Amazon CloudWatch Logs
User Guide

Export Log Data to Amazon S3 Using the Console

In the following example, you'll use the Amazon CloudWatch console to export all data from an Amazon CloudWatch Logs log group named "my-log-group" to an Amazon S3 bucket named "my-exported-logs."

Step 1: Create an Amazon S3 Bucket

We recommend that you use a bucket that was created specifically for CloudWatch Logs. However, if you want to use an existing bucket, you can skip to Step 2.

Note

The Amazon S3 bucket must reside in the same region as the log data to export. CloudWatch Logs does not support exporting data to Amazon S3 buckets in a different region.

To create an Amazon S3 bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. If necessary, change the region. From the navigation bar, choose the region where your CloudWatch Logs reside.

  3. Choose Create Bucket.

  4. For Bucket Name, type a name for the bucket.

  5. For Region, select the region where your CloudWatch Logs data resides.

  6. Choose Create.

Step 2: Set Permissions on an Amazon S3 Bucket

By default, all Amazon S3 buckets and objects are private. Only the resource owner, the AWS account that created the bucket, can access the bucket and any objects it contains. However, the resource owner can choose to grant access permissions to other resources and users by writing an access policy.

To set permissions on an Amazon S3 bucket

  1. In the Amazon S3 console, choose the bucket that you created in Step 1.

  2. Choose Permissions, Add bucket policy.

  3. In the Bucket Policy Editor dialog box, add the following policy, changing Resource to the name of your S3 bucket and Principal to the endpoint of the region where you are exporting log data.

    {
        "Version": "2012-10-17",
        "Statement": [
          {
              "Action": "s3:GetBucketAcl",
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::my-exported-logs",
              "Principal": { "Service": "logs.us-west-2.amazonaws.com" }
          },
          {
              "Action": "s3:PutObject",
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::my-exported-logs/*",
              "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } },
              "Principal": { "Service": "logs.us-west-2.amazonaws.com" }
          }
        ]
    }

  4. Choose Save to set the policy that you just added as the access policy on your bucket. This policy enables CloudWatch Logs to export log data to your Amazon S3 bucket. The bucket owner has full permissions on all of the exported objects.

    Caution

    If the existing bucket already has one or more policies attached to it, add the statements for CloudWatch Logs access to that policy or policies. We recommend that you evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the bucket.
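The caution above asks you to merge the CloudWatch Logs statements into any existing policy and then evaluate the result. The following is an added example, not part of the AWS guide: it appends the two statements to a copy of an existing policy and flags Allow statements open to any principal, which would also expose the exported logs. The function names and the EXISTING sample policy are constructed for illustration.

```python
import copy
import json

def export_statements(bucket, region):
    """The two CloudWatch Logs statements from the policy above."""
    principal = {"Service": f"logs.{region}.amazonaws.com"}
    acl = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    return [
        {"Action": "s3:GetBucketAcl", "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}", "Principal": principal},
        {"Action": "s3:PutObject", "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": acl, "Principal": principal},
    ]

def as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def merge_export_access(existing, bucket, region):
    """Copy `existing` and append the export statements it does not already have."""
    merged = copy.deepcopy(existing)
    merged["Statement"] = as_list(merged.get("Statement"))
    for stmt in export_statements(bucket, region):
        if stmt not in merged["Statement"]:
            merged["Statement"].append(stmt)
    return merged

def review_findings(policy):
    """List Allow statements open to any principal with no Condition."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        who = stmt.get("Principal")
        anyone = who == "*" or (isinstance(who, dict) and "*" in as_list(who.get("AWS")))
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            findings.append(f"Statement[{i}] allows {stmt.get('Action')} to any principal")
    return findings

# Constructed sample: a policy already attached to the bucket before the export setup.
EXISTING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-exported-logs/*"}]}

if __name__ == "__main__":
    merged = merge_export_access(EXISTING, "my-exported-logs", "us-west-2")
    print(json.dumps(merged, indent=4))
    for finding in review_findings(merged):
        print("REVIEW:", finding)
```

Paste the printed JSON into the Bucket Policy Editor only after each REVIEW line has been resolved or accepted.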

Step 3: Create an Export Task

In this step you create the export task for exporting logs from a log group.

To export data to Amazon S3 using the CloudWatch console

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. On the Log Groups screen, select the checkbox next to a log group, and then choose Actions, Export data to Amazon S3.

  4. On the Export data to Amazon S3 screen, under Define data to export, set the time range for the data to export using From and To.

  5. If your log group has multiple log streams, you can provide a log stream prefix to limit the log group data to a specific stream. Choose Advanced, and then for Stream prefix, type the log stream prefix.

  6. Under Choose S3 bucket, choose the account associated with the Amazon S3 bucket.

  7. For S3 bucket name, choose an Amazon S3 bucket.

  8. To separate log data for each export task, you can specify an Amazon S3 prefix to be used as the Amazon S3 key prefix for all exported objects. Choose Advanced, and then for S3 Bucket prefix, type the bucket prefix.

  9. Choose Export data to export your log data to Amazon S3.

  10. To view the status of the log data that you exported to Amazon S3, choose Actions, View all exports to Amazon S3.