Use the Stax API to Enable CloudWatch VPC Flow Logs

The Python SDK is the easiest way to get started with the Stax API. The Networking components of the SDK and API let you enable CloudWatch Logs for the VPC Flow Logs of your VPCs.

Before You Begin

Enable CloudWatch Logs for VPC Flow Logs

Two Python scripts will be used. The first retrieves a list of VPCs and their corresponding IDs, and the second enables CloudWatch Logs for the VPC Flow Logs of a given VPC ID.

get-vpcs.py

get-vpcs.py below will return a list of all Networking Hubs and the VPCs within them. Beside each VPC is its unique ID within Stax.

import os
from staxapp.config import Config
from staxapp.openapi import StaxClient

Config.access_key = os.getenv("STAX_ACCESS_KEY")
Config.secret_key = os.getenv("STAX_SECRET_KEY")

networksClient = StaxClient("networking")
hubs = networksClient.ReadHubs()['Hubs']
vpcs = networksClient.ReadVpcs()['Vpcs']

for hub in hubs:
    print(f'|\n|-- Hub: {hub["Name"]} ({hub["Region"]}, id: {hub["Id"]})')
    for vpc in vpcs:
        if vpc['NetworkingHubId'] == hub['Id']:
            print(f'| |-- {vpc["Name"]} (id: {vpc["Id"]})')

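Invoke the script with your own API access key and secret key as follows. Keys typed inline like this are typically saved to shell history, so for regular use export them into the environment from a secrets store instead.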

$ STAX_ACCESS_KEY=myaccesskey STAX_SECRET_KEY=mysecretkey python get-vpcs.py

A response similar to the below will be returned:

|
|-- Hub: prod-apse2 (ap-southeast-2, zd_id: 8c0a3d8f-432a-4d7a-a277-4afd69be7d54)
| |-- apse2-website-prod (4c975bcd-fd09-4095-bad2-78eec379da44)
| |-- stax-prod-apse2-transit-vpc (bca299a8-855b-452e-8364-2cd1eba30ba9)
| |-- apse2-shared-prod (dc7ea159-3677-4c48-b05d-317b29db3cd5)

enable-vpc-cwl.py

enable-vpc-cwl.py below will enable CloudWatch Logs for the VPC flow logs of a given VPC ID. This is the Stax ID of the VPC (a UUID), not the AWS identifier for the VPC.

import json
import os

from staxapp.config import Config
from staxapp.openapi import StaxClient

# API credentials are read from the environment
Config.access_key = os.getenv("STAX_ACCESS_KEY")
Config.secret_key = os.getenv("STAX_SECRET_KEY")

networksClient = StaxClient("networking")

# Stax ID of the VPC (a UUID), not the AWS VPC identifier
vpc_id = os.getenv("VPC_ID")

# Request CloudWatch Logs for the VPC's flow logs
body = {"CreateCloudwatchVpcFlowlogs": True}
response = networksClient.UpdateVpc(vpc_id=vpc_id, **body)
print(json.dumps(response, indent=2))

Invoke the script with your own API access key and secret key, as well as a VPC ID as follows:

$ STAX_ACCESS_KEY=myaccesskey STAX_SECRET_KEY=mysecretkey VPC_ID=dc7ea159-3677-4c48-b05d-317b29db3cd5 python enable-vpc-cwl.py

A response similar to the below will be returned:

{
  "DetailType": "stax.networking.vpc",
  "Detail": {
    "Message": {
      "TaskId": "7e138167-fd8a-4206-b6f6-c71fc6ae9909",
      "CustomerId": "3e0cc83a-6829-4621-ab1b-e0b93ae6b0ef",
      "TraceId": "Root=1-5f8e5fb6-3154a3e52dfcdbcd6057d596"
    },
    "TraceId": "Root=1-5f8e5fb6-3154a3e52dfcdbcd6057d596",
    "Operation": "networking:UpdateVpc",
    "OperationStatus": "STARTED",
    "Severity": "info"
  }
}

Make a note of the TaskId returned by the output. You can then monitor the task status to ensure the operation completes successfully.
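The two scripts above can be combined to enable flow logs on every VPC in one Networking Hub and keep the TaskId for each. The following is an added example, not part of the Stax SDK or its examples. The helper names and FakeNetworkingClient are hypothetical, and the fake returns constructed data shaped like the responses shown above so the block runs offline.

```python
import uuid

SAMPLE_HUB = "8c0a3d8f-432a-4d7a-a277-4afd69be7d54"  # hub ID from the sample output above

def is_stax_id(value):
    """True for a canonical UUID (Stax ID); False for AWS-style IDs like 'vpc-0abc'."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def enable_flow_logs(client, hub_id):
    """Enable flow logs on each VPC in one hub; return ({vpc_id: task_id}, [not started])."""
    if not is_stax_id(hub_id):
        raise ValueError(f"expected a Stax UUID, got {hub_id!r}")
    started, failed = {}, []
    for vpc in client.ReadVpcs()["Vpcs"]:
        if vpc["NetworkingHubId"] != hub_id:
            continue  # leave VPCs in other hubs untouched
        resp = client.UpdateVpc(vpc_id=vpc["Id"], CreateCloudwatchVpcFlowlogs=True)
        detail = resp.get("Detail", {})
        task_id = detail.get("Message", {}).get("TaskId")
        if detail.get("OperationStatus") == "STARTED" and task_id:
            started[vpc["Id"]] = task_id  # keep the TaskId for later monitoring
        else:
            failed.append(vpc["Id"])
    return started, failed

class FakeNetworkingClient:
    """Constructed stand-in for StaxClient("networking"), for offline runs."""
    def ReadVpcs(self):
        other_hub = "00000000-0000-4000-8000-000000000001"  # constructed
        return {"Vpcs": [
            {"Id": "4c975bcd-fd09-4095-bad2-78eec379da44", "NetworkingHubId": SAMPLE_HUB},
            {"Id": "dc7ea159-3677-4c48-b05d-317b29db3cd5", "NetworkingHubId": SAMPLE_HUB},
            {"Id": "00000000-0000-4000-8000-000000000002", "NetworkingHubId": other_hub},
        ]}

    def UpdateVpc(self, vpc_id, **body):
        # Constructed response with the same fields as the sample response above
        return {"Detail": {"Message": {"TaskId": f"task-for-{vpc_id}"},
                           "OperationStatus": "STARTED"}}

if __name__ == "__main__":
    # For real use, pass StaxClient("networking") configured as in the scripts above.
    started, failed = enable_flow_logs(FakeNetworkingClient(), SAMPLE_HUB)
    for vpc_id, task_id in started.items():
        print(f"{vpc_id} -> task {task_id}")
    print("not started:", failed)
```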

For more examples of using the Stax Python SDK, see the examples.