---
title: "Kentik Export Configuration"
slug: "kentik-export-configuration-aws"
description: "Set up AWS Cloud Export in Kentik to collect flow logs, metadata, and metrics for enhanced telemetry analysis and monitoring of your AWS resources."
updated: 2026-04-29T13:59:14Z
published: 2026-04-29T13:59:14Z
stale: true
---

# Kentik Export Configuration

Now that you have prepared your AWS environment by [**configuring your IAM roles**](/v1/docs/metadata-configuration-aws) (Standard or Nested) and [**granting the necessary S3 permissions for flow logs**](/v1/docs/metadata-configuration-aws), the final step is to register that setup in Kentik.

You do this by creating a **Cloud Export** in the Kentik portal. A cloud export represents the active data pipeline between your AWS architecture and Kentik, and it can be configured to collect various types of telemetry:

- [**Metadata Only**](/v1/docs/kentik-export-configuration-aws#metadataonly-export): Collects only AWS metadata. Use this when your flow logs are already being ingested by a different cloud export.
- [**Flow/Firewall Logs and Metadata**](/v1/docs/flow-firewall-log-collection-configuration): Collects telemetry logs and metadata for all entities (VPCs, subnets, interfaces, firewalls) publishing to a [**specific S3 bucket**](/v1/docs/flow-firewall-log-collection-configuration#create-an-s3-bucket). Kentik automatically creates a [**cloud device**](/v1/docs/public-clouds#cloud-devices-list) for each entity.
- **Metrics**: Cloud metrics history for historical telemetry analysis, trending, and alerting.

![Cloud export configuration settings for AWS, GCP, Azure, and OCI with observability features.](https://cdn.us.document360.io/082e25b5-afce-42d4-8f47-70bd3f1d02b7/Images/Documentation/KFA-create-cloud-export-provider-and-features(1).png)

*Configuration settings for AWS Cloud Export with various observability features listed.*

## Initial Cloud Export Steps

To create a new AWS cloud export:

1. Navigate to **Settings » Public Clouds** and click **Create Cloud Export**.
2. Click **AWS Cloud**.
3. Under **Observability Features**, select the data types to collect:
  1. **Metadata collection** (Required): Automatically selected.
  2. **Flow log collection**: Select to collect AWS flow logs.
    1. **Help me configure my provider via Terraform**: Choose to automatically configure the cloud export using Terraform in the next step of the wizard (see [**Automated Setup**](/v1/docs/kentik-export-configuration-aws#automated-setup)).
  3. **Firewall log collection**: Select to collect AWS firewall logs.
  4. **Cloud metrics history**: Select to collect AWS CloudWatch metrics.
4. Click the green arrow to proceed.

The next steps depend on the export type:

- [**Metadata-Only Export**](/v1/docs/kentik-export-configuration-aws#metadataonly-export)
- [**Flow/Firewall Logs and Metadata Export**](/v1/docs/kentik-export-configuration-aws#flowfirewall-logs-and-metadata-export)

## Metadata-Only Export

To set up a new AWS metadata-only cloud export, follow these steps:

1. Complete the [**Initial Cloud Export Steps**](/v1/docs/kentik-export-configuration-aws#initial-cloud-export-steps) while leaving **Flow log collection** unselected. (Selecting **Cloud metrics history** is optional).
2. In the **AWS Role** field (Required):
  1. **Standard Configuration**: Enter the ARN of the [**IAM role**](/v1/docs/metadata-configuration-aws#create-iam-role) you created in your single AWS account. Leave “This is an AWS organization role” unselected.
  2. **Nested Configuration**: Enter the ARN of the [**Primary (Hub) Role**](/v1/docs/metadata-configuration-aws#provision-the-hub-account). If using AWS Organizations to automatically discover child accounts, select the “**This is an AWS organization role**” checkbox.
  3. Click **Verify Role**.
3. Select an **AWS Region** from the dropdown (Required):
  1. Choose the region of the primary account.
  2. Click **Verify Region** (fails if the **AWS Role** is blank or invalid).
4. Specify Additional Roles (Nested Configurations Only): Expand the **Optional: Additional Metadata Roles** pane to access these options:
  1. **Secondary AWS Accounts**: Enter a comma-separated list of the [**secondary (spoke) account IDs**](/v1/docs/metadata-configuration-aws#provision-the-spoke-accounts) you configured earlier.
  2. **Regions Used Across Secondary Accounts**: Select from the filterable dropdown all regions where these secondary accounts exist.
  3. **Role suffix**: Enter the exact name of the Secondary Role you created in those accounts.
  4. Click **Verify** to validate all entered values.
5. Click the green arrow to proceed to the final step.
6. Enter the cloud export name/description:
  1. **Name** (Required): Specify or accept the default name for the cloud export.
  2. **Description**: Provide a description or accept the default.
7. Select the appropriate Kentik billing plan for the cloud export from the **Billing Plan** dropdown.
8. Click **Save** to finalize the cloud export and return to the [**Public Clouds**](/v1/docs/public-clouds) page, where the new export will be listed.

## Flow/Firewall Logs and Metadata Export

To set up a new AWS flow logs and metadata export, follow these steps:

1. Complete the [**Initial Cloud Export Steps**](/v1/docs/kentik-export-configuration-aws#initial-cloud-export-steps) while selecting **Flow log collection** and/or **Firewall log collection**.
2. Complete the first three steps of [**Metadata-Only Export**](/v1/docs/kentik-export-configuration-aws#metadataonly-export).
3. **S3 Bucket Name**: Provide the exact name of the S3 bucket where your flow logs are stored.

> [!NOTE]
> **Note**: This must be the same bucket name you added to your IAM policy’s S3 permissions in the previous step.

4. **S3 Bucket Prefix:** Specify a prefix for Kentik to add to the S3 bucket name when creating the cloud export.
5. Click **Verify S3 Bucket** to ensure the bucket is accessible and correctly configured.
6. Complete the “Optional: Additional Metadata Roles” section (described in Step 4 of [**Metadata-Only Export**](/v1/docs/kentik-export-configuration-aws#metadataonly-export)).
7. **Sampling**: Configure your desired flow sampling settings (see [**Cloud Export Sampling**](/v1/docs/public-clouds#cloud-export-sampling)).
8. Click the green arrow to proceed.
9. Specify or accept the default name for the cloud export.
10. Optionally provide a description for the cloud export or accept the default.
11. Choose the appropriate Kentik billing plan for the cloud export from the dropdown.
12. Click **Save** to finalize the cloud export and return to the Public Clouds page, where the new export will be listed.

### Automated Setup

To automatically configure your AWS setup using Terraform, follow these steps.

![Options for flow log collection and AWS log management settings are displayed.](https://cdn.us.document360.io/082e25b5-afce-42d4-8f47-70bd3f1d02b7/Images/Documentation/KFA-create-cloud-export-auto-1.png)

1. Follow the [**Initial Cloud Export Steps**](/v1/docs/kentik-export-configuration-aws#initial-cloud-export-steps) and select the **Help me configure my provider via Terraform** box.
2. For AWS Provider Profile Name, the default is “default”. Enter a different name if needed.
3. Select the AWS region from the dropdown, which populates the `region` field in the generated configuration.
4. Configure settings in the **Select options** section (see [**Automated Configuration Options**](/v1/docs/kentik-export-configuration-aws#automated-configuration-options)).
5. Copy the generated configuration and save it as `main.tf` in an empty directory where Terraform will be run.
6. Execute the commands provided in the wizard to apply the configuration.
7. Click **Finish** to return to the [**Public Clouds**](/v1/docs/public-clouds#public-clouds-page) page, where the new cloud export will be listed under **Cloud Exports**.

![Configuration settings for AWS provider profile, including region and logging options.](https://cdn.us.document360.io/082e25b5-afce-42d4-8f47-70bd3f1d02b7/Images/Documentation/KFA-create-cloud-export-auto-2.png)

### Automated Configuration Options

When configuring AWS setup automatically via Terraform in Kentik, you can customize the following options:

![Automated configuration options for an AWS cloud export.](https://cdn.us.document360.io/082e25b5-afce-42d4-8f47-70bd3f1d02b7/Images/Documentation/KFA-create-cloud-export-automated.png)

- **Enable flow logs**:
  - **For all VPCs in the selected region(s)**: Automatically configures flow logs for all VPCs in the selected region.
  - **For selected VPCs in the selected region(s)**: Enter VPC IDs in the `vpc_id_list` parameter to configure only those VPCs.
- **Write logs to bucket**:
  - **Every minute (recommended)**: Provides a higher volume of logs at a consistent rate, ideal for traffic engineering, security, and real-time monitoring.
  - **Every 10 minutes** **(AWS default)**: Reduces log volume and AWS charges.
- **Automatically create necessary role in AWS account**: Decide whether to automatically create the AWS role or manage it manually according to your security protocols.
- **Use External ID**: Optionally, include an AWS external ID for Kentik to use to access your S3 bucket (see [**AWS doc on External ID**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)):
  - This ID is known only to you and Kentik. Per AWS, its primary purpose is to avoid the [**confused deputy problem**](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
  - By default, your Kentik company ID is used.
  - This ID should also be used when creating the AWS role (see [**Primary Role JSON**](/v1/docs/metadata-configuration-aws#create-a-primary-role)).

> [!NOTE]
> **Note**: If you prefer to use a 16-digit randomized string as your External ID, contact Kentik support at [**support@kentik.com**](mailto:support@kentik.com).
- **Cloud Export Name Prefix**: Specify a prefix to add to the Kentik cloud export name for easy identification.
- **S3 Bucket Prefix**: Specify a prefix to add to the Kentik-created S3 bucket name.
- **IAM Role Prefix**: Specify a prefix to add to the Kentik-created IAM role.
- **Billing Plan**: Select the appropriate Kentik billing plan for the cloud export.

> [!NOTE]
> **Notes**:
> 
> - Prefix fields help in identifying and managing your cloud exports more effectively.
> - Different values can be used for each prefix field to suit your organizational needs.
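
The **Use External ID** option above only protects against the confused deputy problem if the role's trust policy actually requires that ID. As an added example (not Kentik's code or its generated Terraform configuration), this Python check reads a trust policy document and reports cross-account `sts:AssumeRole` statements that lack an exact-match `sts:ExternalId` condition. The account ID, External ID value, and function names are constructed placeholders.

```python
import json

# Constructed samples: 111122223333 is a placeholder account ID and "12345"
# a placeholder External ID (the page says the Kentik company ID is the default).
def _policy(condition):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

WITH_ID = _policy({"StringEquals": {"sts:ExternalId": "12345"}})
WITHOUT_ID = _policy(None)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def external_id_findings(trust_policy_json, expected_id):
    """List cross-account AssumeRole statements that do not pin expected_id."""
    findings = []
    policy = json.loads(trust_policy_json)
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not (
                {"sts:assumerole", "sts:*", "*"} & set(actions)):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "AWS" not in principal:
            continue  # service or federated principal: External ID not relevant
        # Only an exact-match condition counts; StringLike etc. are reported.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        ids = [i for v in ids for i in _as_list(v)]
        if not ids:
            findings.append(f"statement {n}: no StringEquals sts:ExternalId condition")
        elif ids != [expected_id]:
            findings.append(f"statement {n}: External ID does not match expected value")
    return findings

if __name__ == "__main__":
    for name, doc in (("with-id", WITH_ID), ("without-id", WITHOUT_ID)):
        print(name, external_id_findings(doc, "12345") or "OK")
```

To check a deployed role, feed the function the trust policy document exported from your AWS account in place of the constructed samples.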

## Using Your Cloud Export

Once the setup process is complete, you can view and utilize your cloud export in Kentik:

- **Cloud Exports List**
  - Go to **Settings » Public Clouds** to see the updated list of cloud exports.
  - A new cloud export will be listed, representing the VPCs, transit gateways, subnets, or interfaces whose logs are pulled from the specified bucket.
- **Devices Column**
  - Each VPC, transit gateway, subnet, or interface sending flow logs is listed as a cloud device.
  - Devices are named after their respective VPC, transit gateway, subnet, or interface.
  - These names can be used as group-by and filter values in Kentik queries using the Device Name dimension.
- **Metadata and Mapping**
  - The collected metadata, such as routing tables, security groups, and ACLs, enables Kentik to automatically map and visualize the topology of your AWS resources in the [**Kentik Map**](/v1/docs/kentik-map).

![AWS service status overview with highlighted issues and device group details.](https://cdn.us.document360.io/082e25b5-afce-42d4-8f47-70bd3f1d02b7/Images/Documentation/image(45).png)

*The Public Clouds page lists your AWS resources as “cloud exports”, each with a service status overview, highlighted issues, and device group details.*
