What could be blocking the VPC flow logs from being published to CloudWatch Logs?
The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission
The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission
The VPC is configured for IPv6 addresses
The VPC is peered with another VPC in the AWS account
Explanations:
The IAM policy attached to the IAM role for the flow log must include the logs:CreateLogGroup permission to create a log group in CloudWatch Logs. Without this permission, the flow logs cannot be published, resulting in no logs appearing in CloudWatch.
The logs:CreateExportTask permission is not required for VPC flow logs to be published to CloudWatch Logs. This permission is related to exporting log data rather than creating or publishing logs.
The configuration of the VPC for IPv6 addresses does not block flow logs from being published to CloudWatch Logs. Flow logs can capture both IPv4 and IPv6 traffic without any issues related to address type.
Peering a VPC with another VPC in the same AWS account does not block the publishing of flow logs to CloudWatch Logs. Flow logs can still be generated and published for traffic within a peered VPC.