How it works...

VPC flow logs capture IP traffic to and from our VPCs. Flow log data can be published to either CloudWatch Logs or an S3 bucket. We can choose to log only accepted traffic, only rejected traffic, or both. Flow logs can be created at different levels: the VPC level, the subnet level, and the network interface level.

In the recipe, we selected All in the filter dropdown to log all IP traffic to and from our VPCs. The other options are Accept, which logs only accepted traffic, and Reject, which logs only rejected traffic; All logs both. Publishing to CloudWatch Logs requires a CloudWatch log group and an IAM role with permission to write to that log group. We created the IAM role from the console using the Set Up Permissions link on the Create flow log screen.
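The following is an added example, not code from the recipe: it parses flow log records and shows which of them each filter choice (Accept, Reject, All) would keep, then counts rejected flows per source. It assumes the flow log uses the default record format rather than a custom one; the sample records, account ID and interface ID are constructed.

```python
from collections import Counter
from typing import NamedTuple, Optional

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

class FlowRecord(NamedTuple):
    srcaddr: str
    dstaddr: str
    dstport: Optional[int]   # None when the record carries "-"
    action: str              # ACCEPT, REJECT, or "-" for NODATA/SKIPDATA
    log_status: str          # OK, NODATA or SKIPDATA

def parse_record(line: str) -> FlowRecord:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    f = dict(zip(FIELDS, parts))
    port = None if f["dstport"] == "-" else int(f["dstport"])
    return FlowRecord(f["srcaddr"], f["dstaddr"], port, f["action"], f["log_status"])

def select(records, traffic_filter):
    """Records with traffic data that a filter of Accept, Reject or All would keep."""
    wanted = traffic_filter.upper()
    if wanted not in ("ACCEPT", "REJECT", "ALL"):
        raise ValueError(f"unknown filter: {traffic_filter}")
    return [r for r in records
            if r.log_status == "OK" and wanted in ("ALL", r.action)]

def rejected_by_source(records):
    """Count rejected flows per (source address, destination port)."""
    return Counter((r.srcaddr, r.dstport) for r in select(records, "REJECT"))

# Constructed sample records (documentation IP ranges, made-up account and ENI ids).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 49152 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 49153 22 6 2 120 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 50000 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
2 123456789012 eni-0a1b2c3d 203.0.113.40 10.0.1.5 40000 3389 6 1 40 1700000000 1700000060 REJECT OK
"""
RECORDS = [parse_record(l) for l in SAMPLE.splitlines() if l.strip()]

if __name__ == "__main__":
    for name in ("Accept", "Reject", "All"):
        print(name, len(select(RECORDS, name)))
    for (src, port), n in rejected_by_source(RECORDS).most_common():
        print(f"{src} -> port {port}: {n} rejected flows")
```

With the Accept filter only one of the five sample records would be available for review, so the three rejected connection attempts would not appear in the log group at all.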
