Configure Queue.
7. Change Receive Message Wait Time from 0 to 20 seconds.
8. Choose Create Queue.

When the queue is created, add permission to the queue allows the S3 bucket to send messages to it:

{
 "Version": "2012-10-17",
 "Id": "QUEUE-PERMISSION-POLICY-ID",
 "Statement": [
  {
   "Sid": "STATEMENT-ID",
   "Effect": "Allow",
   "Principal": {
     "AWS": "*"  
   },
   "Action": [
    "SQS:SendMessage"
   ],
   "Resource": "arn:aws:sqs:REGION:ACCOUNT-ID:QUEUE-NAME",
   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:BUCKET-NAME" }
   }
  }
 ]
} 

When the queue permissions are configured, add S3 bucket notifications:

1. Sign in to the Amazon S3 console https://console.aws.amazon.com/s3/.
2. Select the bucket and choose Properties.
3. Choose events and press Add notification.
4. Enter the event name.
5. In the Events section, select All object create events.
6. Optionally enter prefix and suffix. For example, suffix may be “.log.gz”.
7. Choose the SQS destination and select your queue name or enter the queue ARN. The SQS and bucket region must be the same.
8. Choose Save.

Configure AWS User and Policy

You have two choices to configure EDFN Agent to access AWS and ingest VPC Flow Logs: using IAM Role or using AWS account. In both cases you need to create an AWS Permissions Policy - see below.

Using IAM Roles

Use this option if your NFO/EDFN is installed on an EC2 instance. Make sure that an appropriate IAM role is attached to the EC2 instance running EDFN.

"AWS Credentials" tab MUST be empty for IAM roles authentication.

Using AWS User

Use this option if your NFO/EDFN is installed on premises or outside of your AWS cloud. This method requires an access key, a secret access key and optionally default region.

AWS Permissions Policy

Create an IAM Policy to allow the EDFN Agent to access AWS resources. The policy can be created automatically when the CloudFormation template is used for S3/SQS configuration. To create such a policy, open the IAM console, navigate to the Policies page and press the Create Policy button. Then select the JSON tab and insert the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EdfnMinPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions",
                "ec2:DescribeInstances",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeRouteTables",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:SearchTransitGatewayRoutes",
                "logs:DescribeSubscriptionFilters",
                "logs:GetLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketNotification",
                "s3:GetObject",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ChangeMessageVisibility*",
                "sqs:DeleteMessage*",
                "sqs:ReceiveMessage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KCLPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:DeleteItem",
                "dynamodb:UpdateItem",
                "dynamodb:Scan",
                "kinesis:GetRecords",
                "kinesis:GetShardIterator",
                "kinesis:ListShards",
                "kinesis:ListStreamConsumers",
                "kinesis:SubscribeToShard",
                "kinesis:DescribeStream*",
                "kinesis:RegisterStreamConsumer"
            ],
            "Resource": "*"
        }
    ]
}

IAM Roles Configuration

When EDFN is installed on the EC2 instance, AWS access for IAM role configuration (the role can be created automatically when the CloudFormation template is used for S3/SQS configuration) can be configured using the following steps:

1. Open the IAM console https://console.aws.amazon.com/iam/home.
2. In the navigation pane, choose Roles, then Create New Role.
3. On the Select Role Type page, under AWS Service Roles, choose Amazon EC2.
4. On the Permissions page, choose the already created policy EdfnAgentPolicy from the policy list or create a new one with permissions from the previous section, then choose Next Step.
5. Enter a name for the role, and then select Next Step.
6. On the Review page, choose Create Role.
7. Launch an Amazon EC2 instance with the IAM role that you’ve created previously:
   1. Open the Amazon EC2 console
   2. Go to the Instances page
   3. Select the instance, then Actions, Instance Settings, and Attach/Replace IAM Role.

NFO may collect flow logs from different accounts using the “Switch Role” action. For detailed information, visit Delegate Access Across AWS Accounts Using IAM Roles https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html. The EC2 Instance assumes the IAM role from another account and thus has access to resources in this account. The assumed role must have permissions from the EdfnAgentPolicy policy.

For example, if your NFO is installed in the account 111111111111 and the second account is 999999999999, access delegation may be configured using the following steps for account 999999999999:

1. Open the IAM console: https://console.aws.amazon.com/iam/home
2. In the navigation pane on the left, choose Roles and then choose Create role.
3. Choose the Another AWS account role type.
4. For Account ID, type first the account ID: 111111111111
5. Optionally type External ID (must be unique across assumed accounts) or leave it blank.
6. Choose Next: Permissions, to set the permissions that will be associated with the role.
7. Select EdfnAgentPolicy.
8. Then choose Next: Tags.
9. Choose Next: Review and type the role name.
10. After reviewing the role, choose Create role.
11. Open the just created role and copy the role ARN.

After that, configure the EC2 Instance Role permission, for account 111111111111 by doing the following steps:

1. Open the IAM console: https://console.aws.amazon.com/iam/home

2. In the navigation pane on the left, choose Roles and then choose your EC2 Instance role.

3. Choose the Permissions tab and click + Add inline policy.

4. Insert the following JSON policy (don’t forget to replace role ARN):

5. Choose Review policy and then type the policy name.

   {
       "Version": "2012-10-17",
       "Statement": {
           "Effect": "Allow",
           "Action": "sts:AssumeRole",
           "Resource": "arn:aws:iam::999999999999:role/YourRoleName"
       }
   }

6. After reviewing the policy, choose Create policy.

   After that, the EC2 instance role in the account 111111111111 has access to some of account’s 999999999999 resources. You only have to add the assumed role ARN, and optionally, external ID to the EDFN agent’s “IAM Roles” configuration list.

After that, the EC2 instance role in the account 111111111111 has access to some of account’s 999999999999 resources. You only have to add the assumed role ARN, and optionally, external ID to the EDFN agent’s “IAM Roles” configuration list.

IAM User Configuration

This section describes configuration, if your AWS environment is accessed using IAM user. Please perform the following steps:

1. Open AWS console
2. Navigate to Identity and Access Management (IAM)
3. Click Users in the left panel
4. Click Create user
5. Enter user name, for instance, edfn-agent
6. Select Attach policies directly
7. Find and select policy created in the section AWS Permissions Policy
8. Click next to review and finally save the user

Then you need to open the user and generate secret access key for NFO API requests. Please perform the following steps:

1. Open created user edfn-agent
2. Click Security credentials tab
3. On Access keys panel click Create access key
4. Select Other use case and click next
5. Press Create access key
6. Copy access key and Secret access key, you need these keys for AWS input configuration (via EDFN Agent)

Configure EDFN Agent

When you click on Amazon VPC Flow Logs in NFO Input summary panel you will be presented with the the following configuration screen.

On this screen you can configure the following parameters:

Settings Tab

Cron Schedule

NFO AWS VPC Flow Logs processing includes data enrichment with fields such as EC2 instance names, VPC names, Regions, Services, etc. This information is updated on cron schedule set here.

Assume Role Session Duration

Set this parameter is you use IAM Role method to access your AWS environment. The EDFN agent uses temporary credentials for AWS access. By default, the AWS temporary session has a one hour duration. If all delegated roles have a longer or shorter session duration, you can set this parameter value from 15 minutes to 12 hours.

KCL Metrics Level

Set this parameter (Kinesis Client Library metrics level) to SUMMARY or DETAILED to investigate Kinesis Stream processing problems. For more information, visit Monitoring the Kinesis Client Library with Amazon CloudWatch (https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-kcl.html).

CloudWatch Logs Request Interval

By default, VPC Flow Logs are requested every 30 seconds. Set this parameter to a frequency you want. Valid values are from 1 second to 1 day.

S3 Concurrency

This parameter is used when VPC Flow Logs are ingested from S3. It may be increased (default = 2), when S3 objects are processed too slowly. This can be verified in your AWS on queue monitoring panel (SQS console – select queue – choose Monitoring tab).

Max IPFIX Packet Size

This is NFO internal parameter – maximum IPFIX UDP message size. It is expected to be less or equals to MTU. When NFO and EDFN are installed on the same host, the parameter may be increased up to 3900 to increase processing speed.

IPFIX Records Rate Limit

This is NFO internal parameter – maximum IPFIX records per second. Default value 0 (means unlimited). If you see NFO server dropped messages (NetFlow Optimizer -> Status), this parameter could be set to another value, for example, 10000 records per second.

Set Access to your AWS Accounts

There are two alternative ways to access your AWS accounts where VPC Flow Logs are configured.

1. AWS Credentials Tab

Use this method if you have a list of independent AWS accounts. The EDFN Agent expects that each account has only one profile. On "AWS Credentials" tab add a row for each account:

Access key ID and Secret access key are mandatory.

These credentials are available here: AWS console > IAM > Users > select User name > Security credentials tab. "Profile name" and "Default region" are optional.

The EDNF agent monitors all available regions to gather information about your EC2 instances and VPCs. To retrieve the account ID and list of available regions, the agent makes API calls using “Default region”. If it isn't provided, "us-east-1" is used.

2. IAM Role Tab

Use this method if you create IAM Role to delegate access across AWS accounts. See https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html for details.

Create a list of your ARNs and optionally External IDs as follows:

arn:aws:iam::999999999999:role/Role1,
arn:aws:iam::999999999998:role/Role1,
arn:aws:iam::999999999997:role/Role2,externalID-2

and enter it here:

info

Do not enter ARN assigned to NFO instance!

Verify AWS Access and Set IPFIX Exporters

Press the “Run now” button to retrieve the list of accounts and associated VPCs (IPFIX exporters section), Kinesis Streams, CloudWatch Log groups, and S3 buckets (with associated queues).

Open the IPFIX Exporters section to review and assign an exporter IP to each VPC. This IP will be reported as exp_ip= field in syslogs. It is used for compatibility with physical network device *flow reporting in visualizations and alerting.

Enable VPC Flow Logs Input

Depending on your AWS VPC Flow Logs collection, you can enable one or more of the following configurations.

note

Please note that to avoid duplicate VPC Flow logs ingestion, the EDFN Agent for each VPC will use Kinesis Stream, if configured, before attempting to get logs from the CloudWatch Log group.

Kinesis Streams

Open the Kinesis Streams section to enable VPC Flow logs ingestion using Kinesis Streams. Set Enhanced Fan-Out option, if necessary.

To investigate Kinesis Stream processing problems, change the parameter “KCL metrics level” – Kinesis Client Library metrics level: valid values are NONE, SUMMARY and DETAILED. For more information, visit Monitoring the Kinesis Client Library with Amazon CloudWatch (https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-kcl.html).

CloudWatch Log Groups

Open the CloudWatch Log groups to enable VPC Flow logs ingestion using the CloudWatch API.

By default, VPC Flow Logs are requested every 30 seconds according to the “CloudWatchLogs request interval” parameter.

S3 and SQS

Open the “S3 and SQS” section to enable reading VPC Flow Logs from S3 using SQS messages notifications.

AWS Modules and Network Conversations Module Output Fields

The table below provides a side-by-side comparison of fields available in native VPC flow logs and NFO enriched output fields from various Modules.

VPC Flow Logs Native Fields	Enriched 20201 Output	Enriched 20267 Output	Enriched 20062 Output	Field Description
	nfc_id	nfc_id	nfc_id	Message type identifier
			flow_type	Type of flow
	exp_ip	exp_ip	exp_ip	Subnet virtual router ipv4 address
account-id	account_id	account_id	aws_account_id	AWS account ID
action	vpcflow_action	vpcflow_action	action	Accept or reject
bytes	bytes_in	bytes_in	bytes_in	Number of bytes recorded in the capture window.
dstaddr	dest_ip	dest_ip	dest_ip	Ipv4 or ipv6 of the destination.
dstport	dest_port	dest_port	dest_port	Port number of the destination.
end	flow_end_time	flow_end_time	flow_end_time	End time of the capture window in unix epoch seconds.
instance-id	aws_src_inst_id aws_dest_inst_id	aws_src_inst_id aws_dest_inst_id	aws_src_inst_id aws_dest_inst_id	Source or destination instance ID
interface-id	interface_id	interface_id	aws_interface_id	Interface ID
packets	packets_in	packets_in	packets_in	Number of packets recorded in the capture window.
pkt-dstaddr	dest_ip			The packet-level (origin) destination IP address.
pkt-srcaddr	src_ip			The packet-level (origin) source IP address.
protocol	protocol	protocol	protocol	Iana protocol number.
srcaddr	src_ip	src_ip	src_ip	Ipv4 or ipv6 address of the source.
srcport	src_port	src_port	src_port	Port number of the source
start	flow_start_time	flow_start_time	flow_start_time	Start time of the capture window in unix epoch seconds.
subnet-id	subnet_id	subnet_id		Subent ID of the interface (201 and 267 modules support this field, 62 – ignores)
tcp-flags	tcp_flag	tcp_flag	tcp_flag	TCP flags
type	vpcflow_type	vpcflow_type		Type of traffic: IPv4
vpc-id	vpc_id	vpc_id	aws_vpc_id	VPC ID
	src_inst_name	src_inst_name	src_vm_name	Name of the source instance
	dest_inst_name	dest_inst_name	dest_vm_name	Name of the destination instance
	src_ip_pub	src_ip_pub	src_ip_pub	Source EC2 instance public IPv4 address
	dest_ip_pub	dest_ip_pub	dest_ip_pub	Destination EC2 instance public IPv4 address
			src_region	Source GEO region
	src_region	src_region	src_cloud_region	Cloud source region
			dest_region	Destination GEO region
	dest_region	dest_region	dest_cloud_region	Cloud destination region
	src_service	src_service	src_cloud_service	Cloud source service
	dest_service	dest_service	dest_cloud_service	Cloud destination service
		bytes_out	bytes_out	Number of bytes in reply when client-server flows are stitched
		packets_out	packets_out	Number of packets in reply when client-server flows are stitched
			exp_name	Name of vpc flow exporter
			direction	Direction of originating flow
			threat_list_name	Name of a cybersecurity threat list
			reputation	Reputation from the treat list
			idp	User identity provider
			username	User name from login events (AD, Microsoft Entra ID, Okta, etc)
			app_id	Application ID
			app_name	Application name
			app_desc	Application description
			src_cc	Source country code
			src_city	Source city
			src_lon	Source longitude
			src_lat	Source latitude
			dest_as	Destination AS
			dest_cc	Destination country code
			dest_city	Destination city
			dest_lon	Destination longitude
			dest_lat	Destination latitude
az-id				The ID of the Availability Zone
log-status				The logging status of the flow logs, NODATA and SKIPDATA logs are ignored.
pkt-dst-aws-service				Destination AWS service
pkt-src-aws-service				Source AWS service
flow-direction				Direction
region				Region
sublocation-id				The type of sublocation
sublocation-type				The ID of sublocation
traffic-path				not supported
version				VPC flow log version. Version 2 – fixed fields, version > 3 – configurable list of fields.