How can I resolve an “Access Error” after configuring my VPC flow log?

Last updated: 2022-03-31

I'm receiving the following error message after configuring my VPC flow log:

"Access Error. The IAM role for your flow logs does not have sufficient permissions to send logs to the CloudWatch log group."

How can I resolve this?

Short description

The following are common reasons for this error:

  • The Identity and Access Management (IAM) role for your flow log doesn't have sufficient permissions to publish flow log records to the Amazon CloudWatch log group.
  • The IAM role doesn't have a trust relationship with the flow logs service.
  • The trust relationship doesn't specify the flow logs service as the principal.

Resolution

The IAM role for your flow log doesn't have sufficient permissions to publish flow log records to the CloudWatch log group

The IAM role that's associated with your flow log must have permissions to publish flow log records to the specified log group in CloudWatch Logs, and the role must belong to your AWS account. The following permissions policy grants the CloudWatch Logs actions that the flow logs service needs:

{
 "Version":"2012-10-17",
 "Statement": [
  {
   "Effect":"Allow",
   "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams"
   ],
   "Resource":"*"
  }
 ]
}

The IAM role doesn't have a trust relationship with the flow logs service

Make sure that your role has a trust relationship that allows the flow logs service to assume the role.

1. Log in to the IAM console.

2. Select Roles.

3. Select VPC-Flow-Logs (the role that's associated with your flow log).

4. Select Trust relationships.

5. Select Edit trust policy.

6. Delete the current code in this section, and then paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

7. Select Update policy.

Trust relationships give you control over which services are allowed to assume a role. In the preceding example, the relationship allows only the VPC flow logs service to assume the role.

The trust relationship doesn't specify the flow logs service as the Principal

Make sure that the trust relationship specifies the flow logs service as the Principal, as shown in the following example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
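As an added example (not part of the article), the following Python check reads a role's permissions policy and trust policy as JSON and reports which of the three causes above applies: missing logs actions, no trust statement for the flow logs service, or the wrong principal. The sample documents at the bottom are constructed to fail both checks; the function and constant names are the example's own.

```python
import fnmatch
import json

# Actions the article lists for publishing flow logs to CloudWatch Logs.
REQUIRED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogGroups", "logs:DescribeLogStreams"}
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def missing_permissions(policy_doc):
    """Required logs actions that no Allow statement grants (wildcards such as logs:* count).
    Only Allow statements are inspected; an explicit Deny elsewhere could still block."""
    granted = [a.lower() for s in _as_list(policy_doc.get("Statement", []))
               if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    return {a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), g) for g in granted)}

def trusts_flow_logs(trust_doc):
    """True if an Allow statement lets the flow logs service call sts:AssumeRole."""
    for s in _as_list(trust_doc.get("Statement", [])):
        principal = s.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and FLOW_LOGS_SERVICE in services
                and "sts:AssumeRole" in _as_list(s.get("Action", []))):
            return True
    return False

def diagnose(policy_json, trust_json):
    """Return a list of problems; an empty list means both documents pass."""
    problems = []
    missing = missing_permissions(json.loads(policy_json))
    if missing:
        problems.append("permissions policy lacks: " + ", ".join(sorted(missing)))
    if not trusts_flow_logs(json.loads(trust_json)):
        problems.append(f"trust policy does not let {FLOW_LOGS_SERVICE} assume the role")
    return problems

# Constructed sample documents: the permissions policy omits logs:PutLogEvents and the
# trust policy names the wrong service principal, reproducing two causes of the error.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams"], "Resource": "*"}]})
BAD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    print(*diagnose(BAD_POLICY, BAD_TRUST), sep="\n")
```

To check a live role, feed it the documents returned by `aws iam get-role` (trust policy) and `aws iam get-role-policy` or `aws iam get-policy-version` (permissions policy).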
