You enabled VPC Flow Logs, but nothing is appearing in CloudWatch or S3. The flow log shows as active in the console, yet the log group is empty. Before you recreate anything, run one command to check the actual delivery status.

Step 1: Check the Delivery Status

aws ec2 describe-flow-logs \
  --query 'FlowLogs[*].[FlowLogId,FlowLogStatus,DeliverLogsStatus,DeliverLogsErrorMessage]' \
  --output table

The DeliverLogsStatus field is either SUCCESS or FAILED. If it's FAILED, DeliverLogsErrorMessage tells you exactly what went wrong. The four most common causes follow.

Cause 1: IAM Role Permissions Missing

This is the most frequent cause. The IAM role used by the flow log needs specific permissions to write to CloudWatch Logs.

Required IAM policy for the role:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams"
    ],
    "Resource": "*"
  }]
}

And the trust policy must allow the VPC Flow Logs service to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}

Check what trust the current role has:

aws iam get-role \
  --role-name your-flow-log-role \
  --query 'Role.AssumeRolePolicyDocument'
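The two documents above can be checked offline before you touch the flow log. The script below is an added example, not part of the original article: it takes the role's permissions policy and trust policy as JSON strings (for instance the output of `aws iam get-role-policy --query PolicyDocument` and `aws iam get-role --query Role.AssumeRolePolicyDocument`) and reports which of the required `logs:` actions are not granted and whether `vpc-flow-logs.amazonaws.com` may assume the role. It honours action wildcards such as `logs:*`, which the article does not discuss. The function names and the "broken" sample documents are constructed for illustration; the "good" documents are the article's own policies.

```python
"""Offline checker for the two policy documents a VPC Flow Logs role needs."""
import fnmatch
import json

# Permissions the article lists for writing flow logs to CloudWatch Logs.
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
}
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_log_permissions(policy_json):
    """Return the required actions that no Allow statement grants (sorted).

    Wildcards such as logs:* or logs:Put* are honoured, and matching is
    case-insensitive as IAM's is. Deny statements are not evaluated.
    """
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(REQUIRED_ACTIONS - granted)


def trusts_flow_logs_service(trust_json):
    """True if an Allow statement lets vpc-flow-logs.amazonaws.com call sts:AssumeRole."""
    policy = json.loads(trust_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if FLOW_LOGS_SERVICE in services and any(a in actions for a in ("sts:assumerole", "sts:*", "*")):
            return True
    return False


def diagnose(permissions_json, trust_json):
    """Return human-readable findings; an empty list means the role looks correct."""
    findings = []
    missing = missing_log_permissions(permissions_json)
    if missing:
        findings.append("role policy is missing: " + ", ".join(missing))
    if not trusts_flow_logs_service(trust_json):
        findings.append(f"trust policy does not let {FLOW_LOGS_SERVICE} assume the role")
    return findings


# Sample documents. GOOD_* are the article's policies; BROKEN_* are constructed
# to show a role that silently fails delivery (missing PutLogEvents, wrong principal).
GOOD_PERMISSIONS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"]}]})
WILDCARD_PERMISSIONS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "logs:*", "Resource": "*"}]})
BROKEN_PERMISSIONS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams"]}]})
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
    "Action": "sts:AssumeRole"}]})
BROKEN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for label, perms, trust in [("good", GOOD_PERMISSIONS, GOOD_TRUST),
                                ("broken", BROKEN_PERMISSIONS, BROKEN_TRUST)]:
        print(label, diagnose(perms, trust) or ["ok"])
```

Run it against the live documents by piping the two `aws iam` outputs into `diagnose()`; an empty result means Cause 1 is ruled out and you can move on to the destination checks.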

Cause 2: CloudWatch Log Group Doesn't Exist

When you specify a log group name that doesn't exist yet, the flow log shows as active but delivery fails silently — or shows a LogDestinationNotFoundException.

# Check if the log group exists
aws logs describe-log-groups \
  --log-group-name-prefix /vpc/flow-logs

# Create it if missing
aws logs create-log-group \
  --log-group-name /vpc/flow-logs

Tip: For S3 delivery, the bucket must exist and have a bucket policy allowing delivery from delivery.logs.amazonaws.com. The error message will say Access Denied if the bucket policy is missing.

Cause 3: Normal Delivery Delay

Flow logs are not real-time. If you just enabled them and generated some traffic, the logs may simply not have arrived yet.

Wait 20 minutes after generating test traffic before concluding something is broken. Generate traffic with a simple curl from the instance:

# Generate traffic to trigger flow log entries
curl -s https://checkip.amazonaws.com
ping -c 3 8.8.8.8

Cause 4: Wrong Region

Flow logs are regional. If your VPC is in us-west-2 but you're looking at CloudWatch Logs in us-east-1, you'll see nothing. The log group must exist in the same region as the VPC.

# Confirm the VPC is in the region you are querying (describe-vpcs only
# returns VPCs in the region the call is made against)
aws ec2 describe-vpcs \
  --region us-west-2 \
  --vpc-ids vpc-0abc123 \
  --query 'Vpcs[*].[VpcId,OwnerId]'

# Look in the correct region
aws logs describe-log-groups \
  --region us-west-2 \
  --log-group-name-prefix /vpc/
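With the four causes in hand, the delivery status from Step 1 can be triaged mechanically. The script below is an added example, not from the original article: it reads the JSON form of `aws ec2 describe-flow-logs` (the table output in Step 1 is for humans; use `--output json` for scripts) and maps each flow log to one of the causes above by `DeliverLogsStatus`, `DeliverLogsErrorMessage` and destination type. The sample output is constructed; the error strings it contains are the ones the article mentions plus the generic "Access error" text, and the matching is substring-based, so anything unrecognised is handed back verbatim for manual review rather than guessed at.

```python
"""Triage `aws ec2 describe-flow-logs --output json` against the four common causes."""
import json

# Constructed sample output (not real account data): one healthy flow log and
# three failing ones with the error texts discussed in the article.
SAMPLE_DESCRIBE_FLOW_LOGS = json.dumps({"FlowLogs": [
    {"FlowLogId": "fl-0aaa111", "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flow-logs",
     "ResourceId": "vpc-0abc123"},
    {"FlowLogId": "fl-0bbb222", "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access error",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flow-logs",
     "ResourceId": "vpc-0abc123"},
    {"FlowLogId": "fl-0ccc333", "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "LogDestinationNotFoundException",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/missing-group",
     "ResourceId": "vpc-0abc123"},
    {"FlowLogId": "fl-0ddd444", "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "FAILED",
     "DeliverLogsErrorMessage": "Access Denied",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-flow-log-bucket",
     "ResourceId": "vpc-0abc123"},
]})


def triage_flow_logs(describe_output_json):
    """Return a list of (FlowLogId, verdict) pairs, one per flow log.

    SUCCESS means delivery works, so an empty destination points at delay or
    the wrong region (causes 3 and 4). FAILED is classified by the error text.
    """
    results = []
    for fl in json.loads(describe_output_json).get("FlowLogs", []):
        fl_id = fl.get("FlowLogId", "?")
        status = fl.get("DeliverLogsStatus")
        msg = fl.get("DeliverLogsErrorMessage") or ""
        dest_type = fl.get("LogDestinationType", "cloud-watch-logs")
        compact = msg.lower().replace(" ", "")
        if status == "SUCCESS":
            verdict = ("delivery OK: if the destination is still empty, allow for delivery "
                       "delay and confirm you are looking in the VPC's region (causes 3 and 4)")
        elif "notfound" in compact:
            verdict = "cause 2: log destination does not exist; create the log group or bucket"
        elif "access" in compact:
            if dest_type == "s3":
                verdict = "S3 bucket policy does not allow delivery.logs.amazonaws.com"
            else:
                verdict = "cause 1: IAM role permissions or trust policy; check the role's policies"
        else:
            verdict = f"unrecognised error, review manually: {msg!r}"
        results.append((fl_id, verdict))
    return results


def failed_flow_log_ids(describe_output_json):
    """IDs with DeliverLogsStatus FAILED, i.e. candidates for delete-and-recreate after fixing."""
    return [fl["FlowLogId"] for fl in json.loads(describe_output_json).get("FlowLogs", [])
            if fl.get("DeliverLogsStatus") == "FAILED"]


if __name__ == "__main__":
    for fl_id, verdict in triage_flow_logs(SAMPLE_DESCRIBE_FLOW_LOGS):
        print(f"{fl_id}: {verdict}")
```

Feed it real output with `aws ec2 describe-flow-logs --output json | python3 triage.py` after replacing the sample constant with `sys.stdin.read()`; the SUCCESS branch is deliberately not treated as "done", because a working flow log with an empty log group is exactly the delay or wrong-region situation.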

Recreating the Flow Log (If Needed)

If the flow log is in a permanent FAILED state, delete and recreate it after fixing the underlying cause:

# Delete the broken flow log
aws ec2 delete-flow-logs --flow-log-ids fl-0abc123

# Recreate targeting the VPC
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-0abc123 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /vpc/flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123456789:role/flow-log-role

What Flow Logs Are Used For

Once working, VPC Flow Logs let you query network traffic with Athena — finding S3 traffic routing through NAT Gateway, identifying cross-AZ data transfer, or detecting unexpected internet egress. See our VPC Flow Logs query guide for 4 copy-paste Athena queries.

Related Articles

→ VPC Flow Logs: Read Fields and Query with Athena [4 SQL Queries]
→ AWS NAT Gateway Cost: Why Your Bill Is Too High [4 Fixes]
→ AWS VPC Topology Mapping: What the Console Hides

Frequently Asked Questions

Why are my VPC Flow Logs not appearing in CloudWatch?

Most likely cause: IAM role is missing logs:PutLogEvents or logs:CreateLogStream, or the log group doesn't exist. Run aws ec2 describe-flow-logs --query 'FlowLogs[*].DeliverLogsErrorMessage' to see the exact error.

How long does it take for VPC Flow Logs to appear?

CloudWatch: 10–15 minutes after traffic occurs. S3: up to 60 minutes. If nothing appears after 30 minutes, check DeliverLogsStatus for errors.

What IAM permissions does the VPC Flow Logs role need?

logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups on the log group, with a trust policy allowing vpc-flow-logs.amazonaws.com to assume the role.