runbooks vpc flow-log-queryΒΆ
Auto-generated from
runbooks vpc flow-log-query --helpon 2026-05-21. Source of truth: runbooks PyPI package v1.3.22
Usage: runbooks vpc flow-log-query [OPTIONS]
Query VPC flow logs in CloudWatch Logs Insights for traffic to/from an IP
address.
Finds the CloudWatch log group for the given VPC, runs a Logs Insights query
filtered by source/destination IP, and displays the top 20 flows by bytes.
Traffic classification: ORPHANED -- 0 flows in the period LOW -- <
100 flows/day average ACTIVE -- >= 100 flows/day average
READONLY -- no mutations.
Examples: runbooks vpc flow-log-query --instance-ip 10.0.1.5 --vpc-id
vpc-0abc123 --profile ops runbooks vpc flow-log-query --instance-ip
10.0.1.5 --vpc-id vpc-0abc123 --days 14 --profile ops
Options:
--profile TEXT AWS profile for single-account operations.
π Profile Selection Guide:
βββββββββββββββββββββββββββββββββββββββββββββββ
Single Account β Use --profile YOUR_PROFILE
Example: --profile dev-account When:
Developer/operator working in one AWS account
Multi-Account LZ β Use --all-profiles (see
inventory commands) Example: --all-profiles
When: Platform team discovering across
organization
π Enrichment Profiles (Automatic): β’
Organizations: MANAGEMENT_PROFILE β’ Costs:
BILLING_PROFILE Note: Separate from discovery
profile
Decision: Single account = --profile | Multi-
account = --all-profiles
--region TEXT AWS region override (default: ap-southeast-2)
--dry-run Safe analysis mode - no resource modifications
(enterprise default)
--instance-ip IP_ADDRESS IP address to query flow logs for (e.g. 10.0.1.5)
[required]
--vpc-id VPC_ID VPC ID that owns the flow logs (e.g. vpc-0abc123)
[required]
--days INTEGER Lookback window in days (default: 7) [default: 7]
--output [table|json] Output format (default: table)
--help Show this message and exit.