An Amazon VPC with VPC Flow Logs enabled captures information about the IP traffic going to and from network interfaces in your Amazon VPC. This log information can help you investigate how Amazon EC2 instances and other resources in your VPC are communicating, and what they are communicating with. You can follow the Automated Deployment of VPC lab to create an Amazon VPC with Flow Logs enabled.
The AWS Management Console provides a visual way of querying CloudWatch Logs using CloudWatch Logs Insights, and does not require any tools to be installed.
Rejected requests by IP address
Rejected requests indicate attempts to gain access to your VPC; however, much of this traffic is often noise from internet scanners. To count the rejected requests by source IP address:
filter action="REJECT" | stats count(*) as numRejections by srcAddr | sort numRejections desc
Rejected requests originating from inside your VPC
Rejected requests that originate from inside your VPC may indicate that infrastructure in your VPC is attempting to connect to something it is not allowed to, e.g. a database instance trying to connect to the internet and being blocked. This example uses a regular expression to match source addresses whose first octet is 10 (i.e. a VPC whose address range starts with 10.):
filter action="REJECT" and srcAddr like /^10\./ | stats count(*) as numRejections by srcAddr | sort numRejections desc
Requests from an IP address
If you suspect an IP address and want to list all requests that originate from it, replace 192.0.2.1 with the IP you suspect:
filter srcAddr = "192.0.2.1" | fields @timestamp, interfaceId, dstAddr, dstPort, action
Request count from a private IP address by destination address
If you want to list and count all connections from a private IP address by destination address, replace 10.1.1.1 with your private IP:
filter srcAddr = "10.1.1.1" | stats count(*) as numConnections by dstAddr | sort numConnections desc
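The four Logs Insights queries above can be reproduced locally against exported flow log records, which is useful for testing detection logic offline or when you only have a downloaded log. The following is an added example, not part of the AWS lab: it parses records in the default VPC Flow Log field order and implements each aggregation in Python. The sample records and the account ID are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample records in the default VPC Flow Log format (14 fields):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41234 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41235 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51000 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 198.51.100.200 55000 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 55001 5432 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.1 10.0.1.10 60000 80 6 5 500 1700000000 1700000060 ACCEPT OK
"""

# Field names chosen to mirror the Logs Insights field names used in the queries.
FIELDS = ["version", "accountId", "interfaceId", "srcAddr", "dstAddr", "srcPort",
          "dstPort", "protocol", "packets", "bytes", "start", "end", "action", "logStatus"]


def parse_flow_log(text):
    """Split each line into a dict; lines that are not 14-field records are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def rejections_by_source(records, src_pattern=None):
    """Query 1: count REJECT records per srcAddr, highest first.
    With src_pattern=r"^10\\." this becomes query 2 (srcAddr like /^10\\./)."""
    counts = Counter(
        r["srcAddr"] for r in records
        if r["action"] == "REJECT"
        and (src_pattern is None or re.match(src_pattern, r["srcAddr"]))
    )
    return counts.most_common()


def requests_from(records, src):
    """Query 3: every record from one source, as (start, interfaceId, dstAddr, dstPort, action)."""
    return [(r["start"], r["interfaceId"], r["dstAddr"], r["dstPort"], r["action"])
            for r in records if r["srcAddr"] == src]


def connections_by_destination(records, src):
    """Query 4: count all records from one source, grouped by dstAddr, highest first."""
    return Counter(r["dstAddr"] for r in records if r["srcAddr"] == src).most_common()
```

The protocol column holds the IANA protocol number (6 is TCP), so a production version would also want to group by dstPort to separate scanner noise on 22/3389 from blocked application traffic.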