- VPC Flow Logs capture metadata about the IP traffic going to and from the network interfaces (ENIs) in your VPC; they record flows, not packet payloads
- You can turn on Flow Logs at the VPC, subnet or network interface level (a VPC-level flow log covers every ENI in the VPC, including those created later)
- VPC Flow Logs can be tagged like other EC2 resources (older notes list this as a limitation, but CreateFlowLogs now accepts tag specifications)
- You cannot change the configuration of a flow log after it's created; to change its filter, destination or record format, delete it and create a new one
- You cannot enable flow logs for a VPC that is peered with your VPC unless the peer VPC is in the same account
- VPC Flow Logs can be delivered to S3, CloudWatch Logs or Kinesis Data Firehose
- VPC Flow Log records contain the source and destination IP addresses (not hostnames); each record summarises one flow (5-tuple) within the capture window and shows whether it was ACCEPTed or REJECTed by security groups and network ACLs
- Some instance traffic is not monitored:
  - Instance traffic generated by contacting the Amazon DNS servers (traffic to your own DNS server is logged)
  - Windows license activation traffic from instances
  - Traffic to and from the instance metadata address (169.254.169.254)
  - Traffic to and from the Amazon Time Sync Service (169.254.169.123)
  - DHCP traffic
  - Any traffic to the reserved IP address of the default VPC router