AWS Security Academy · Lesson

Reading Flow Log Records and Fields

Decode source, destination, ports, and the accept or reject action.

Anatomy of a Record

A flow log record is a single line describing traffic for one connection during the aggregation interval. The default format is a fixed sequence of space-separated fields. Learning to read this line quickly is a core skill for any network investigation on AWS.

The Five-Tuple

The heart of a record is the five-tuple: source address, destination address, source port, destination port, and protocol number. This uniquely identifies a conversation. Protocol 6 is TCP and 17 is UDP. Together these fields tell you exactly which endpoints were talking and over what service.

2 111122223333 eni-0abc 10.0.1.5 10.0.2.9 49152 443 6 12 6000 1620140761 1620140821 ACCEPT OK
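Parsing the record above field by field, as an added example that is not part of the lesson: the field order is the documented default (version 2) format, the protocol-number table is the IANA assignment, and the second sample line is a constructed NODATA record showing that unpopulated fields arrive as '-', not as numbers.

```python
# Default (version 2) format: 14 space-separated fields in this order.
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def parse_record(line: str) -> dict:
    """Parse one default-format line into a dict keyed by field name. Numeric
    fields become int; '-' (not populated, as in NODATA/SKIPDATA) becomes None."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(DEFAULT_FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def five_tuple(rec: dict) -> tuple:
    """The conversation identifier: src addr, dst addr, src port, dst port, protocol."""
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"], rec["protocol"])


def describe(rec: dict) -> str:
    """One-line summary: who talked to whom, over what, and the verdict."""
    if rec["log_status"] != "OK":
        return f"{rec['interface_id']}: {rec['log_status']}, no traffic fields"
    proto = PROTOCOL_NAMES.get(rec["protocol"], f"proto {rec['protocol']}")
    secs = rec["end"] - rec["start"]
    return (f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"{proto}, {rec['packets']} pkts/{rec['bytes']} B in {secs}s: {rec['action']}")


# Constructed samples: the lesson's record, then a NODATA interval (traffic fields are '-').
SAMPLE_LINES = [
    "2 111122223333 eni-0abc 10.0.1.5 10.0.2.9 49152 443 6 12 6000 1620140761 1620140821 ACCEPT OK",
    "2 111122223333 eni-0abc - - - - - - - 1620140761 1620140821 - NODATA",
]
if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_record(line)))
```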
