Amazon VPC Flow Logs Challenge


  1. Good knowledge of AWS services
    • Amazon VPC and its components
    • Amazon CloudWatch
    • Amazon EC2 Instances
  2. Laptop
  3. Internet Browser
  4. Internet connection

Challenge Instructions

  1. Region: Make sure to use the us-east-1 region to create all the resources.
  2. You will be provided with the requirements of the challenge. If you are new to AWS Cloud, we recommend going through our hands-on labs before taking this challenge.
  3. Challenge Duration: 60 minutes

How to submit the challenge

  1. After building the infrastructure, click the Validate button to check whether you have built the required infrastructure and completed the challenge successfully.
  2. Validation status
    • Success - You have completed the challenge successfully.
    • Failed - You have failed to complete the challenge.
  3. Once you have successfully validated the challenge, click on End Lab.

Cloud Challenge Details

In this lab challenge, your Amazon VPC and VPC Flow Logs skills are put to the test. You will be given a requirement and must meet it using your knowledge of Amazon VPC and the other AWS services involved in working with VPC Flow Logs and CloudWatch Logs. The lab challenge helps you understand real-world scenarios.

Company XYZ is deploying a new web application. As part of the infrastructure, they need to inspect logs to confirm that everything is working correctly in their testing environment. Your challenge is to generate logs through SSH on EC2 instances and deliver them to CloudWatch Logs.

  1. Create a CloudWatch Log Group. Once traffic is generated by the EC2 instance and the flow logs are processed, they will be visible here.

  2. Create a VPC and subnets. For this lab, you will not use the default VPC in the account; instead, you will create a custom VPC and a subnet inside it.

  3. Create an Internet Gateway and attach it to the custom VPC. The Internet Gateway provides Internet access only after you add a route to it in the route table.

  4. Add a route to the Internet Gateway in the default route table of the custom VPC. After this step, EC2 instances launched in this VPC can reach the Internet. Make sure to enable Auto-assign public IP, either in the subnet settings or while configuring the EC2 instance.

  5. Create an IAM role with the new policy mentioned in the Resources section below. Then update the role's trust policy by changing the service name to vpc-flow-logs.

  6. Create VPC Flow Logs with CloudWatch Logs as the destination, select the newly created role as the IAM role, and set the maximum aggregation interval to 1 minute; otherwise you may have to wait up to 10 minutes for logs to appear in CloudWatch Logs.

  7. Launch an EC2 instance with Amazon Linux 2 as the AMI, t2.micro as the instance type, and the newly created VPC as the network; enable Auto-assign Public IP and create an RSA key pair, which is required for SSH.

  8. SSH into the EC2 instance using the key pair and run some sample commands to generate traffic.

  9. View the logs generated by the EC2 instance in the CloudWatch Logs group.

  10. Click on Validate to complete the challenge.
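The records you see in step 9 use the default VPC Flow Logs record format. As an added example (not part of the lab), the script below parses such lines and counts SSH (TCP/22) flows per source address and action, which is one way to confirm that the traffic from step 8 actually reached CloudWatch Logs and to spot rejected connection attempts. The sample records are constructed, with a placeholder account id, interface id and addresses.

```python
"""Parse default-format VPC Flow Log records and summarise SSH traffic."""
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

def parse_record(line):
    """Split one flow log line into a dict; return None for NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None  # interval carried no traffic or records were dropped
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def ssh_summary(lines):
    """Count inbound SSH flows (TCP protocol 6, destination port 22) per (srcaddr, action)."""
    summary = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["protocol"] == 6 and rec["dstport"] == 22:
            summary[(rec["srcaddr"], rec["action"])] += 1
    return summary

# Constructed sample records: an accepted SSH session (both directions),
# a rejected attempt from another address, and an idle interval.
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51234 22 6 20 4249 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 22 51234 6 18 3210 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 40022 22 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for (src, action), count in sorted(ssh_summary(SAMPLE).items()):
        print(f"{src:<16} {action:<7} {count} flow(s)")
```

Only flows whose destination port is 22 are counted, so the instance's reply flow (source port 22) is not double-counted.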