The VPC Flow Logs Discipline

VPC flow logs are powerful and underused. The discipline of capturing, storing, and querying them productively.

Capture

All VPCs, all subnets. Per-flow records.

Cost: real but not large. Skipping vpcs is false economy.

Storage

Hot tier (7 days): queryable for incident response.

Warm tier (90 days): for trend analysis. Cold tier (1 year): for compliance.

Query patterns

Top sources by bytes. Top destinations by connections.

Anomaly: traffic to/from new external IPs. Sometimes a security event.